How-to: Troubleshoot your Single Sign-On connection using Fiddler

This guide will provide steps on capturing the HTTP Post from your Identity Provider to Litmos, this is also known as a SAML assertion. If you do not have Fiddler installed, please acquire it here.

Troubleshooting SSO

Your SSO is set up, but you can't login

You have set up your ADFS, Okta, or other SSO integration and are receiving an error when you try to login. This error reads "Error logging into Litmos, please contact your administrator. 6a Origin: XXXX" This means a field is missing from your SAML assertion. 

  1. Check your mapped attributes - spelling and syntax are critical. The outgoing claim types to Litmos are: FirstName, LastName, Email. Each application has a different method for accessing this information. Check out step 4 from the ADFS install guide here. 
  2. Make sure that the account you are logging in with all of these fields are present within your directory and are properly mapped. 

You have checked mapped attributes, now what?

  1. Boot up Fiddler.
  2. Open Google Chrome in Incognito mode (ctrl+shift+n) or another browser. Make sure this is the only tab/window of this browser open at this time.
  3. In Fiddler, click File > uncheck "capture traffic" so that it stops.
  4. Then click Tools > Telerik Fiddler Options, click the HTTPS tab, check the "Decrypt HTTPS traffic", and click ok
  5. Click the X with drop down arrow and select Remove All.
  6. In your web browser, navigate to your SSO login page but do not login yet.
  7. From Fiddler drag the crosshair icon "Any Process" and drop it on your web browser login page. This tells Fiddler to capture network activity from the web browser.
  8. In Fiddler, click File > Capture Traffic.
  9. Login to SS with your web browser, make sure you see the same error as before. 
  10. In Fiddler, click File > Capture Traffic to end capturing traffic.
  11. You are done!

I have captured network traffic and generated the error message, now what?

  1. In Fiddler you will have a huge list of items, locate the one that has the HTTP Post icon and is indicative of your SSO target. This will typically look like instance.litmos.com/integration/samllogin2016-08-26_1643.png
  2. Delete all other activity logs except for this line
  3. Double click on the network activity and select the "Inspectors" tab then "Raw". Copy the SAML response line in its entirety and paste it into a text file2016-08-26_1647.png
  4. Copy and paste the SAML response to the SAML decoder. Make sure you remove the text "SAMLResponse=" from the beginning of the text. Remove "&RelayState=" from the end of the text.
  5. Select "Post", then click decode.
  6. Using an XML compatible text editor you can now look through the SAML response.

Cleaning up your SAML response

Sublime text editor has a plugin for auto-indenting XML format text, this is a great way to clean up the text generated from previous steps.

  1. Copy the text into Sublime
  2. Remove everything before <?xml version="1.0".......
  3. Remove everything after </saml2p:Response>
  4. Highlight all > click Selection > Format > Indent XML
  5. Compare to the following imageProper_SSO_Assertion_XML.png
Have more questions? Submit a request

0 Comments

Article is closed for comments.