SAML SP Initiated SSO Traffic Flow Explained

Article ID: CTX259127

Description


Introduction

Assuming you are already familiar with the SAML authentication mechanism, this article skips the introduction and goes straight to its main scope.

In SAML SP-initiated SSO, the client first accesses the SAML-protected resource (the SP) and is redirected to the IdP for authentication and authorization.


You can refer to these articles for more information on SAML

 

Terminologies and URLs used in discussion

SP stands for Service Provider; in this article, the LB VIP on ADC1 acts as the SP.

IdP stands for Identity Provider; in this article, the AAA VIP on ADC2 acts as the SAML IdP.

SP URL: https://sp.kurni.lab

IdP URL: https://ns-adfs.kurni.lab


SAML SP Initiated SSO Traffic Flow Diagram

 


Packet Trace Results and Analysis

Note: These traces are the complete requests and responses captured in Wireshark. You can copy the SAML request and response values and decode them to study the assertions.
Client IP	to LB VIP	GET / HTTP/1.1

    Hypertext Transfer Protocol
        GET / HTTP/1.1\r\n
        Host: sp.kurni.lab\r\n
        Connection: keep-alive\r\n
        Upgrade-Insecure-Requests: 1\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36\r\n
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\r\n
        Purpose: prefetch\r\n
        Accept-Encoding: gzip, deflate, br\r\n
        Accept-Language: en-US,en;q=0.9\r\n
        \r\n
        [Full request URI: https://sp.kurni.lab/]
  • Because the LB VIP does not find any AAA cookie, it treats the user as unauthenticated and returns a page containing a self-submitting form. When the browser runs that script, it redirects the user to the IdP with the SAML request carried in a hidden form field, as shown in the following series of requests.
LB VIP to Client IP	HTTP/1.1 200 OK (text/html): response to the above GET request, carrying the form script and Set-Cookie NSC_TMAC

    Hypertext Transfer Protocol
        HTTP/1.1 200 OK\r\n
        Set-Cookie: NSC_TMAC=/cgi/tmlogin;Path=/;Secure\r\n
        Set-Cookie: NSC_TEMP=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_PERS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_TEMP=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT\r\n
        Set-Cookie: NSC_PERS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT\r\n
        X-Frame-Options: SAMEORIGIN\r\n
        Connection: close\r\n
        Content-Length: 5382\r\n
        Cache-control: no-cache, no-store, must-revalidate\r\n
        Pragma: no-cache\r\n
        Content-Type: text/html\r\n
        \r\n
    Line-based text data: text/html 
    <html><head><style type="text/css">body{  visibility: hidden;}</style></head><body onLoad='document.forms[0].submit();'><form action="https://ns-adfs.kurni.lab/saml/login" method="post"><input type=hidden name="SAMLRequest" value="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"><input type=hidden name=RelayState value="bnNfcG9saWN5PVNBTUwtU1AtUFJPRklMRQBhSFIwY0hNNkx5OXpjQzVyZFhKdWFTNXNZV0l2"><span id="If you are not automatically redirected click "></span><input id="Continue" type="submit" value="Continue"><span id="Trailing phrase after Continue button"></span></form></body></html>
 
Client IP	to LB VIP	GET / HTTP/1.1 with cookie NSC_TMAC=/cgi/tmlogin

    Hypertext Transfer Protocol
        GET / HTTP/1.1\r\n
        Host: sp.kurni.lab\r\n
        Connection: keep-alive\r\n
        Upgrade-Insecure-Requests: 1\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36\r\n
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\r\n
        Accept-Encoding: gzip, deflate, br\r\n
        Accept-Language: en-US,en;q=0.9\r\n
        Cookie: NSC_TMAC=/cgi/tmlogin\r\n
            Cookie pair: NSC_TMAC=/cgi/tmlogin
        \r\n
        [Full request URI: https://sp.kurni.lab/]
 
LB VIP to Client IP	HTTP/1.1 200 OK (text/html)

    Hypertext Transfer Protocol
        HTTP/1.1 200 OK\r\n
        Set-Cookie: NSC_TMAC=/cgi/tmlogin;Path=/;Secure\r\n
        Set-Cookie: NSC_TEMP=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_PERS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_TEMP=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT\r\n
        Set-Cookie: NSC_PERS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT\r\n
        X-Frame-Options: SAMEORIGIN\r\n
        Connection: close\r\n
        Content-Length: 5382\r\n
            [Content length: 5382]
        Cache-control: no-cache, no-store, must-revalidate\r\n
        Pragma: no-cache\r\n
        Content-Type: text/html\r\n
        \r\n
        [HTTP response 1/1]
        [Time since request: 0.001563352 seconds]
        [Request in frame: 7483]
        File Data: 5382 bytes
    Line-based text data: text/html (1 lines)
         <html><head><style type="text/css">body{  visibility: hidden;}</style></head><body onLoad='document.forms[0].submit();'><form action="https://ns-adfs.kurni.lab/saml/login" method="post"><input type=hidden name="SAMLRequest" value="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"><input type=hidden name=RelayState value="bnNfcG9saWN5PVNBTUwtU1AtUFJPRklMRQBhSFIwY0hNNkx5OXpjQzVyZFhKdWFTNXNZV0l2"><span id="If you are not automatically redirected click "></span><input id="Continue" type="submit" value="Continue"><span id="Trailing phrase after Continue button"></span></form></body></html>
  • Based on the above script, the client initiates a connection to the IdP URL; the Origin and Referer headers identify the SP.
Client IP	to AAA VIP	POST /saml/login HTTP/1.1 (application/x-www-form-urlencoded)	

    Hypertext Transfer Protocol
        POST /saml/login HTTP/1.1\r\n
        Host: ns-adfs.kurni.lab\r\n
        Connection: keep-alive\r\n
        Content-Length: 4882\r\n
        Cache-Control: max-age=0\r\n
        Origin: https://sp.kurni.lab\r\n
        Upgrade-Insecure-Requests: 1\r\n
        Content-Type: application/x-www-form-urlencoded\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36\r\n
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\r\n
        Referer: https://sp.kurni.lab/\r\n
        Accept-Encoding: gzip, deflate, br\r\n
        Accept-Language: en-US,en;q=0.9\r\n
        \r\n
        [Full request URI: https://ns-adfs.kurni.lab/saml/login]
    
    HTML Form URL Encoded: application/x-www-form-urlencoded
        Form item: "SAMLRequest" = "PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vc3Aua3VybmkubGFiL2NnaS9zYW1sYXV0aCIgRGVzdGluYXRpb249Imh0dHBzOi8vbnM
            Key: SAMLRequest
            Value: 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%2BaHR0cHM6Ly9zcC5rdXJuaS5sYWI8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI%2BPC9kczpDYW5vbmljYWxpemF0aW9uTWV0aG9kPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPjxkczpSZWZlcmVuY2UgVVJJPSIjXzdiNGRhNmFmMmYyNzEzYTA4NWViMTIzNmRjYWY1MzYzIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiPjwvZHM6VHJhbnNmb3JtPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6VHJhbnNmb3JtPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiPjwvZHM6RGlnZXN0TWV0aG9kPjxkczpEaWdlc3RWYWx1ZT4xV0NpZ2J1Slp0ZjZwTTBjL2tXcEw1QXNNYTA9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8%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%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%2BPC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjwvc2FtbHA6QXV0aG5SZXF1ZXN0Pg%3D%3D
        Form item: "RelayState" = "bnNfcG9saWN5PVNBTUwtU1AtUFJPRklMRQBhSFIwY0hNNkx5OXpjQzVyZFhKdWFTNXNZV0l2"
           Key: RelayState
            Value: bnNfcG9saWN5PVNBTUwtU1AtUFJPRklMRQBhSFIwY0hNNkx5OXpjQzVyZFhKdWFTNXNZV0l2
  • The following series of requests between the client and the AAA VIP redirects the user to the authentication page, performs the login, and generates the SAML response, as discussed in the flow diagram.
AAA VIP	to Client IP	HTTP/1.1 302 Object Moved (text/html)

    Hypertext Transfer Protocol
        HTTP/1.1 302 Object Moved\r\n
        Location: /logon/LogonPoint/tmindex.html\r\n
        Set-Cookie: NSC_TASS=U0FNTC1JRFAtUFJPRklMRQBJRD1fN2I0ZGE2YWYyZjI3MTNhMDg1ZWIxMjM2ZGNhZjUzNjMmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTkJUVXd0VTFBdFVGSlBSa2xNUlFCaFNGSXdZMGhOTmt4NU9YcGpRelZ5WkZoS2RXRlROWE5aVjBsMg==;HttpOnly;Path=/;Secure\r\n
        Set-Cookie: NSC_AAAC=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_EPAC=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_USER=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_TEMP=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_PERS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_BASEURL=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: CsrfToken=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: CtxsAuthId=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: ASP.NET_SessionId=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_TMAA=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT\r\n
        Set-Cookie: NSC_TMAS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_TEMP=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT\r\n
        Set-Cookie: NSC_PERS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT\r\n
        Set-Cookie: NSC_AAAC=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT\r\n
        Connection: close\r\n
        Content-Length: 566\r\n
        Cache-control: no-cache, no-store, must-revalidate\r\n
        Pragma: no-cache\r\n
        Content-Type: text/html\r\n
        \r\n
    Line-based text data: text/html (1 lines)
         <html><head><script type="text/javascript" src="/vpn/resources.js"></script><script type="text/javascript" language="javascript">var Resources = new ResourceManager("/logon/themes/Default/resources/{lang}", "REDIRECTION_BODY");</script></head><body><span id="This object may be found "></span><a href="/logon/LogonPoint/tmindex.html"><span id="here"></span></a><span id="Trailing phrase after here"></span><script type="text/javascript" language="javascript">Resources.Load();</script></body></html>
 
Client IP	to AAA VIP	GET /logon/LogonPoint/tmindex.html HTTP/1.1	

    Hypertext Transfer Protocol
        GET /logon/LogonPoint/tmindex.html HTTP/1.1\r\n
        Host: ns-adfs.kurni.lab\r\n
        Connection: keep-alive\r\n
        Cache-Control: max-age=0\r\n
        Upgrade-Insecure-Requests: 1\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36\r\n
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\r\n
        Referer: https://sp.kurni.lab/\r\n
        Accept-Encoding: gzip, deflate, br\r\n
        Accept-Language: en-US,en;q=0.9\r\n
        Cookie: NSC_TASS=U0FNTC1JRFAtUFJPRklMRQBJRD1fN2I0ZGE2YWYyZjI3MTNhMDg1ZWIxMjM2ZGNhZjUzNjMmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTkJUVXd0VTFBdFVGSlBSa2xNUlFCaFNGSXdZMGhOTmt4NU9YcGpRelZ5WkZoS2RXRlROWE5aVjBsMg==\r\n
            Cookie pair: NSC_TASS=U0FNTC1JRFAtUFJPRklMRQBJRD1fN2I0ZGE2YWYyZjI3MTNhMDg1ZWIxMjM2ZGNhZjUzNjMmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTkJUVXd0VTFBdFVGSlBSa2xNUlFCaFNGSXdZMGhOTmt4NU9YcGpRelZ5WkZoS2RXRlROWE5aVjBsMg==
        \r\n
        [Full request URI: https://ns-adfs.kurni.lab/logon/LogonPoint/tmindex.html]

With this redirection to /logon/LogonPoint/tmindex.html, a series of GET requests and 200 OK responses loads the complete AAA login page, as below.
 
Client IP	to AAA VIP	POST /logon/LogonPoint/Resources/List HTTP/1.1 (application/x-www-form-urlencoded)

    Hypertext Transfer Protocol
        POST /logon/LogonPoint/Resources/List HTTP/1.1\r\n
        Host: ns-adfs.kurni.lab\r\n
        Connection: keep-alive\r\n
        Content-Length: 35\r\n
            [Content length: 35]
        Accept: application/json, text/javascript, */*; q=0.01\r\n
        Origin: https://ns-adfs.kurni.lab\r\n
        X-Requested-With: XMLHttpRequest\r\n
        X-Citrix-IsUsingHTTPS: Yes\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36\r\n
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n
        Referer: https://ns-adfs.kurni.lab/logon/LogonPoint/tmindex.html\r\n
        Accept-Encoding: gzip, deflate, br\r\n
        Accept-Language: en-US,en;q=0.9\r\n
        Cookie: NSC_TASS=U0FNTC1JRFAtUFJPRklMRQBJRD1fN2I0ZGE2YWYyZjI3MTNhMDg1ZWIxMjM2ZGNhZjUzNjMmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTkJUVXd0VTFBdFVGSlBSa2xNUlFCaFNGSXdZMGhOTmt4NU9YcGpRelZ5WkZoS2RXRlROWE5aVjBsMg==\r\n
            Cookie pair: NSC_TASS=U0FNTC1JRFAtUFJPRklMRQBJRD1fN2I0ZGE2YWYyZjI3MTNhMDg1ZWIxMjM2ZGNhZjUzNjMmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTkJUVXd0VTFBdFVGSlBSa2xNUlFCaFNGSXdZMGhOTmt4NU9YcGpRelZ5WkZoS2RXRlROWE5aVjBsMg==
        \r\n
        [Full request URI: https://ns-adfs.kurni.lab/logon/LogonPoint/Resources/List]
    HTML Form URL Encoded: application/x-www-form-urlencoded
        Form item: "format" = "json"
            Key: format
            Value: json
        Form item: "resourceDetails" = "Default"
            Key: resourceDetails
            Value: Default
 
AAA VIP	to Client IP	HTTP/1.1 200 OK (text/plain)

    Hypertext Transfer Protocol
        HTTP/1.1 200 OK\r\n
        Cache-Control: no-cache, no-store, must-revalidate\r\n
        Pragma: no-cache\r\n
        Content-Type: text/plain\r\n
        Expires: -1\r\n
        X-Citrix-Application: Receiver for Web\r\n
        CitrixWebReceiver-Authenticate: reason="notoken", location="/cgi/GetAuthMethods"\r\n
        Content-Length: 22\r\n
            [Content length: 22]
        \r\n
        [HTTP response 6/8]
        [Time since request: 0.000074479 seconds]
        [Prev request in frame: 13244]
        [Prev response in frame: 13332]
        [Request in frame: 13378]
        [Next request in frame: 13384]
        [Next response in frame: 13385]
        File Data: 22 bytes
    Line-based text data: text/plain (1 lines)
        {"unauthorized": true}
 
Other exchanges between the client and the AAA VIP:

Client IP	to AAA VIP	POST /cgi/GetAuthMethods HTTP/1.1
AAA VIP	to Client IP	HTTP/1.1 200 OK (application/vnd.citrix.authenticateresponse-1+xml)
Client IP	to AAA VIP	POST /nf/auth/getAuthenticationRequirements.do HTTP/1.1
AAA VIP	to Client IP	HTTP/1.1 200 OK (application/vnd.citrix.authenticateresponse-1+xml)
and so on.

By this time the page is fully loaded; the user enters credentials and clicks Login.
  • The client posts the credentials to the AAA vServer along with the NSC_TASS cookie.
Client IP	to AAA VIP	POST /nf/auth/doAuthentication.do HTTP/1.1 (application/x-www-form-urlencoded)

    Hypertext Transfer Protocol
        POST /nf/auth/doAuthentication.do HTTP/1.1\r\n
        Host: ns-adfs.kurni.lab\r\n
        Connection: keep-alive\r\n
        Content-Length: 128\r\n
            [Content length: 128]
        Origin: https://ns-adfs.kurni.lab\r\n
        X-Citrix-AM-LabelTypes: none, plain, heading, information, warning, error, confirmation, image, nsg-epa, nsg-epa-failure, nsg-login-label, tlogin-failure-msg, nsg-tlogin-heading, nsg-tlogin-single-res, nsg-tlogin-multi-res, nsg-tlogin, nsg-login-heading, nsg-fullvpn, nsg-l20n, nsg-l20n-error, certauth-failure-msg, dialogue-label, nsg-change-pass-assistive-text, nsg_confirmation, nsg_kba_registration_heading, nsg_email_registration_heading, nsg_kba_validation_question, nsg_sspr_success, nf-manage-otp\r\n
        X-Citrix-IsUsingHTTPS: Yes\r\n
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n
        Accept: application/xml, text/xml, */*; q=0.01\r\n
        X-Citrix-AM-CredentialTypes: none, username, domain, password, newpassword, passcode, savecredentials, textcredential, webview, nsg-epa, negotiate, nsg_push, nsg_push_otp, nf_sspr_rem, nsg-x1, nsg-setclient, nsg-eula, nsg-tlogin, nsg-fullvpn, nsg-hidden, nsg-auth-failure, nsg-auth-success, nsg-epa-success, nsg-l20n, GoBack, nf-recaptcha, ns-dialogue, nf-gw-test, nsg_qrcode, nsg_manageotp\r\n
        X-Requested-With: XMLHttpRequest\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36\r\n
        Referer: https://ns-adfs.kurni.lab/logon/LogonPoint/tmindex.html\r\n
        Accept-Encoding: gzip, deflate, br\r\n
        Accept-Language: en-US,en;q=0.9\r\n
        Cookie: NSC_TASS=U0FNTC1JRFAtUFJPRklMRQBJRD1fN2I0ZGE2YWYyZjI3MTNhMDg1ZWIxMjM2ZGNhZjUzNjMmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTkJUVXd0VTFBdFVGSlBSa2xNUlFCaFNGSXdZMGhOTmt4NU9YcGpRelZ5WkZoS2RXRlROWE5aVjBsMg==\r\n
            Cookie pair: NSC_TASS=U0FNTC1JRFAtUFJPRklMRQBJRD1fN2I0ZGE2YWYyZjI3MTNhMDg1ZWIxMjM2ZGNhZjUzNjMmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTkJUVXd0VTFBdFVGSlBSa2xNUlFCaFNGSXdZMGhOTmt4NU9YcGpRelZ5WkZoS2RXRlROWE5aVjBsMg==
        \r\n
        [Full request URI: https://ns-adfs.kurni.lab/nf/auth/doAuthentication.do]
    HTML Form URL Encoded: application/x-www-form-urlencoded
        Form item: "login" = "guser1"
            Key: login
            Value: guser1
        Form item: "passwd" = "Welcome@123"
            Key: passwd
            Value: Welcome@123
        Form item: "savecredentials" = "false"
            Key: savecredentials
            Value: false
        Form item: "nsg-x1-logon-button" = "Log On"
            Key: nsg-x1-logon-button
            Value: Log On
        Form item: "StateContext" = "bG9naW5zY2hlbWE9ZGVmYXVsdA=="
            Key: StateContext
            Value: bG9naW5zY2hlbWE9ZGVmYXVsdA==
  • The AAA vServer validates the credentials and, after successful authentication, sets the NSC_TMAS cookie for the user.
AAA VIP	to Client IP	HTTP/1.1 200 OK (application/vnd.citrix.authenticateresponse-1+xml)

    Hypertext Transfer Protocol
        HTTP/1.1 200 OK\r\n
        Set-Cookie: NSC_TMAS=16f68c9b459778b663b646db1fbb1ac6;Secure;HttpOnly;Path=/;\r\n
        Content-Length: 303\r\n
            [Content length: 303]
        Cache-control: no-cache, no-store, must-revalidate\r\n
        Pragma: no-cache\r\n
        Content-Type: application/vnd.citrix.authenticateresponse-1+xml;charset=utf-8\r\n
        X-Citrix-Application: Receiver for Web\r\n
        \r\n
    Media Type
        Media type: application/vnd.citrix.authenticateresponse-1+xml; charset=utf-8 (303 bytes)
  • After authentication, the client requests the SAML assertion, presenting the NSC_TASS and NSC_TMAS cookies.
Client IP	to AAA VIP	GET /nf/auth/samlidp/postassertion HTTP/1.1

    Hypertext Transfer Protocol
        GET /nf/auth/samlidp/postassertion HTTP/1.1\r\n
        Host: ns-adfs.kurni.lab\r\n
        Connection: keep-alive\r\n
        Upgrade-Insecure-Requests: 1\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36\r\n
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\r\n
        Referer: https://ns-adfs.kurni.lab/logon/LogonPoint/tmindex.html\r\n
        Accept-Encoding: gzip, deflate, br\r\n
        Accept-Language: en-US,en;q=0.9\r\n
        Cookie: NSC_TASS=U0FNTC1JRFAtUFJPRklMRQBJRD1fN2I0ZGE2YWYyZjI3MTNhMDg1ZWIxMjM2ZGNhZjUzNjMmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTkJUVXd0VTFBdFVGSlBSa2xNUlFCaFNGSXdZMGhOTmt4NU9YcGpRelZ5WkZoS2RXRlROWE5aVjBsMg==; NSC_TMAS=16f68c9b459778b663b646db1fbb1ac6\r\n
            Cookie pair: NSC_TASS=U0FNTC1JRFAtUFJPRklMRQBJRD1fN2I0ZGE2YWYyZjI3MTNhMDg1ZWIxMjM2ZGNhZjUzNjMmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTkJUVXd0VTFBdFVGSlBSa2xNUlFCaFNGSXdZMGhOTmt4NU9YcGpRelZ5WkZoS2RXRlROWE5aVjBsMg==
            Cookie pair: NSC_TMAS=16f68c9b459778b663b646db1fbb1ac6
        \r\n
        [Full request URI: https://ns-adfs.kurni.lab/nf/auth/samlidp/postassertion]
AAA VIP	to Client IP	HTTP/1.1 200 OK (text/html)

    Hypertext Transfer Protocol
        HTTP/1.1 200 OK\r\n
        Set-Cookie: NSC_TMAS=16f68c9b459778b663b646db1fbb1ac6;Secure;HttpOnly;Path=/;\r\n
        Set-Cookie: NSC_TASS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_TMAP=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_TMAV=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_TMAC=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Connection: close\r\n
        Content-Length: 7068\r\n
            [Content length: 7068]
        Cache-control: no-cache, no-store, must-revalidate\r\n
        Pragma: no-cache\r\n
        Content-Type: text/html\r\n
        \r\n
    Line-based text data: text/html (1 lines)
    		<html><head><style type="text/css">body{  visibility: hidden;}</style></head><body onLoad='document.forms[0].submit();'><form action="https://sp.kurni.lab/cgi/samlauth" method="post"><input type=hidden name="SAMLResponse" value="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"><input type=hidden name=RelayState value="bnNfcG9saWN5PVNBTUwtU1AtUFJPRklMRQBhSFIwY0hNNkx5OXpjQzVyZFhKdWFTNXNZV0l2"><span id="If you are not automatically redirected click "></span><input id="Continue" type="submit" value="Continue"><span id="Trailing phrase after Continue button"></span></form></body></html>
  • The client posts the SAML response to the LB VIP along with the earlier cookie NSC_TMAC=/cgi/tmlogin.
Client IP	to LB VIP	POST /cgi/samlauth HTTP/1.1 (application/x-www-form-urlencoded)

    Hypertext Transfer Protocol
        POST /cgi/samlauth HTTP/1.1\r\n
        Host: sp.kurni.lab\r\n
        Connection: keep-alive\r\n
        Content-Length: 6595\r\n
            [Content length: 6595]
        Cache-Control: max-age=0\r\n
        Origin: https://ns-adfs.kurni.lab\r\n
        Upgrade-Insecure-Requests: 1\r\n
        Content-Type: application/x-www-form-urlencoded\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36\r\n
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\r\n
        Referer: https://ns-adfs.kurni.lab/nf/auth/samlidp/postassertion\r\n
        Accept-Encoding: gzip, deflate, br\r\n
        Accept-Language: en-US,en;q=0.9\r\n
        Cookie: NSC_TMAC=/cgi/tmlogin\r\n
            Cookie pair: NSC_TMAC=/cgi/tmlogin
        \r\n
        [Full request URI: https://sp.kurni.lab/cgi/samlauth]
    
    HTML Form URL Encoded: application/x-www-form-urlencoded
        Form item: "SAMLResponse" = "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovL3NwLmt1cm5pLmxhYi9jZ2kvc2FtbGF1dGgiIElEPSJfZDczYTljYzlhMjEwNTNhMTcyMzc1NWUxNmM5ZWIxODgiIEluUm
            Key: SAMLResponse
            Value: PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovL3NwLmt1cm5pLmxhYi9jZ2kvc2FtbGF1dGgiIElEPSJfZDczYTljYzlhMjEwNTNhMTcyMzc1NWUxNmM5ZWIxODgiIEluUmVzcG9uc2VUbz0iXzdiNGRhNmFmMmYyNzEzYTA4NWViMTIzNmRjYWY1MzYzIiBJc3N1ZUluc3RhbnQ9IjIwMTktMDctMjhUMTM6NTQ6MjZaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI%2BaHR0cHM6Ly9ucy1hZGZzLmt1cm5pLmxhYjwvc2FtbDpJc3N1ZXI%2BPHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIj48L3NhbWxwOlN0YXR1c0NvZGU%2BPC9zYW1scDpTdGF0dXM%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%2BPC9kczpDYW5vbmljYWxpemF0aW9uTWV0aG9kPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZkOGZjMmRjYjBiY2Y4ZTI3NTU3ZTcwMzM3MDdjMzciPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSI%2BPC9kczpUcmFuc2Zvcm0%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI%2BPC9kczpUcmFuc2Zvcm0%2BPC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSI%2BPC9kczpEaWdlc3RNZXRob2Q%2BPGRzOkRpZ2VzdFZhbHVlPlVBOHJ6U1JvbUQwNFlkeWU5RjFtVW9YaUVCQT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU%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%2BPC9kczpYNTA5RGF0YT48L2RzOktleUluZm8%2BPC9kczpTaWduYXR1cmU%2BPHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDp0cmFuc2llbnQiPmd1c2VyMTwvc2FtbDpOYW1lSUQ%2BPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iXzdiN
GRhNmFmMmYyNzEzYTA4NWViMTIzNmRjYWY1MzYzIiBOb3RPbk9yQWZ0ZXI9IjIwMTktMDctMjhUMTM6NTk6MjZaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc3Aua3VybmkubGFiL2NnaS9zYW1sYXV0aCI%2BPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE5LTA3LTI4VDEzOjQ5OjI2WiIgTm90T25PckFmdGVyPSIyMDE5LTA3LTI4VDEzOjU5OjI2WiI%2BPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovL3NwLmt1cm5pLmxhYjwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTktMDctMjhUMTM6NTQ6MjZaIiBTZXNzaW9uSW5kZXg9Ik5TQ19UTUFBMTZmNjhjOWI0NTk3NzhiNjYzYjY0NmRiMWZiYjFhYzYiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9ydDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U%2B
        Form item: "RelayState" = "bnNfcG9saWN5PVNBTUwtU1AtUFJPRklMRQBhSFIwY0hNNkx5OXpjQzVyZFhKdWFTNXNZV0l2"
            Key: RelayState
            Value: bnNfcG9saWN5PVNBTUwtU1AtUFJPRklMRQBhSFIwY0hNNkx5OXpjQzVyZFhKdWFTNXNZV0l2
  • After validating the SAML response, the LB VIP (SP) sets the NSC_TMAS and NSC_TMAA cookies for the user.
LB VIP to Client IP	HTTP/1.1 302 Object Moved

    Hypertext Transfer Protocol
        HTTP/1.1 302 Object Moved\r\n
        Location: https://sp.kurni.lab/cgi/selfauth?code=98a9b83d7594942f\r\n
        Set-Cookie: NSC_TMAA=f358ecb7715977c47b10430731347fb6;HttpOnly;Path=/;\r\n
        Set-Cookie: NSC_TMAS=6ebaebe1dce3de6fc80222d27a4dbe58;Secure;HttpOnly;Path=/;\r\n
        Set-Cookie: NSC_EPAC=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_DLGE=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_USER=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_TASS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_TMAP=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_CERT=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_TMAV=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        Set-Cookie: NSC_TMAC=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n
        X-Frame-Options: SAMEORIGIN\r\n
        Connection: close\r\n
        Content-Length: 0\r\n
            [Content length: 0]
        Cache-control: no-cache, no-store, must-revalidate\r\n
        Pragma: no-cache\r\n
        Content-Type: text/html\r\n
        \r\n
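The "validation of SAML Response" step is where the SP decides whether to trust the login; the following added example (not Citrix ADC code) decodes HTTP-POST binding values such as the SAMLRequest, SAMLResponse and RelayState seen in the captures, and runs the structural checks an SP makes before issuing its own session cookie (Destination and Recipient, InResponseTo, status, single assertion, Issuer, Audience, validity window, signature presence and algorithm), leaving the XML-DSig verification itself to a dedicated library. Assumptions: the RelayState layout used by relay_state_target is inferred from the captured value, and the sample response is constructed to mirror the captured one with placeholder signature values.

```python
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
WEAK_ALGS = ("xmldsig#rsa-sha1", "xmldsig#sha1")  # SHA-1 based: report, plan a migration

def decode_post_binding(form_value: str) -> bytes:
    """Undo the HTTP-POST binding encoding: form-urlencoding (%2B, %3D), then base64."""
    return base64.b64decode(unquote(form_value))

def relay_state_target(relay_state: str) -> str:
    # Layout inferred from the captured value (an assumption): b"<policy>\x00<base64 URL>".
    _policy, _sep, inner = decode_post_binding(relay_state).partition(b"\x00")
    return base64.b64decode(inner).decode()

def parse_saml_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_bytes, *, expected_in_response_to, acs_url, sp_entity_id,
                      idp_entity_id, now, skew=timedelta(seconds=60)):
    """Return (problems, warnings, name_id); accept the login only if problems is empty.
    expected_in_response_to is the AuthnRequest ID the SP stored before redirecting."""
    problems, warnings = [], []
    root = ET.fromstring(xml_bytes)
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_in_response_to:
        problems.append("InResponseTo does not match the AuthnRequest ID we issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # none: nothing to trust; several: ambiguous, reject
        problems.append("expected exactly one Assertion, found %d" % len(assertions))
        return problems, warnings, None
    a = assertions[0]
    if (a.findtext("saml:Issuer", namespaces=NS) or "").strip() != idp_entity_id:
        problems.append("assertion Issuer is not the configured IdP")
    sig = a.find("ds:Signature", NS)
    if sig is None:
        sig = root.find("ds:Signature", NS)
    if sig is None:  # verification itself (XML-DSig, IdP certificate) happens elsewhere
        problems.append("no XML signature on assertion or response")
    else:
        warnings += ["SHA-1 based algorithm: " + el.get("Algorithm") for el in sig.iter()
                     if el.get("Algorithm", "").endswith(WEAK_ALGS)]
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and parse_saml_time(nb) > now + skew:
            problems.append("assertion not yet valid (NotBefore)")
        if noa and parse_saml_time(noa) <= now - skew:
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [x.text.strip() for x in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
        if sp_entity_id not in audiences:
            problems.append("Audience does not include this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']"
                 "/saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:  # bearer confirmation ties the assertion to our ACS URL and to our request
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient is not our ACS URL")
        if scd.get("InResponseTo") != expected_in_response_to:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and parse_saml_time(scd.get("NotOnOrAfter")) <= now - skew:
            problems.append("bearer confirmation expired")
    name_id = (a.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip() or None
    if name_id is None:
        problems.append("no NameID in Subject")
    return problems, warnings, name_id

# Constructed sample mirroring the captured SAMLResponse's fields; signature values are placeholders.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://sp.kurni.lab/cgi/samlauth" ID="_d73a9cc9a21053a1723755e16c9eb188"
 InResponseTo="_7b4da6af2f2713a085eb1236dcaf5363" IssueInstant="2019-07-28T13:54:26Z" Version="2.0">
<saml:Issuer>https://ns-adfs.kurni.lab</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_6d8fc2dcb0bcf8e27557e7033707c37" IssueInstant="2019-07-28T13:54:26Z" Version="2.0">
<saml:Issuer>https://ns-adfs.kurni.lab</saml:Issuer>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_6d8fc2dcb0bcf8e27557e7033707c37"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">guser1</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
 InResponseTo="_7b4da6af2f2713a085eb1236dcaf5363" NotOnOrAfter="2019-07-28T13:59:26Z"
 Recipient="https://sp.kurni.lab/cgi/samlauth"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2019-07-28T13:49:26Z" NotOnOrAfter="2019-07-28T13:59:26Z"><saml:AudienceRestriction>
<saml:Audience>https://sp.kurni.lab</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

To run it against a real capture, pass decode_post_binding(form_value) as xml_bytes; the XML-DSig check (for example with signxml) must succeed before any of these results mean anything.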
  • The client sends the NSC_TMAS and NSC_TMAA cookies and self-authenticates to the SP.
Client IP	to LB VIP	GET /cgi/selfauth?code=98a9b83d7594942f HTTP/1.1

    Hypertext Transfer Protocol
        GET /cgi/selfauth?code=98a9b83d7594942f HTTP/1.1\r\n
        Host: sp.kurni.lab\r\n
        Connection: keep-alive\r\n
        Cache-Control: max-age=0\r\n
        Upgrade-Insecure-Requests: 1\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36\r\n
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\r\n
        Referer: https://ns-adfs.kurni.lab/nf/auth/samlidp/postassertion\r\n
        Accept-Encoding: gzip, deflate, br\r\n
        Accept-Language: en-US,en;q=0.9\r\n
        Cookie: NSC_TMAA=f358ecb7715977c47b10430731347fb6; NSC_TMAS=6ebaebe1dce3de6fc80222d27a4dbe58\r\n
            Cookie pair: NSC_TMAA=f358ecb7715977c47b10430731347fb6
            Cookie pair: NSC_TMAS=6ebaebe1dce3de6fc80222d27a4dbe58
        \r\n
        [Full request URI: https://sp.kurni.lab/cgi/selfauth?code=98a9b83d7594942f]
  • The LB VIP (SP) redirects the user to the resource page.
LB VIP to Client IP	HTTP/1.1 302 Object Moved

    Hypertext Transfer Protocol
        HTTP/1.1 302 Object Moved\r\n
        Location: https://sp.kurni.lab/\r\n
        Set-Cookie: NSC_TMAA=f358ecb7715977c47b10430731347fb6;HttpOnly;Path=/;\r\n
        Set-Cookie: NSC_TMAS=6ebaebe1dce3de6fc80222d27a4dbe58;Secure;HttpOnly;Path=/;\r\n
        X-Frame-Options: SAMEORIGIN\r\n
        Content-Length: 0\r\n
            [Content length: 0]
        Cache-control: no-cache, no-store, must-revalidate\r\n
        Pragma: no-cache\r\n
        Content-Type: text/html\r\n
        \r\n
Client IP	to LB VIP	GET / HTTP/1.1

    Hypertext Transfer Protocol
        GET / HTTP/1.1\r\n
        Host: sp.kurni.lab\r\n
        Connection: keep-alive\r\n
        Cache-Control: max-age=0\r\n
        Upgrade-Insecure-Requests: 1\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36\r\n
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\r\n
        Referer: https://ns-adfs.kurni.lab/nf/auth/samlidp/postassertion\r\n
        Accept-Encoding: gzip, deflate, br\r\n
        Accept-Language: en-US,en;q=0.9\r\n
        Cookie: NSC_TMAA=f358ecb7715977c47b10430731347fb6; NSC_TMAS=6ebaebe1dce3de6fc80222d27a4dbe58\r\n
            Cookie pair: NSC_TMAA=f358ecb7715977c47b10430731347fb6
            Cookie pair: NSC_TMAS=6ebaebe1dce3de6fc80222d27a4dbe58
        \r\n
        [Full request URI: https://sp.kurni.lab/]
  • The LB VIP (SP) responds to the user with the requested resource.
LB VIP to Client IP	HTTP/1.1 200 OK (text/html)

    Hypertext Transfer Protocol
        HTTP/1.1 200 OK\r\n
        Content-Type: text/html\r\n
        Last-Modified: Mon, 03 Jun 2019 10:43:57 GMT\r\n
        Accept-Ranges: bytes\r\n
        ETag: "3a96403ff919d51:0"\r\n
        Server: Microsoft-IIS/8.5\r\n
        Date: Sun, 28 Jul 2019 13:54:04 GMT\r\n
        Content-Length: 701\r\n
            [Content length: 701]
        \r\n
    Line-based text data: text/html (32 lines)
    
   <<<<<< webpage code >>>>>>


Conclusion

This is how traffic flows between the client, the SP and the IdP in SAML SP-initiated SSO.

Issue/Introduction

This article explains how SAML SP-initiated SSO traffic flows between the entities (client, SP and IdP).

Additional Information

You can refer to this article for more information on the steps to configure Citrix ADC1 as SAML SP and Citrix ADC2 as SAML IdP: Article # 000210534