The following procedure describes how to view a SAML response from your SAML identity provider in your browser. The SAML response contains the user’s claims as issued by the SAML provider, such as groups the user belongs to, username, and email. This helps determine if the SAML provider is sending over the expected information to Laserfiche. The Directory Server token is built after interpreting the SAML response and incorporating user properties stored in Directory Server.
To view a SAML response in Chrome, Edge, or Firefox, follow these steps:
- Open Chrome, Edge, or Firefox and press F12 to start the developer console.
- In Chrome or Edge, select the Network tab, then click Preserve log. In Firefox, select the Network tab, then click Persist logs.
- Reproduce the issue by navigating to an application and signing in via your SAML provider.
- Look for SSO in the network request list's Name column. In Chrome or Edge, select that row and then view the Headers tab. In Firefox, view the Params tab. Under Form Data, look for the SAMLResponse attribute that contains the encoded response. For an example, see the image of an intercepted SAML Response below.
- Once you find the SAML response element in your browser, copy it and use a Base-64 decoding tool to extract the XML tagged response.
- For example, you may see this in a SAMLResponse:
- For example, you may see this in a SAMLResponse:
- Compare the claims contained in the SAML response to the Directory Server token. Mismatches can help narrow down where to investigate potential configuration issues.
- If the claims don't match, take a closer look at your Directory Server configuration.
- If the claims match, but don't match your expectations for what should be included, take a closer look at your SAML provider configuration.
- If the claims match, and are what you expect, the issue is likely not related to SSO configuration (e.g., you didn't put the group in your repository trusted groups).