Hello,
I have some sp which is using saml 2.0 as sign-in protocol. Since I want to know which reply party user come form, I enable auditing in ADFS. After that, I can get the get the user query string in EVENT ID 403( Do I look at the correct EVENT?).
But unlike WF-Fed which can easy get reply party identity id in the query, the query string in SAML is complex:
?SAMLRequest=nVLLbtswEPwVgXdJlBXZEWEbcGMEMZCmRuz20EuxFtc1AT5U7ipp%2F7603AJJDz70xOXsznA42DmBs71aDXzyz%2FhjQOLsp7Oe1NhYiCF6FYAMKQ8OSXGndquPj2pSSNXHwKELVryhXGcAEUY2wYtss16Ib41uusnt4dCCbm6m02om20M7a1G22LX1saqmNdbyRkIjsi8YKTEXIgklOtGAG08MnhMkqyaXdS7bvZypplKT268iW6ffGA88sk7MPamyBH2kWuNLoYMD44tUjlhpqRTZ6q%2FBu%2BBpcBh3GF9Mh5%2BfH99L8Kj9vRgcdIULJRnXWzwnULqgB4tFf%2BrL8U6Xc5JDRyOq8QiD5Zx6kW3%2FZPjBeJ30rsd3uAyRetjvt%2Fn2024vlvOzthrjiMv%2Fd%2BiQQQPDPwbn5Vv5%2BWVbnpKxzXobrOl%2BZfchOuDrvs%2BI0flxHFUcwZNBzylua8PrXURgXAiOA4pyeXny%2FU4ufwM%3D&RelayState=https%3A%2F%2Fadfstesting.umac.mo%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Ddefault-sp
How can I covert this SAML request to plaintext? Since all the ADFS log will be stored in Splunk, is it possible to convert them automatically?
Thank you.