Simulate MS AD SAML Login for Jmeter Performance Test

Question

Hello,

First of all thanks to all the community for the content of this site.

We have a website using MS Azure AD SAML to authenticate all users. In order to automate the performance tests in the website, we need to simulate the login into the Azure AD SAML to obtain a SAML Assertion ID to pass to our website. We followed the same authentication flow that we identified in our browser.

So far, we are following these steps:

1. GET to our local SP with a redirect to Azure Client ID (IdP = https://sts.windows.net/xxx-xxx ) to obtain the SAML Request.
   • From this point we get the following parameters that are used in the next step: SAMLRequest, SigAlg, Signature
   • This step is working as expected and we get all expected parameters.
2. GET to login.microsoftonline.com/clientID/saml2?SAMLRequest=XX&SigAlg=XX&Signature=XX
   • From this point we get the following parameters that are used in the next step: esctx, canary, ApiCanary, flowToken, originalRequest, hpgact, hpgid, hpgrequestid, x-ms-request-id, buid, ctx
   • This step is working as expected and we get all the expected parameters.
3. POST to login.microsoftonline.com/common/GetCredentialType?mkt=en-US
   • We made a POST using JSON format to pass, amount others, the flowToken, originalRequest and the username.
   • This step is working as expected and we get the expected response verifying that the user has password to continue with the login.
4. POST to login.microsoftonline.com/clientID/login
   • We made a POST using format application/x-www-form-urlencoded to pass, amount others, the flowToken, login, password, canary, hpgrequestid and ctx.
   • This step is working as expected and we get the expected response.
5. POST to login.microsoftonline.com/clientID/kmsi
   • We made a POST using format application/x-www-form-urlencoded to pass amount others the flowToken, canary, hpgrequestid and ctx.
   • This step is not working and we do not get the SAMLResponse to give it back to our IdP. (We get a 200 but in the response says that we are missing a parameter)

We verify many times that we are passing all the cookies and headers to every step (HTTP Request) in the Test Plan and so far we get the same responses and cookies as if we were in the browser.

Could you please tell us:

1. Is it possible to simulate this authentication flow using JMETER?
2. If it is, are we calling all the right entry points to make a successful login or are we missing some?
3. We were searching for documentation about this authentication flow, but without success, so, is there any documentation about this topic and all the endpoints to be called?

Thanks a lot in advance.

Best regards,
Daniel

Answer 1

Hello @Daniel J ,

I believe you should disable KMSI check from your testing workflow in your UAT environment. Ideally you are doing the performance/load testing on Azure AD authentictaion endpoints which should not require the testing the KMSI interrupt. In general the Azure AD sign-in flow gives users the option to remain signed in until they explicitly sign out using KMSI. This does not change Azure AD session lifetime but allows sessions to remain active when users close and reopen their browser. The KMSI was introduced to help reduce the number of times users are prompted to sign into any Azure AD application . when it is enabled and user chooses to keep themseleves signed it at the prompt, a persistent cookie is returned to the session. But I do not think you need this step to test the performance/resiliency of the auth endpoints .

You can disable this in your UAT test environment by going to Azure AD portal > Company Branding > Show option to remain signed in > Set this to NO.

Set the option to NO .

Hope this helps. In case the information provided is helpful , please do accept it as answer to that it is helpful to other members of the community searching for similar queries.

Thank you.

Answer 2

Hello @Shashi Shailaj ,

Thanks a lot for your answer, I really appreciate it.

As you suggested, I disabled the KMSI in our UAT environment and run the tests again and all worked as expected and I got the SAML Response.

But in our case we need to run these tests in our Production environment. We have to do it this way because we need to measure the response / load timings in the Production environment in order to be compliant with some SLAs.

Therefore, do you know a way to still be able to login (get the SAML Response) with the KMSI enabled using JMETER, please? Or maybe some documentation where I can find some information about how the KMSI works in case I am missing a parameter?

And don't worry, in case I don't find the solution, after some time I will accept you answer because it is working with the KMSI disabled.

Thanks a lot again,

Best regards,
Daniel

Answer 3

Hi .

I am scripting same but when i do the first request i get the SAML Reqeust and Relay and i capture them, however when i do execute the second step to generate the token, nothing gets generated i get a crappy js script that i cant interpret, can someone please share some script? I am keen to know how it gets developed.

Thanks,

Answer 4

Hi

I am facing the same issue.. where I am not getting the response value of "SAMLResponse" after executing kmsi api.

Is there any other solution to the problem other than disabling the kmsi check?

Please let me know of any updates.