question

DanielJ-0638 avatar image
0 Votes"
DanielJ-0638 asked ·

Simulate MS AD SAML Login for Jmeter Performance Test

Hello,

First of all thanks to all the community for the content of this site.

We have a website using MS Azure AD SAML to authenticate all users. In order to automate the performance tests in the website, we need to simulate the login into the Azure AD SAML to obtain a SAML Assertion ID to pass to our website. We followed the same authentication flow that we identified in our browser.

So far, we are following these steps:

  1. GET to our local SP with a redirect to Azure Client ID (IdP = https://sts.windows.net/xxx-xxx ) to obtain the SAML Request.
    • From this point we get the following parameters that are used in the next step: SAMLRequest, SigAlg, Signature

    • This step is working as expected and we get all expected parameters.

  2. GET to login.microsoftonline.com/clientID/saml2?SAMLRequest=XX&SigAlg=XX&Signature=XX
    • From this point we get the following parameters that are used in the next step: esctx, canary, ApiCanary, flowToken, originalRequest, hpgact, hpgid, hpgrequestid, x-ms-request-id, buid, ctx

    • This step is working as expected and we get all the expected parameters.

  3. POST to login.microsoftonline.com/common/GetCredentialType?mkt=en-US
    • We made a POST using JSON format to pass, amount others, the flowToken, originalRequest and the username.

    • This step is working as expected and we get the expected response verifying that the user has password to continue with the login.

  4. POST to login.microsoftonline.com/clientID/login
    • We made a POST using format application/x-www-form-urlencoded to pass, amount others, the flowToken, login, password, canary, hpgrequestid and ctx.

    • This step is working as expected and we get the expected response.

  5. POST to login.microsoftonline.com/clientID/kmsi
    • We made a POST using format application/x-www-form-urlencoded to pass amount others the flowToken, canary, hpgrequestid and ctx.

    • This step is not working and we do not get the SAMLResponse to give it back to our IdP. (We get a 200 but in the response says that we are missing a parameter)

We verify many times that we are passing all the cookies and headers to every step (HTTP Request) in the Test Plan and so far we get the same responses and cookies as if we were in the browser.

Could you please tell us:

  1. Is it possible to simulate this authentication flow using JMETER?

  2. If it is, are we calling all the right entry points to make a successful login or are we missing some?

  3. We were searching for documentation about this authentication flow, but without success, so, is there any documentation about this topic and all the endpoints to be called?

Thanks a lot in advance.

Best regards,
Daniel

azure-active-directory
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ShashiShailaj-MSFT avatar image
1 Vote"
ShashiShailaj-MSFT answered ·

Hello @DanielJ-0638 ,

I believe you should disable KMSI check from your testing workflow in your UAT environment. Ideally you are doing the performance/load testing on Azure AD authentictaion endpoints which should not require the testing the KMSI interrupt. In general the Azure AD sign-in flow gives users the option to remain signed in until they explicitly sign out using KMSI. This does not change Azure AD session lifetime but allows sessions to remain active when users close and reopen their browser. The KMSI was introduced to help reduce the number of times users are prompted to sign into any Azure AD application . when it is enabled and user chooses to keep themseleves signed it at the prompt, a persistent cookie is returned to the session. But I do not think you need this step to test the performance/resiliency of the auth endpoints .

You can disable this in your UAT test environment by going to Azure AD portal > Company Branding > Show option to remain signed in > Set this to NO.

6141-companybrand.jpg

Set the option to NO .

6151-branding.jpg

Hope this helps. In case the information provided is helpful , please do accept it as answer to that it is helpful to other members of the community searching for similar queries.

Thank you.



companybrand.jpg (45.7 KiB)
branding.jpg (5.8 KiB)
· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DanielJ-0638 avatar image
0 Votes"
DanielJ-0638 answered ·

Hello @shashishailaj,

Thanks a lot for your answer, I really appreciate it.

As you suggested, I disabled the KMSI in our UAT environment and run the tests again and all worked as expected and I got the SAML Response.

But in our case we need to run these tests in our Production environment. We have to do it this way because we need to measure the response / load timings in the Production environment in order to be compliant with some SLAs.

Therefore, do you know a way to still be able to login (get the SAML Response) with the KMSI enabled using JMETER, please? Or maybe some documentation where I can find some information about how the KMSI works in case I am missing a parameter?

And don't worry, in case I don't find the solution, after some time I will accept you answer because it is working with the KMSI disabled.

Thanks a lot again,

Best regards,
Daniel

· 1 · Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@DanielJ-0638 , I am trying to find more information on this and will update you .

Thank you.

1 Vote 1 · ·
SalamEmad-9456 avatar image
0 Votes"
SalamEmad-9456 answered ·

Hi .

I am scripting same but when i do the first request i get the SAML Reqeust and Relay and i capture them, however when i do execute the second step to generate the token, nothing gets generated i get a crappy js script that i cant interpret, can someone please share some script? I am keen to know how it gets developed.

Thanks,

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.