Compass Security Blog

Offensive Defense

SAMLRequest Support for SAML Raider

About a year ago, the Burp extension SAML Raider [0] was released as the result of a bachelor thesis [1] in collaboration with Compass Security. This Burp extension automates most of the steps necessary to test a SAML single sign-on process and perform the corresponding attacks. With SAML Raider, an authentication bypass vulnerability in a Service Provider was found [2]. More information is available in our first blog post about SAML Raider here: SAML Burp Extension [5].

We did some bugfixing and added new features to SAML Raider in the past year. In version 1.2.0, we introduced the new ability to intercept and edit SAMLRequest Messages. The current version is 1.2.1, which is available here [3] on GitHub. It will also be in the official Burp Suite BApp store [4] shortly.

Decode SAMLRequest Message

There are several Burp Extensions [6] like SAML ReQuest [7], SAML Editor or SAML Encoder which allow you to edit SAMLRequests. We also got asked [8] if this feature is supported in SAML Raider, which was not the case. Because this would be a nice feature, we implemented it in version 1.2.0.

What is a SAMLRequest?

A SAMLRequest is the SAML message sent from the user (browser) to the Identity Provider to “ask” for an assertion. Usually, the Identity Provider responds to the SAMLRequest with a login form asking for the credentials. If the login is successful, the SAMLResponse is sent back to the client, which then forwards it to the Service Provider.

A SAMLRequest is sent via POST to the Identity Provider and looks like this:


So it’s quite clear that this is not very practical for quick editing and testing.

SAMLRequest in SAML Raider

SAML Raider is now able to properly decode a SAMLRequest and display it in the SAML Raider tab:


Now it is very easy to modify the SAMLRequest. When the Forward button is clicked, the SAMLRequest is automatically encoded back into its original format and forwarded to the target.

But why do you need to view/edit the SAMLRequest? With this new feature, you can read exactly what the client is sending to the Identity Provider and perform fuzzing or test the Identity Provider itself.
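As an added example (not code from the SAML Raider project), the following Python shows the decode, edit and re-encode round trip the tab performs, and also covers the HTTP-Redirect binding (raw DEFLATE plus base64 plus URL encoding), which the post does not discuss; the AuthnRequest, its ID, timestamp and hostnames are constructed sample values.

```python
import base64
import urllib.parse
import xml.dom.minidom
import zlib

# Constructed sample AuthnRequest; ID, timestamp and hosts are made up.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_id-example-1" '
    'Version="2.0" IssueInstant="2018-05-30T08:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def decode_saml_request(param):
    """Decode a SAMLRequest parameter; returns (xml_text, binding).
    POST binding: plain base64. Redirect binding: URL-encoded, base64, raw
    DEFLATE. Binding is guessed: XML starts with '<', DEFLATE normally not."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8"), "post"
    return zlib.decompress(raw, -15).decode("utf-8"), "redirect"


def encode_saml_request(xml_text, binding):
    """Inverse of decode_saml_request: rebuild the parameter for the binding."""
    data = xml_text.encode("utf-8")
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no header
        data = comp.compress(data) + comp.flush()
    b64 = base64.b64encode(data).decode("ascii")
    return urllib.parse.quote(b64, safe="") if binding == "redirect" else b64


def set_request_attribute(xml_text, name, value):
    """Change one root attribute, as one would in the SAML Raider tab.
    A signed request no longer verifies afterwards; SAML Raider does not
    re-sign SAMLRequests (see the comments below the post)."""
    doc = xml.dom.minidom.parseString(xml_text)
    doc.documentElement.setAttribute(name, value)
    return doc.documentElement.toxml()


def pretty_print(xml_text):
    """Indented view of the decoded request, like the SAML Raider tab shows."""
    return xml.dom.minidom.parseString(xml_text).toprettyxml(indent="  ")
```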

So, if you have any questions, issues or feature requests, don’t hesitate to contact us or open an Issue on GitHub [0].



  1. Hi,

    I would like to know how the edited SAML response is re-signed with the IdP’s private key. I have imported the Private Key but am not able to view the imported Private Key in XML Signature (Message editor).

    • Emanuel Duss

      May 30, 2018 at 08:06

      You have to import the certificate as well. The private key alone is not sufficient to sign the assertion.

      1) Did you also import the certificate?
      2) Did you import the private key when you have selected the certificate?
      3) Is the “Private Key” checkbox enabled in the Certificate tab?
      4) Can you send a screenshot of the imported certificate and the Private Key checkbox and from the certificate drop down in the SAML message editor?

  2. Hi Emanuel Duss,

    Thanks for your quick response.

    Since it is an evaluation copy, the Private Key check box is disabled in Burp Suite. Is there a way you can help us enable this in the evaluation copy? If it is not possible in the evaluation version, can you please share an email ID to reach out to for professional help with the tool? Based on that we will procure this tool.

    • Emanuel Duss

      May 30, 2018 at 13:43


      There is no difference in SAML Raider if you have the Burp Suite professional or the free version.

      Please provide a screenshot of the Certificate tab where you have imported the certificate AND the private key.

      • Hi Emanuel Duss,

        Thanks for your quick response. Now I am able to see the imported certificate in the Message editor. I had tried importing the certificate after accessing the URL, hence I was not able to see the imported certificate.

        I have another query. While importing the PROD private key I am getting “Error importing private key.(malformed sequence in RSA private key)”. I have copied the private key separately into a .pem file and tried to import it. Can you please help with this?

  3. Hi Emanuel Duss,

    It worked… Thank you so much…

    One more doubt.
    Can we use SAML Raider for testing Azure AD onboarded applications?

    • Emanuel Duss

      June 14, 2018 at 13:03

      Hi Anuja

      Cool. I’m glad it worked in the end.

      If the application uses SAML, you can use SAML Raider for that, independent of the underlying software, because SAML is an open standard.

      Happy Hacking ;-)


  4. Emanuel Duss

    June 25, 2018 at 16:26

    Hi Anuja

    What logs do you mean? The plugin output and errors are shown in the dialog when you load the extension.

    Best regards,

    • Hi Emanuel Duss,

      I would like to get the error logs. For example, for the first test case I have tried applying the XSW1 attack and for the next time I may apply the XSW2 attack. Is there any chance to see these logs? So that I can attach these logs in the test case document instead of taking screenshots of error pages.


      • Emanuel Duss

        June 26, 2018 at 11:04

        Hi Anuja

        No, the results are not logged. You have to save it for yourself.

        Best regards,

  5. Hi.

    Thank you for making this tool. Unfortunately I cannot quite get it to work. I want to intercept SAML messages, edit them, and resign them. I did as you suggested in the other comments (import certificate, import private key in DER format) but “private key” is still greyed out (see …). What am I doing wrong?

    PS: I start with a .jks file and get certificate and private key from that.

    • Emanuel Duss

      February 13, 2020 at 17:16

      Hi Sune

      You’re welcome :)

      I assume the private key is in the wrong format.

      So if you use the DER format, can you read your key file using the following command:

      # openssl rsa -inform der -in key.test
      writing RSA key
      -----BEGIN RSA PRIVATE KEY-----
      -----END RSA PRIVATE KEY-----

      This should be possible without entering a passphrase.


      • Hello again and thank you for your reply.

        I cannot replicate my error from last time, but I still can’t get it to work. I export my private key with KeyStore Explorer from my JKS file to both PEM and binary format. I can indeed read the binary key like you suggested, and it shows the same as the PEM key file. However, both of them give me “error(null)” when trying to import them in the Burp tool.

        • Emanuel Duss

          February 21, 2020 at 11:49

          Hello :)

          Does this private key match the public key from the certificate in the SAML Raider Certificate tabs? You can only import the private key if this is the key that belongs to the certificate that you have selected.

          Best regards,

          • Thank you again. We use several different certificates and keys, so I must have messed them up.

            I have another question. Can your tool – or another you know of – also re-sign SAMLRequests? Fx take the following
            I know you can decode and re-encode the request as this blog post says, but can you also recalculate the signature with a private key?

        • Emanuel Duss

          March 10, 2020 at 17:05

          Hi Sune

          OK, glad to see that it worked now ;-)

          No, I think it’s not possible at the moment to sign such SAML Requests. I’m also not aware of any tool that can do it quickly. Let me know if you found one!


  6. Really enjoyed your article as it’s highly informative
