How can I use JMeter to authenticate to a SAML server and proceed with performance testing?

Question

I'm having trouble finding a helpful guide or answer to the following issue. Using JMeter, how can I authenticate to a SAML server (SAML 2.0 assertion) and then proceed with performance testing?

The application-under-test behaves as follows:

1. In a browser, go to https://application_url/login (GET Status Code 302)
2. Going to the above URL will redirect you to the authentication server, as follows: https://saml_auth_server_url/?SAMLRequest=(value) (GET Status Code 302)
3. There is a second GET on the above URL which adds &client-request-id=(value) to the end of the SAMLRequest string (GET Status Code 200)
4. Redirect to https://application_url (GET Status Code 302)

After this sequence happens, I can navigate to all child URLs of https://application_url (e.g. https://application_url/quicklinks) and I will get data back instead of a Status Code 403 Unauthorized.

How can I set this all up in a JMeter script so it works on playback?

Please let me know if you need any more information. Thank you.

Answer 1

It's a matter of correlation, you need to extract all these dynamic parameters like SAMLRequest, authenticity_token, etc. from previous responses using suitable JMeter Post-Processors and replace recorded values with the JMeter Variables from the Post-Processors.

You can use How to Load Test SAML SSO Secured Websites with JMeter as a reference, but only as a reference because your SAML authentication setup might be different and depending on response types you might want to choose other/better Post-Processors.