We Keep Coding

REST API - SAML Authentication with Azure AD as IDP

Having application with SAML authentication along with Azure AD as IDP. When I hit Login SSO button the following happens:
Hits SAML Redirect URL (/Saml/SAMLLoginRedirect)
Redirects automatically to Ping Federator. Redirected URL is received with the response header of the first request. URL consist some SAMLRequest Token and RelayState value. Final response has Submit Form along with new SAMLRequest token and RelayState.
Hitting IDP (login.microsoftonline.com//saml2 with the SAMLRequest and RelayState from the final response not works as expected.
I have resolved this issue in jmeter. I have just enabled Follow Redirect so jmeter provides the response and cookie. I am extracting the Header value of first the request from URL. It is just because Jmeter has the feature of accumulating redirect sample into the original request.
So I am again hitting Ping Federator with the Token and RelayState received using URL extractor along with final response Cookie.
Further I am able to complete the IDP process successfully.
I am not able to achieve the same using RestAssured. When I disable redirect I am able to get the url from header. Processing the URL from the header value throws 500 error code though I have added the cookie information.
If I enabled redirect I am getting 200 response code along with expected response body and cookie.
But I am unable to proceed to the Ping Federator with the token and relay state received from the response. So I have to hit again the Ping Federator with the previous SAML Token again as I did with jMeter to achieve the proper response.
Problem: Unable to get the header value if I enable the redirect and further processing fails. If I disable the redirect then I am not getting Cookie and expected response when processing the URL from header value. Here all are GET request until the IDP (login.microsoftonline.com)

JMeter's HTTP Cookie Manager automatically extracts cookies from the Set-Cookie response header and sends them with the next request via Cookie request header if domain and path match and the cookie isn't expired.
RestAssured doesn't do this automatically so you will need to extract the cookies from the response and add them to the next request manually.
References:
REST Assured Tutorial 49 – How To Retrieve Single and MultiValue Headers From Response Using Rest Assured
Headers, Cookies and Parameters with REST-assured
Going forward you can just use a sniffer tool like Fiddler or Wireshark to compare requests coming from JMeter and RestAssured, given you send the same request (apart from dynamic parameteres which need to be correlated) you will get the same response

jmeter auth token issue

I have internal web application, which I have to test using Jmeter.
The application has secure protections as a username, password and auth token.
Auth token is changing with every new session. I'm unable to path through secure token. Token is include in URL, which look like
http://mytraining.application.net/(S(vj1ckr0nqyvjq3blehcl2jwl))/ApplDefault.aspx?tabid=1. Cookies has look like
Cookie: AUTH_TOK_vj1ckr0nqyvjq3blehcl2jwl=vj1ckr0nqyvjq3blehcl2jwl; AUTH_TOK_syq3r1yu4equ515xzunjobhb=syq3r1yu4equ515xzunjobhb;
So, my Jmeter able to successfully run only when I submit current token in URL.
Please let me know if you have any idea, how to avoid submitting token in all places (35) every time.
[![enter image description here][1]][1]
My AUTH_TOKEN
Regular Expression

It seems you can figure you your Auth_TOK value from the cookies
Add the next line to user.properties file (located in JMeter's "bin" folder
CookieManager.save.cookies=true
Restart JMeter to pick the property up
Add HTTP Cookie Manager to your Test Plan
Now you should be able to see Cookies stored as JMeter Variables using Debug Sampler and View Results Tree listener combination and use cookies values as part of your URL
I would also recommend checking out ASP.NET Login Testing with JMeter as my expectation is that you will have to deal with few other dynamic parameters.

First try with HTTP Cookie Manager as mentioned by Dmitri. This would work if auth token is used in Headers, like Cookie header. Jmeter automatically fetches from Set-Cookie Header, set by server, (when you add HTTP Cookie Manager) for each thread and store it locally, so that it can use in subsequent requests.
If Auth token is used in other places (but not headers) such as part of Url, request body etc, then we should explicitly capture it using Regular Expression Extractor (post processor) and
Regular Expressions Jmeter to correlate the dynamic values. Once you capture the value into a local_variable, we replace the actual values by local_variable (Reference name field in Regular Expression Extractor) wherever we observe the dynamic value in subsequent requests, here auth token, using syntax ${local_variable}.

JMeter logout POST request doesn't actually log out

I'm fairly new with JMeter and am trying to create a log in/log out script for my application with JMeter (2.13). Log in works fine but the log out request isn't logging out. If I look at the response body, it still has the page for the logged in user.
When I log out in Chrome, the request header has one cookie and the response header has set_cookie and a new cookie. In JMeter both request and response header have the same cookie.
Am I missing a step somewhere?
Some notes:
- I am using the an HTTP Cookie Manager
- The initial log out request redirects due to a 302 response.
- In both the log in and log out post requests I'm using the CSRF token that I extracted from the original GET request to go to the sign in page.
- I built the script with the recording tool (HTTP(S) Test Script Recorder)

HttpClient 4.x: how to retain cookies across multiple requests?

I need to use Apache HttpClient (4.x) to make 3 consecutive web calls and essentially log me into my app programmatically:
An HTTP GET to a login page (http://myapp01.example.com)
The server will respond to this GET with a response cookie "JSESSIONID"
An HTTP POST to the same page (using the same JSESSIONID as a request cookie)
The server now authenticates me and validates the JSESSIONID.
An HTTP GET to a different page under the same domain (http://myapp01.example.com/fizz), again using the same JSESSIONID as a request cookie
The first GET's response will contain a cookie named JSESSIONID. The POST will then log me in to the server (sending username and password data in the POST request body). This POST will also send (Set-Cookie) the JSESSIONID cookie received from the first GET. If my logins are successful, the JSESSIONID will now be authenticated, and I am logged in. I can then make the 2nd GET call (still using the same JSESSIONID) to /fizz which is ordinarily an authenticated URL.
Can this be done in HttpClient 4? I see there is a method HttpClient.getCookieStore(). but this seems to only store cookies per GET/POST/PUT/etc.
Any ideas as to how I can get this holding cookies across multiple requests, such that any cookies returned by the server are then added to subsequent requests?

Apache HttpClient takes care of that automatically (since version 2)

JMeter Cookie Manager

I am using JMeter to make a simple login test on my website. I have a Thread Group which contains a Cookie Manager, an HTTP request to the root page, then an HTTP Post which posts a username and password, and then a Results view. When I run the test and view the response, the results show that the first HTTP request correctly calls set-cookie with the JSessionID, but the second HTTP request that POSTS credentials has no cookies - shouldn't this cookie be posted from the Cookie Manager? Thanks.

In most apps that I've tested, I don't see the actual cookie information after the initial request.
If your session isn't being maintained, there are a few quick things to check:
1. there are no hard coded JSessionID values in the HTTP Requests;
2. try different cookie manager types - different applications expect different settings.