What is Claims X-Ray in ADFS
In this blog we will discuss what Claims X-Ray in ADFS is and talk about the Claims X-Ray ADFS Help tool. We will add the Claims X-Ray tool as a Relying Party Trust on the ADFS server, test ADFS server authentication with it, and then analyze the Claims X-Ray Token Response page.
What is Claims X-Ray in ADFS
The Claims X-Ray tool is an online service used to debug and troubleshoot problems with claims issuance. With it you can test whether the ADFS server is issuing claims and whether a user is being authenticated.
When you test authentication using Claims X-Ray, the tool interacts with your ADFS server and checks whether the server issues the claims. This makes it very useful when you are troubleshooting ADFS issues.
Before we use this tool, we need to add it as a Relying Party Trust on the ADFS server. If we try to test authentication with the tool without adding it as a relying party trust, we will get an error.
Claims X-Ray ADFS help
The Claims X-Ray tool helps us test or troubleshoot ADFS authentication. The process involves 3 steps:
1. Adding the Claims X-Ray tool as a Relying Party Trust in ADFS
2. Adding the ADFS server details in the Claims X-Ray tool and testing authentication
3. Analyzing the token received from the ADFS server
Add Claims X-Ray tool as a Relying Party Trust
To add the Claims X-Ray tool as a relying party trust, go to this link, go to the Relying Party Trust Management section, and click Download to download the script.
On the ADFS server, open Windows PowerShell and run this script. At the prompt, leave the default settings and click Apply changes.
Once the script has run successfully, open the ADFS Management console, expand Services, and click Relying Party Trusts. You should see Claims Xray added as a relying party trust, as shown below.
Claims X-Ray tool helps you to test ADFS server authentication. Once Claims X-Ray is added as a Relying Party Trust in your ADFS server, this tool can communicate with your ADFS server.
Test ADFS authentication with Claims X-Ray tool
To test ADFS authentication using Claims X-Ray tool, click this link and click Next.
On the next page of the Claims X-Ray tool, under Federation instance, type the Federation Service Name of your ADFS server. To find the Federation Service Name, open the ADFS Management console, right-click the server name, and click Edit Federation Service Properties as shown below:
On the Federation Service Properties, you will find Federation Service name as shown below:
Under Authentication type on the Claims X-Ray tool, you can select one of the available authentication methods. For this demo I will select Forms.
In the above image you can see we have added ADFS server Federation Service Name and we selected Forms as authentication method.
Under Token request, select WS-FED (SAML 1.1), check Force fresh authentication, and click Test Authentication.
You will be redirected to your ADFS server sign-in page as shown below. This indicates that the Claims X-Ray tool can communicate with our ADFS server and that the ADFS server can issue tokens to the Claims X-Ray tool.
Type the username and password of a user account in your organization and click Sign in.
As soon as you click Sign in, you will be redirected to the Claims X-Ray Token Response page, where you can analyze the token received from the ADFS server.
Analyze Claims X-Ray Token Response page
On the Claims X-Ray Token Response page you will find the information related to the claims, information related to the security token, and much more.
So let’s analyze Claims X-Ray Token Response page and let’s see what sort of information we can find here.
As shown in the image below, we used FormsAuthentication while testing authentication. You can see the UPN (User Principal Name) and the name of the user we used during testing, that this user signed in from the internal network, the IP address of the machine from which we tested authentication, and the ADFS endpoint name (/adfs/ls) that answered the Claims X-Ray authentication request.
Under the Token Validity section on the Token Response page, you will see the access token that was issued by the ADFS server to the Claims X-Ray tool.
Important: By default an access token is valid for 1 hour.
Under the Token Signing Certificate section on the Token Response page, you will find the details of your ADFS server's token-signing certificate: its Subject Name, the Issuer name (the ADFS server Federation Service Identifier), the valid-from and valid-till dates, the thumbprint, and the signature algorithm used in the token-signing certificate.
Under the Raw Token section of the Claims X-Ray Token Response page, you will see the token issued by the ADFS server to the Claims X-Ray tool.
In this token you can see when the token was created and when it will expire, the name of the application to which the token was issued, and that the token type is SAML 1.0.
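The fields called out above can also be read directly from a raw token. The following is an added example, not part of the original post or of the Claims X-Ray tool: it parses a constructed, simplified SAML 1.1 assertion and extracts the validity window, audience, claims, signature algorithm and certificate thumbprint. The issuer URL, audience, user and "certificate" bytes are made-up placeholders, and the code does not verify the signature.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, simplified sample (not a real token); the "certificate" is placeholder bytes.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  MajorVersion="1" MinorVersion="1" Issuer="http://sts.example.com/adfs/services/trust">
 <saml:Conditions NotBefore="2024-01-01T10:00:00.000Z" NotOnOrAfter="2024-01-01T11:00:00.000Z">
  <saml:AudienceRestrictionCondition><saml:Audience>urn:example:claimsxray</saml:Audience></saml:AudienceRestrictionCondition>
 </saml:Conditions>
 <saml:AttributeStatement><saml:Attribute AttributeName="upn"
    AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"/>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Y29uc3RydWN0ZWQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature>
</saml:Assertion>"""

def ts(s):  # UTC timestamp with fractional seconds, e.g. 2024-01-01T10:00:00.000Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def analyze(xml_text):
    """Extract the fields an analyst reviews. Does NOT verify the signature."""
    a = ET.fromstring(xml_text)
    cond = a.find("saml:Conditions", NS)
    nb, noa = ts(cond.get("NotBefore")), ts(cond.get("NotOnOrAfter"))
    cert = base64.b64decode(a.findtext(".//ds:X509Certificate", namespaces=NS))
    claims = {}
    for at in a.iterfind(".//saml:Attribute", NS):
        key = at.get("AttributeNamespace") + "/" + at.get("AttributeName")
        claims[key] = [v.text for v in at.iterfind("saml:AttributeValue", NS)]
    return {
        "issuer": a.get("Issuer"), "version": a.get("MajorVersion") + "." + a.get("MinorVersion"),
        "not_before": nb, "not_on_or_after": noa, "lifetime": noa - nb,
        "audience": a.findtext(".//saml:Audience", namespaces=NS),
        "auth_method": a.find("saml:AuthenticationStatement", NS).get("AuthenticationMethod"),
        "claims": claims,
        "sig_alg": a.find(".//ds:SignatureMethod", NS).get("Algorithm"),
        "thumbprint": hashlib.sha1(cert).hexdigest().upper(),  # SHA-1 over the DER bytes
    }

def is_current(info, now, skew=timedelta(minutes=5)):
    """True if `now` falls inside the validity window, allowing for clock skew."""
    return info["not_before"] - skew <= now < info["not_on_or_after"] + skew
```

Comparing the extracted thumbprint and audience against the values you expect for your own ADFS farm is a quick sanity check before looking at individual claims.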
Conclusion
In this blog we learnt what Claims X-Ray in ADFS is and how to use the Claims X-Ray ADFS Help tool. We learnt how to add the Claims X-Ray tool as a Relying Party Trust, how to test ADFS authentication with it, and how to analyze the Claims X-Ray Token Response page.
Happy Learning!!