I am thinking how to gain and analyze the information in the real SSO (request/response) messages, for some commercial SSO solutions.
The challenge is that most commercial SSO solutions are black-box or gray-box. I know the OpenID/SAML protocols. Based on these standards, SSO vendors(idps) customized their own SSO solutions, such as Google ID SSO, Paypal Access SSO, Facebook Connect SSO, and many more.
As the SSO token/assertion is transmitted through network, is it possible to analyze them (SSO request/response messages) by the help of network sniffing?
I know many of them are already encrypted by TLS/HTTPS. Is it possible to turn them into HTTP and analyze?
Any other methodology can help commercial SSO's analysis, except searching official whitepapers online? For example, browser-based analysis.