I was checking the shibboleth-sp compatibility with a proprietary implementation of SAML2. When using the HTTP-Redirect binding for the SSO profile, the IdP-side saml2 implementation failed to parse the SAMLRequest parameter.
From what I've seen in the shibboleth-sp-2.4 sources, it uses OpenSAML C++ 2.4.
Here is the SAMLRequest parameter as found in the URL sent to the browser:
You can notice there are '%0A' strings which are the URL-encoded form of linefeeds ('\n').
However, the saml2-bindings-2.0-os specification states in the DEFLATE encoding (3.4.4.1 lines 585-586):
" 3 - The compressed data is subsequently base64-encoded according to the rules specified in IETF RFC 2045 [RFC2045]. Linefeeds or other whitespace MUST be removed from the result."
Therefore, no '%0A' should appear in the URL-encoded Base64 data. Doing so is likely to cause compatibility problems.
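
The encoding chain quoted from the specification, written out in Python as an added example (it is not part of the original report and is not Shibboleth or OpenSAML code). The sample AuthnRequest, the URLs and all function names are constructed for illustration; the `mime_wrapped` flag only reproduces the reported symptom by leaving RFC 2045 line breaks in the base64 output, and is an assumption about how such linefeeds can arise.

```python
import base64
import zlib
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample AuthnRequest (not taken from the report).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-example-id" Version="2.0" '
    'IssueInstant="2011-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.org/shibboleth</saml:Issuer></samlp:AuthnRequest>'
)

def raw_deflate(data: bytes) -> bytes:
    # Raw DEFLATE stream (RFC 1951): negative wbits means no zlib header or checksum.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

def encode_samlrequest(xml: str, mime_wrapped: bool = False) -> str:
    # DEFLATE -> base64 -> URL-encode. encodebytes() emits MIME-style output with
    # a linefeed after every 76 characters; b64encode() emits a single line.
    deflated = raw_deflate(xml.encode("utf-8"))
    b64 = base64.encodebytes(deflated) if mime_wrapped else base64.b64encode(deflated)
    return quote(b64.decode("ascii"), safe="")

def _param(url: str) -> str:
    # URL-decoded value of the SAMLRequest query parameter.
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["SAMLRequest"][0]

def samlrequest_has_whitespace(url: str) -> bool:
    # Conformance check: the spec requires whitespace to be removed before URL-encoding.
    return any(ch.isspace() for ch in _param(url))

def decode_samlrequest(url: str, tolerate_whitespace: bool = False) -> str:
    # Receiver side. Strict mode raises binascii.Error (a ValueError) on any
    # non-alphabet character; tolerant mode strips whitespace first.
    value = _param(url)
    if tolerate_whitespace:
        value = "".join(value.split())
    raw = base64.b64decode(value, validate=True)
    return zlib.decompress(raw, -15).decode("utf-8")
```

A strict receiver rejects the wrapped form outright, which matches the parse failure described above; a sender that emits single-line base64 interoperates with both strict and tolerant receivers.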