Uploaded image for project: 'OpenSAML - C++'
  1. OpenSAML - C++
  2. CPPOST-61

[HTTP-Redirect binding] [Message encoding] There should be no '%0A' in the SAMLRequest parameter value

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.4
    • Fix Version/s: 2.4.1
    • Component/s: SAML 2
    • Labels:
      None
    • Operating System:
      Linux
    • CPU Type:
      x86
    • C/C++ Compiler:
      Multiple

      Description

      I was checking the shibboleth-sp compatibility with a proprietary implementation of SAML2. When using the HTTP-Redirect binding for the SSO profile, the IdP-side saml2 implementation failed to parse the SAMLRequest parameter.

      From what I've seen in the shibboleth-sp-2.4 sources, i uses OpenSAML C++ 2.4.

      Here is the SAMLRequest parameter as found in the URL sent to the browser:
      SAMLRequest=fZFdT8MgFIb%2FSsN9S6EuW8japG4XLpnarNMLbwx0bCWhUDlU57%2B3H2pmTHZ3%0AAi8PvA9L4I1uWd752uzkWyfBB%2BdGG2DjRoo6Z5jloIAZ3khgvmJlfr9lNIpZ%0A66y3ldUoyAGk88qalTXQNdKV0r2rSj7ttimqvW8ZxiBC3raRPPOm1TKy7oTL%0AWglhtfR1BGDxAKa4eCz3KFj3L1GGD8xfgjgDREdX6Uh0WvcTW8Q0GZdDPjTA%0A2p6UQcFmnaLXZLEQh4ST5ChmNzPRDySZS3Gs6JxQmhz6GEAnNwY8Nz5FNCYk%0AjElI6J7MGJkzQl5QUHx3vFXmoMzpuhAxhYDd7fdFOBV5lg7GEn0AZctBKxsv%0Adheir2P5j12U%2FZe4xBfIid%2Byh56xWRdWq%2BozyLW2HysnuZcpIghn05G%2Fv559%0AAQ%3D%3D%0A

      You can notice there are '%0A' strings which are the URL-encoded form of linefeeds ('\n').

      However, the saml2-bindings-2.0-os specification states in the DEFLATE encoding (3.4.4.1 lines 585-586) :
      " 3 - The compressed data is subsequently base64-encoded according to the rules specified in IETF RFC 2045 [RFC2045]. Linefeeds or other whitespace MUST be removed from the result."

      Therefore, no '%0A' should appear in the URL-encoded Base64 data. Doing so is likely to cause compatibility problems.

        Attachments

          Activity

            People

            Assignee:
            cantor.2@osu.edu Scott Cantor
            Reporter:
            serve-o Olivier Serve
            Watchers:
            0 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: