SP encodes protocol in IDP URL when using HTTP-POST binding

Description

When the SP is configured to use HTTP-POST binding to forward a client to the IDP, the URL in the HTML form action contains an encoded ":" within the protocol. For example:

<form method="POST" action="https&#58;//idp.example.org/idp/profile/SAML2/POST/SSO">

The colon character should not be encoded in URLs when it is used as part of the protocol.

Browsers appear to handle this OK; however, we have application proxies which do not.

Environment

Win2k3/Apache & Win2k3/IIS6

Activity

Scott Cantor June 23, 2009 at 12:46 PM

Closing after releases.

Scott Cantor February 6, 2009 at 10:34 AM

That's part of the logic that protects against XSS. I'm not about to remove it or alter that, but I'll consider an option to control which characters are encoded for people that want to assume the risk themselves.
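The behaviour described in the report and the comment above, as an added illustration (not code from the Shibboleth SP): the HTTP-POST binding form is rendered with attribute escaping that also turns ":" into `&#58;`, a real HTML parser still recovers the original IdP URL, while a proxy that reads the raw attribute text without entity decoding sees a different string. All sample values (IdP URL, request bytes, RelayState) are constructed.

```python
import base64
import html
import re
from html.parser import HTMLParser

# Constructed sample values for the demonstration; not taken from the issue.
IDP_SSO_URL = "https://idp.example.org/idp/profile/SAML2/POST/SSO"
SAMPLE_AUTHN_REQUEST = b'<samlp:AuthnRequest ID="_x1"/>'  # placeholder, not a real request


def escape_attr(value: str) -> str:
    """Escape a value for an HTML attribute; additionally encode ':' as the reported SP did."""
    return html.escape(value, quote=True).replace(":", "&#58;")


def post_binding_form(destination: str, authn_request: bytes, relay_state: str) -> str:
    """Render the self-submitting HTTP-POST binding form the SP hands to the browser."""
    saml_request = base64.b64encode(authn_request).decode("ascii")
    return (
        f'<form method="POST" action="{escape_attr(destination)}">'
        f'<input type="hidden" name="SAMLRequest" value="{escape_attr(saml_request)}"/>'
        f'<input type="hidden" name="RelayState" value="{escape_attr(relay_state)}"/>'
        "</form>"
    )


class _FormAction(HTMLParser):
    """Collect the form action the way a browser does: entity references decoded."""

    def __init__(self) -> None:
        super().__init__()
        self.action = None

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.action = dict(attrs).get("action")


def action_seen_by_browser(form_html: str) -> str:
    parser = _FormAction()
    parser.feed(form_html)
    return parser.action


def action_seen_by_naive_proxy(form_html: str) -> str:
    """A proxy that slices the raw attribute text and never decodes entity references."""
    match = re.search(r'action="([^"]*)"', form_html)
    return match.group(1) if match else ""


def is_https_destination(action: str) -> bool:
    """The kind of scheme check an intermediary might apply to the form target."""
    return action.startswith("https://")
```

The browser-side parse yields the plain `https://` URL, so the form works there; the raw-attribute view fails the same scheme check, which is the interoperability gap the report describes, while a RelayState containing quote or angle-bracket characters cannot break out of its attribute.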

Fixed

Details

Created February 5, 2009 at 10:33 PM
Updated June 23, 2009 at 12:46 PM
Resolved February 6, 2009 at 1:22 PM