saml-dev message


Subject: SAML Attribute Parsing


Hello!

I have a very specific question about SAML attribute parsing. Please see the attribute in question below:

<saml2:Attribute FriendlyName="ou" Name="urn:oid:2.5.4.11" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>First part of the string&#xD; second part of the string</saml2:AttributeValue>
</saml2:Attribute>


The situation is as follows:
- We (the SP) run shibboleth with apache and forward the request to an internal application server
- The IdP also runs shibboleth
- On our side shibboleth received the encrypted saml2 attribute with a string containing '&#xD;' and decoded it to the data as seen above
- The output we then saw in the http header of the internal application server for that string was 'First part of the string\r second part of the string' which broke the http header format, ultimately leading to a rejected request for the user.

Of course we already communicated this to the IdP and the data source has already been fixed.

However apart from this we also asked ourselves:
- Is the attribute valid as it is? Should it have been sent this way by the IdP software?
- Is this something that should have been parsed by the SP? If yes: should it have been parsed this way?

Peter Brand, who I have been communicating with, suggested that there may be some rules that could apply (e.g. https://www.w3.org/TR/xml11/#sec-common-syn and https://www.w3.org/TR/xml11/#sec-line-ends)

Thanks,
Katrin
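An added example, not from the post or from the Shibboleth project, showing what a conforming XML parser makes of the `&#xD;` character reference and a fail-closed check an SP could apply before such a value reaches an HTTP header. The sample XML is constructed from the attribute quoted above; the header policy function and its names are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample built from the attribute quoted in the post (not a real
# assertion); the namespace URI is the standard SAML 2.0 assertion namespace.
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMPLE_ATTRIBUTE = (
    '<saml2:Attribute xmlns:saml2="%s" FriendlyName="ou" Name="urn:oid:2.5.4.11" '
    'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
    '<saml2:AttributeValue>First part of the string&#xD; second part of the string'
    '</saml2:AttributeValue></saml2:Attribute>' % SAML2_NS
)


def attribute_values(xml_text):
    """Return the decoded AttributeValue strings of one saml2:Attribute.

    A conforming parser expands the character reference &#xD; to a literal
    carriage return: XML line-end normalisation applies only to raw CR bytes
    in the document, so the reference is precisely how a CR is preserved.
    """
    root = ET.fromstring(xml_text)
    return [(v.text or "") for v in root.findall("{%s}AttributeValue" % SAML2_NS)]


# CR, LF and the other C0 controls (TAB excepted) and DEL are not safe inside
# an HTTP header value: CR/LF terminates the header line.
_HEADER_UNSAFE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def header_unsafe(value):
    """True if the value cannot be placed verbatim in an HTTP header."""
    return _HEADER_UNSAFE.search(value) is not None


def to_header_value(value, policy="reject"):
    """Prepare a SAML attribute value for forwarding as an HTTP header.

    policy="reject": raise, so the request fails closed (what happened here).
    policy="strip":  replace each unsafe character with a single space.
    """
    if not header_unsafe(value):
        return value
    if policy == "reject":
        raise ValueError("attribute value contains characters unsafe for an HTTP header")
    return _HEADER_UNSAFE.sub(" ", value)


if __name__ == "__main__":
    for v in attribute_values(SAMPLE_ATTRIBUTE):
        print(repr(v), header_unsafe(v), repr(to_header_value(v, policy="strip")))
```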