
shibboleth-dev - RE: Shib Attributes in IIS?

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Shib Attributes in IIS?
  • Date: Wed, 6 Feb 2008 11:16:42 -0500
  • Organization: The Ohio State University

> The attributes I am consuming on my SP are multi-line (base64 encoded, but
> with no constraint about whitespace, so they can include newlines). With
> Apache and Shibboleth this is not an issue, but with IIS, I seem to only get
> the first line of the assertion.

I'm fairly certain that's IIS. I seem to recall that the original export
option had to strip newlines to make IIS happy (and of course that didn't
help anyway because of size). I can tell you that it is stripping whitespace
in 1.3:

    for (pos=serialized, pos2=serialized; *pos2; pos2++)
        if (isgraph(*pos2))
            *pos++=*pos2;

In general, this is not a good use of headers. They're not perfect, just
better than all the alternatives for simple data.

> I know there is a work around by using exportAssertion and querying for the
> SAML assertion, then parsing out my attribute, but that feels non-optimal.

On the contrary, it's probably what you should do if you're not prepared to
write a decoder to fix it.

> I am curious if the behavior I am seeing is correct or controllable in some
> way (perhaps an attribute decoder option to remove whitespace or more
> specifically newlines?).

Sure, have at it. Decoders aren't terribly complicated.

> I don't have a 1.3 deployment that I can test against anymore, but I don't
> recall this limitation being in the 1.3/IIS world (I know I did some testing
> in the 1.3 world regarding attribute size, but I might have done that
> testing with 0 whitespace, I don't recall).

I think you'll find it's the same.

-- Scott
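
Added example, not part of the message above and not Shibboleth code: a sketch of the normalization a custom decoder could apply to a multi-line base64 attribute value before it is exported as a single-line header. It uses the same isgraph() filter as the quoted 1.3 loop, then rejects anything left over that is not base64, so a value carrying CR/LF plus extra text never reaches a header. All function names are hypothetical and the sample value is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Shibboleth's API: compact s in place, keeping only
 * printable non-space characters (the isgraph() filter quoted above). */
size_t strip_nongraph(char *s)
{
    char *dst = s;
    for (const char *src = s; *src; src++)
        if (isgraph((unsigned char)*src))   /* cast: negative char is undefined */
            *dst++ = *src;
    *dst = '\0';
    return (size_t)(dst - s);
}

/* Returns 1 if s is padded base64 text with no other characters, else 0. */
int is_base64_text(const char *s)
{
    size_t n = strlen(s), pad = 0;
    if (n == 0 || n % 4 != 0)
        return 0;
    while (pad < 2 && s[n - 1 - pad] == '=')
        pad++;
    for (size_t i = 0; i < n - pad; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '+' && c != '/')
            return 0;
    }
    return 1;
}

/* Normalise a multi-line base64 value into a single-line header value.
 * Returns the new length, or 0 if what remains is not base64. */
size_t header_safe_base64(char *value)
{
    size_t n = strip_nongraph(value);
    return is_base64_text(value) ? n : 0;
}

int main(void)
{
    /* Constructed sample: base64 of "hello world!" wrapped over three lines. */
    char value[] = "aGVs\r\nbG8g\r\nd29ybGQh\r\n";
    size_t n = header_safe_base64(value);
    printf("%zu %s\n", n, value);
    return 0;
}
```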




