Shibboleth Developers

["Scott Cantor" <>]

> SAML POST Profile specifies UTF-8 encoded XMLs to be encoded with
> base64.

There's no requirement to use UTF-8 anywhere in SAML that I can think of.
 
> This base64 encoding causes the problem, as it does not treat
> the response xml as UTF-8.

It doesn't matter what it thinks the encoding is. Base64 operates on the 
octets and produces ASCII, which should transmit cleanly no matter what the 
container thinks the encoding is. At the other end, you get back the octets, 
and the XML parser in the SP follows the encoding specified in the XML 
declaration (or assumes UTF-8).

At least, that's my understanding of the process. If I'm wrong, it would be 
in the base64 step, I guess, but I'm pretty sure base64 is ignorant of 
character encoding of the data being encoded, for the simple reason that it 
works on binary data too.

> I probably found the root of this problem inside opensaml2.

I don't think so.

> Here, at method populateVelocityContext,
> 
>  String messageXML = XMLHelper.
>       nodeToString(
>         messageContext.getOutboundSAMLMessage().getDOM());

I would assume nodeToString runs ignorant of the container transfer encoding, 
and would probably produce UTF-8 XML by default.

>  String encodedMessage =
>       Base64.encodeBytes(
>         messageXML.getBytes(), Base64.DONT_BREAK_LINES);
> 
> I think that messageXML.getBytes() should be messageXML.getBytes("utf-8").

I don't see that it matters. XML is self-describing in a sense, and if the 
transport medium is safe (and base64 is), it shouldn't affect anything. In 
fact, this is exactly *why* we use base64. WS-Federation sticks the XML 
directly into the form, HTML-encoded, but that is extremely messy and 
vulnerable to this kind of problem.

> You are right that sysadmins should set the correct locale, but since
> SAML2 POST Profile _strictly requires_ the use of UTF-8 it should be
> better idea to enforce this inside the Java code and not on platform
> or container locales.

Where are you getting the idea that SAML 2 strictly requires UTF-8? It 
wouldn't be the first time I forgot something I wrote myself, but I don't 
recall writing that in the spec, and I don't see it in the spec now.

-- Scott