Delegated Auth with

Eric Dalquist eric.dalquist at
Thu Nov 3 17:58:03 GMT 2011

The code did work and what I'm seeing on the wire shows unescaped values 
being sent to Apache. We did a little digging into the mod_log_forensic 
source and it HTML escapes : | % in its log messages since it uses those 
for separators. So with that it would appear that these values are not 
HTML escaped within Apache.

Not sure if it helps at all but this is all we see in the shibd logs for 
the request:

2011-11-03 12:14:56 DEBUG Shibboleth.Listener [445]: dispatching message 
2011-11-03 12:14:56 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [445]: 
validating input
2011-11-03 12:14:56 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [445]: 
marshalling, deflating, base64-encoding the message
2011-11-03 12:14:56 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [445]: 
marshalled message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
ForceAuthn="1" ID="_42d46dae4a480b651303b05cb3385eb9" 
2011-11-03 12:14:56 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [445]: 
message encoded, sending redirect to client

On 11/03/2011 12:34 PM, Cantor, Scott wrote:
> On 11/3/11 1:19 PM, "Eric Dalquist"<eric.dalquist at>  wrote:
>> We turned on mod_log_forensic and see the following for the request in
>> the forensic log:
>> +22677:4eb2cc10:13|GET /secure/printenv
>> HTTP/1.1||Connection:Keep-Alive|Accept:applicatio
>> n/vnd.paos+xml|PAOS:ver="urn%3aliberty%3apaos%3a2003-08";"urn%3aoasis%3ana
>> mes%3atc%3aSAML%3a2.0%3aprofiles%3aSSO%3aecp"
> Those constants are URL encoded. That isn't allowed, if that's literally
> what it's seeing.  I could add code to be permissive of course, but it
> isn't there now, and the spec doesn't say anything about it being allowed.
> You said the code you were using worked against the SP I suggested trying,
> but it wouldn't work if the header looked like that.
>> That seems to show the PAOS header coming through as expected. Is there
>> any way to turn up logging for mod_shib and/or the SP so that it dumps
>> out what it is seeing for headers?
> It sees whatever Apache sees.
> -- Scott
> --
> To unsubscribe from this list send an email to users-unsubscribe at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7430 bytes
Desc: S/MIME Cryptographic Signature
Url : 

More information about the users mailing list