UTF8 in asserted attribute values

Andrew Morgan morgan at orst.edu
Tue Apr 1 18:51:30 EDT 2014

I am running IDP v2.3.8 with a relying party setup for Google SAML SSO. 
It has been working fine for a long time, but recently a user complained 
that he could not login to Google.  The error message returned by Google's 
ACS page is:

   Google Apps - This account cannot be accessed because the login
   credentials could not be verified.

I noticed that this user has a name with a UTF8 character (middle name 
Ünsal).  If I set that name on my test user, I get the same error message.

I am releasing "cn" to Google as part of a release-to-anyone filter 
policy.  The SAML response contains it like this:

<saml2:Attribute FriendlyName="cn" Name="urn:oid:" 
xsi:type="xs:string">Test, ECS 

Has anyone come across this before?  Is there any trick to releasing UTF-8 
encoded attributes?  Is this Google's problem?


More information about the users mailing list