UTF8 in asserted attribute values
Andrew Morgan
morgan at orst.edu
Tue Apr 1 18:51:30 EDT 2014
I am running IDP v2.3.8 with a relying party set up for Google SAML SSO.
It has been working fine for a long time, but recently a user complained
that he could not log in to Google. The error message returned by Google's
ACS page is:

Google Apps - This account cannot be accessed because the login
credentials could not be verified.

I noticed that this user has a name with a UTF8 character (middle name
Ünsal). If I set that name on my test user, I get the same error message.

I am releasing "cn" to Google as part of a release-to-anyone filter
policy. The SAML response contains it like this:

<saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xsi:type="xs:string">Test, ECS
Ünsal</saml2:AttributeValue></saml2:Attribute>

Has anyone come across this before? Is there any trick to releasing UTF-8
encoded attributes? Is this Google's problem?

Thanks,
Andy