Shibboleth SP attributes character encoding

Cantor, Scott cantor.2 at
Mon Aug 31 09:34:56 EDT 2015

On 8/31/15, 3:15 AM, "users on behalf of Robert Führicht" <users-bounces at on behalf of Robert.Fuehricht at> wrote:

>According to the SP's docs, the passed attributes are supposed to be treated as

UTF-8. Unicode is not an encoding, it's a character set.

> Tomcat does treat them as ISO-8859-1, and, apart from recompiling it,
>there seems no way to change that. As far as I can tell, it doesn't even try to use the
>request's advertised encoding. It doesn't matter if I proxy via AJP or HTTP, or
>if I pass them as headers or attributes.
>If I understood correctly, the Tomcat devs claim (see
>that the Servlet API requires the ISO encoding.

I couldn't say.

>I'm not sure how to proceed with this. Did I miss some config setting somewhere
>to make this work?

That's not really up to Shibboleth. The SP isn't involved in this once the headers are set.

>It does seem to me that either Shibboleth SP or Tomcat have to be changed to support
>this, but I don't know which should "budge".

Budge how? Encoding data to 8859-1 is not going to handle Unicode data. It would just corrupt your data earlier.

>What's your take on this?

Look for a container with a different interpretation of the spec perhaps.

Otherwise your options I guess would be to access the SAML assertion directly and re-parse it yourself, or you could possibly look at changing the AttributeDecoder type in the attribute map to the XMLAttributeDecoder type [1], which passes the data as base64. 

-- Scott


More information about the users mailing list