Shibboleth SP attributes character encoding

Cantor, Scott cantor.2 at osu.edu
Mon Aug 31 09:34:56 EDT 2015


On 8/31/15, 3:15 AM, "users on behalf of Robert Führicht" <users-bounces at shibboleth.net on behalf of Robert.Fuehricht at jku.at> wrote:

>According to the SP's docs, the passed attributes are supposed to be treated as
>Unicode.

UTF-8. Unicode is not an encoding, it's a character set.

> Tomcat does treat them as ISO-8859-1, and, apart from recompiling it,
>there seems no way to change that. As far as I can tell, it doesn't even try to use the
>request's advertised encoding. It doesn't matter if I proxy via AJP or HTTP, or
>if I pass them as headers or attributes.
>
>If I understood correctly, the Tomcat devs claim (see http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/buf/ByteChunk.java)
>that the Servlet API requires the ISO encoding.

I couldn't say.

>I'm not sure how to proceed with this. Did I miss some config setting somewhere
>to make this work?

That's not really up to Shibboleth. The SP isn't involved in this once the headers are set.

>It does seem to me that either Shibboleth SP or Tomcat have to be changed to support
>this, but I don't know which should "budge".

Budge how? Encoding data to 8859-1 is not going to handle Unicode data. It would just corrupt your data earlier.

>What's your take on this?

Look for a container with a different interpretation of the spec perhaps.

Otherwise your options I guess would be to access the SAML assertion directly and re-parse it yourself, or you could possibly look at changing the AttributeDecoder type in the attribute map to the XMLAttributeDecoder type [1], which passes the data as base64. 

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeDecoder
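
The mismatch discussed in this thread, shown as an added example that is not part of the original message and is not Shibboleth or Tomcat code: when a container has decoded UTF-8 header bytes as ISO-8859-1, the original bytes can be recovered and strictly re-decoded. The class and method names are hypothetical, and the sketch assumes the container performed a plain ISO-8859-1 decode, as described above.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

// Hypothetical helper class; not part of Shibboleth or Tomcat.
public class ShibHeaderDecode {

    // Undo an ISO-8859-1 decode of UTF-8 bytes. ISO-8859-1 maps each byte
    // 0x00-0xFF to the code point of the same value, so encoding the String
    // back to ISO-8859-1 yields the original bytes exactly.
    static String recoverUtf8(String containerValue) throws CharacterCodingException {
        // REPORT: a char above U+00FF means the value was not decoded as
        // ISO-8859-1, so fail instead of silently writing '?'.
        ByteBuffer raw = StandardCharsets.ISO_8859_1.newEncoder()
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .encode(CharBuffer.wrap(containerValue));
        // REPORT: malformed UTF-8 is rejected rather than replaced by U+FFFD,
        // so a corrupted identity attribute never reaches authorization code.
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(raw)
                .toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the UTF-8 bytes of a name containing U+00FC.
        String original = "F\u00fchricht";
        byte[] wire = original.getBytes(StandardCharsets.UTF_8);

        // What the application receives after the ISO-8859-1 decode.
        String seen = new String(wire, StandardCharsets.ISO_8859_1);
        System.out.println("as seen:   " + seen);
        System.out.println("recovered: " + recoverUtf8(seen));
        System.out.println("round trip ok: " + original.equals(recoverUtf8(seen)));

        // Constructed malformed input: a lone 0xFC byte is not valid UTF-8.
        String bad = new String(new byte[] {'F', (byte) 0xFC, 'h'}, StandardCharsets.ISO_8859_1);
        try {
            recoverUtf8(bad);
        } catch (CharacterCodingException e) {
            System.out.println("rejected malformed value: " + e);
        }
    }
}
```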

