SAML Response Destination gets "URL encoded" on IDP 2.x
cantor.2 at osu.edu
Wed Apr 20 12:38:08 EDT 2016
I looked at the two code bases. They're vastly different. V3 pulls the location URL directly from metadata or the request and eventually wraps it in a java.net.URI that it converts back to a String. That's apparently fairly non-invasive even if the original URL isn't safe. I would imagine the only real reason to even do the conversion at all is to enforce the schemes allowed without us implementing any URL parsing, which I'm all for.
The old code base does a pretty aggressive conversion of the original URL into a java.net.URL, then pulls all the individual pieces out one by one (including the query parameters) inside a URLBuilder custom class, and then reconstructs the whole thing. There's no chance a dangling unencoded equals sign would survive that.
The V2 code was very clearly not warranted, but that's water under the bridge since it was thrown out.
TL;DR, the original URL requested is not correct and there's no way you'd get V2 to handle it short of major code surgery or a local patch.
More information about the users