in base 64 in IDP 3.4.0 responses
Sam Buchanan
sam.buchanan at gmail.com
Thu Jul 5 10:45:47 EDT 2018
I've been testing IDP 3.4.0 snapshots, and I'm finding that parts of the
signature and encrypted data in the response include XML-encoded carriage
returns. It seems not unlike an issue addressed a few years ago
https://issues.shibboleth.net/jira/browse/JSPT-50 but in a different area
of the XML. I work with at least one SP that will break on this if it remains in
3.4. Is there something I can do to prevent the XML-encoded carriage returns
(`&#13;`) from being generated? I'm
unfamiliar with the codebase and haven't yet tracked down where they're
introduced.
Sorry if this should go to another list. I can't tell which list is best for
questions about unreleased versions.
SAML response example, with some "..." abbreviations:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
Destination="
http://localtest:8888/simplesaml/module.php/saml/sp/saml2-acs.php/qa-idp"
ID="_b9f88857a65dfde9454786e4e6887565"
InResponseTo="_43d571f998bbd934ee064bba29ef63469eb93e3d9d"
IssueInstant="2018-07-04T15:40:47.907Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
https://signonqa.domain/idp/shibboleth</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
"/>
<ds:Reference
URI="#_b9f88857a65dfde9454786e4e6887565">
<ds:Transforms>
<ds:Transform
Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>/1TFvcwSkf1eyzTFnEJeDL1onQdXHloyiuFspKiCP7I=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
OGIPYFwFcSlrcRb9DDmUdnZZME4y0sMpLUmioXt5vrCUk1vg0XVUzSXRvvePl8yyy/KaNkH8XI1l
wZyTSYe20XwLd3+LN8h59iNC791/qEg7yT+FhiH00xxg5lOBdwrhoWPZilgB4RhcpEhRYaENeCt5
qCJd2e5m/Uf/CMC4XK93mqvqQDhpeKqsWjAw3rKPaA6qIfZjb8vQLPpJeRnPAgh7NCXWmYIT4EMe
PJD0WP3W/Yxjy9ParsmzEDAb1bpYuS/Z0IEiIYSN0LncQplJDredu/qAufe/unh5sMXr8Vzbm/+7
aJdMNfId46GP777KX5BJYq8apN/3+OmONNORbA==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDNzCCAh+gAwIBAgIUZGP9KZJycCCasgIn1by4rR44RvowDQYJKoZIhvcNAQELBQAwHjEcMBoG
A1UEAwwTc2lnbm9ucWEubW5zdGF0ZS51czAeFw0xNzEyMTgwMzI1NTBaFw0zNzEyMTgwMzI1NTBa
MB4xHDAaBgNVBAMME3NpZ25vbnFhLm1uc3RhdGUudXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
...
TYRZQNwMYgL3R03DhRiFze7fgwmltF/Xnl8MSH03Ddl96YosK8c7k3IHmaMaWKxrpeoKMvVqiTWk
Mq2Y9ahrTuDTNmVunaZcYamkHV8JjZdna3tOrvItlm1OAD+ClZAatve++gwShQ1GsBTD5coTnqOb
sKW3Ss2FNS5N7dryjpNUkzerrFb9e9jpHNGn42Wl62s0+NHGX3rQ0EcK9thsb4Ok4Na/EP+UpozZ
0xmDmsHxwI4nE9iFdf3x0iKnTwp0S8/AC+AlnEw=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:EncryptedAssertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Id="_61631a441c457e33be9fa75f449f24bb"
Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="
http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey
Id="_25197ef48d4df756d4928d53a2a5fb30"
Recipient="
http://localtest:8888/simplesaml/module.php/saml/sp/metadata.php/qa-idp"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod
Algorithm="
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="
http://www.w3.org/2001/04/xmlenc#">
<ds:DigestMethod
Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"/>
</xenc:EncryptionMethod>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIID8DCCAtigAwIBAgIJAIahUxslYqbbMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNVBAYTAlVTMRIw
EAYDVQQIEwlNaW5uZXNvdGExEzARBgNVBAcTClNhaW50IFBhdWwxDzANBgNVBAoTBkpvYmxvZzEP
...
6zB2dsPglueHbD1kvhqvSKCUtgcCJIauYLaIEzY3Y/0e+mw6IBpXFMiayQ==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="
http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>Lwv1flvfJNXx0rR2OmqHHeTb7tLhGMkS7oqESruJtiVSzBHWcw5ME/OM8YqZLCpfu89KmgtzYQ47
eltlAvPImhDLhHuTs3920RdNkOIT/gLF3Wp3KWcP30qNgpmDUW2P3dZGV+cKoZsp6mCl1mT7zzq9
8YvU5Ljlie1CPlVKDufFD7gOr1QXuWiPwNxw6QTFBuisZmKZYi+dxMLDi0zerL3SJ/J+6FnMtIvk
D6K1DZztVr9PtoLecQ8ZbJ1vgbpxg7rqUX0A7YPGRps/PRTehOBDUDmMyaHLJoA5onCqAAUoCKlv
hHckJPt9dm/RXvQRjjjcdv6un5wlLNYdQWMpFA==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>Hbblx/phsxSe9uWeIkNSIAH0QJBubGp/Rv5Afd3lyKUCm1wOpfapixtmorWse9Sz1bXTiU+gkWBh
rGwiX+oF3K44MLmj3DTxKjGZEz9sQIdEwTuiRxa8823iefW4xKsYwLv2d5txnijqVF6u+7FY1KJz
4IJKW5uGYH1PbQAYfo7sEu99JBXTSkAuZpVQuix/xmdekIe+TfNv/crKYPjbcd3egDp/IHbu8sbn
Bn+R0OUaL+KVOsAMsAEipaR+OnSfRIJoRraMyp/XmC8W3L53tGIay10+Z46KAFoZdE6OlCb+mMyp
CGIZh4SFicOLaCZdQ7uvjr2RRNwvn4lUTcagdrgwMRqxFDSeqW3miOHIQVYK/yyELhHE+RhBCAOe
...
eFUKR8nIaJwnEC8x+V2ax43v2tKUlXiAV1KeNUTLwA6kNycokgcx9nCeu8WYSxUzDepHBn/wWJxy
E7PfkQhQln9MT1ZdcsQnXND2xHckNtJqEUBDrVF5naYljPg1pmL5d6uJa/UHGC85Z0l3ixUx8Fip
AFqqqbM=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml2:EncryptedAssertion>
</saml2p:Response>