mod_shib chokes UTF8 character

Luo, Pan pan.luo at ubc.ca
Mon Jun 28 18:42:39 UTC 2021 

Hi Peter,

 I guess we would havenoticed decades ago. ;)
That's what I thought too.

Unfortunately, we don't have control of IdP. It is a third party service: https://support.arlo.co/hc/en-gb/articles/360037740232-Single-sign-on-SSO-and-SAML

I have the SP debug turned on and decrypted SAML looks fine including the UTF-8 character in the console. If you search "Lee" in the log (https://pastebin.com/Vx5jf6Py), you can see it does include the character. However, when the attribute is passed to mod_shib, it choked. The error log I included in my previous email was from apache.

I'm wondering if it is has something to do with apache config or runtime? Or even mod_shib compile environment?

Cheers,
Pan

On 26 Jun 2021, at 04:20, Peter Schober <peter.schober at univie.ac.at<mailto:peter.schober at univie.ac.at>> wrote:

[CAUTION: Non-UBC Email]

* Luo, Pan <pan.luo at ubc.ca<mailto:pan.luo at ubc.ca>> [2021-06-26 02:39]:
We have a user whose name includes an UTF8 character (O’Brien). The
character "’" chokes mod_shib when parsing the attribute.

It's not that general of a problem -- if the SP wouldn't support UTF-8
(which is also what the standard mandates, IIRC) I guess we would have
noticed decades ago. ;)
FWIW, I have not had any such problems including when testing with
names like "ρεťẹя ŜçҺởьəŗ" (generated by Dick Visser's great -- but
now seemingly defunct -- "UTF-8 Generator"[1]). The SP processes these
just fine.

"We have a user" suggests you also control the IDP -- what's the IDP
implementaction? Can you turn up the SP's logging to include the
decrypted SAML assertion? Can you disable encryption for this SP at
the IDP and check the SAML during transit in the browser (using
SAMLTracer)? Does the problem occur at all your SPs or only this one?

-peter

[1] https://www.tienhuis.nl/utf8-generator
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20210628/1ccd2020/attachment.htm>

More information about the users mailing list