Problems when single sign-on service URL contains XML entities


I think I have found a bug while trying to configure mod_auth_saml to
authenticate against an identity provider whose SSO service URL contains
several query parameters separated by ampersands. The metadata I have got
for the IdP contains a line similar to this:

Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="

I think it is correct that the ampersands in the URL are encoded using the
&amp; entity to ensure that the XML is valid. However, mod_auth_saml is
redirecting the browser to that URL exactly as written, without
substituting & for &amp;, which is an invalid URL.

I am going to have a go at patching the code to work around this, but I
wanted to shout out first in case anyone has any pointers for me. For
example, is there already something within ZXID which can decode XML
entities? I couldn't see anything at first glance.

Also, should I decode the entities when reading the XML string into the
zx_elem_s structure? Or when reading out of it and forming the Location
HTTP request parameter? I would have said the first option, but there is a
possibility that this will cause problems when the same URL is embedded
into the SAMLRequest parameter - if the metadata is re-created from the
zx_elem_s structure, I will have to re-encode the entities at that point,
which will be more work.

Any advice would be appreciated.
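Added example (not code from the poster, ZXID or mod_auth_saml): a small C decoder for the entity references that may appear in an XML attribute value such as the SSO Location, applied to a constructed metadata value. The function name and the sample URL are hypothetical; decoding should happen exactly once, at the point where the attribute value leaves its XML representation, so that a value re-serialised into XML is encoded again rather than decoded twice.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Decode the five predefined XML entities plus ASCII-range numeric character
 * references (&#38; / &#x26;) in an attribute value such as the SSO Location.
 * Malformed references are copied through literally, so nothing is dropped.
 * out needs strlen(in)+1 bytes; returns the decoded length.
 * Hypothetical helper for illustration, not a ZXID or mod_auth_saml API. */
size_t decode_xml_attr_entities(const char *in, char *out)
{
    static const struct { const char *name; char ch; } ents[] = {
        { "amp;", '&' }, { "lt;", '<' }, { "gt;", '>' }, { "quot;", '"' }, { "apos;", '\'' }
    };
    const size_t nents = sizeof ents / sizeof ents[0];
    size_t o = 0, i;
    while (*in) {
        if (*in != '&') { out[o++] = *in++; continue; }
        const char *p = in + 1;                       /* text after the '&' */
        for (i = 0; i < nents; i++) {
            size_t n = strlen(ents[i].name);
            if (strncmp(p, ents[i].name, n) == 0) { out[o++] = ents[i].ch; in = p + n; break; }
        }
        if (i < nents) continue;
        if (*p == '#') {                              /* numeric reference */
            int hex = (p[1] == 'x' || p[1] == 'X');
            const char *digits = hex ? p + 2 : p + 1;
            int ok = hex ? isxdigit((unsigned char)*digits) : isdigit((unsigned char)*digits);
            if (ok) {
                char *end;
                long cp = strtol(digits, &end, hex ? 16 : 10);
                if (*end == ';' && cp > 0 && cp < 128) { out[o++] = (char)cp; in = end + 1; continue; }
            }
        }
        out[o++] = *in++;                             /* not a reference: keep the '&' */
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed Location value as it would appear in the IdP metadata. */
    const char *loc = "https://idp.example.org/sso?tenant=abc&amp;realm=x&amp;v=2";
    char url[256];
    decode_xml_attr_entities(loc, url);
    printf("attribute: %s\nredirect:  %s\n", loc, url);
    return 0;
}
```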