
Problems when single sign-on service URL contains XML entities

Hi,

I think I have found a bug while trying to configure mod_auth_saml to
authenticate against an identity provider whose SSO service URL contains
several query parameters separated by ampersands. The metadata I have got
for the IdP contains a line similar to this:

<md:SingleSignOnService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://aok.arcot.com/capps/auth_entry_point.htm?appId=xxxxx&amp;appType=yyyyyy&amp;StartURL=https://zzz.com"/>

I think it is correct that the ampersands in the URL are encoded using the
&amp; entity to ensure that the XML is valid. However, mod_auth_saml is
redirecting the browser to that URL exactly as written, without
substituting & for &amp;, which is an invalid URL.

I am going to have a go at patching the code to work around this, but I
wanted to shout out first in case anyone has any pointers for me. For
example, is there already something within ZXID which can decode XML
entities? I couldn't see anything at first glance.

Also, should I decode the entities when reading the XML string into the
zx_elem_s structure? Or when reading out of it and forming the Location
HTTP request parameter? I would have said the first option, but there is a
possibility that this will cause problems when the same URL is embedded
into the SAMLRequest parameter - if the metadata is re-created from the
zx_elem_s structure, I will have to re-encode the entities at that point,
which will be more work.

Any advice would be appreciated.

Thanks,
Chris
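Added example, not ZXID or mod_auth_saml code: the two halves of the handling the post asks about, in C. `xml_unescape` decodes the five predefined XML entities plus numeric character references (the form an attribute value like the `Location` above arrives in), and `xml_escape` re-encodes a decoded value for writing back into XML (the re-creation of metadata or the embedding of the URL in a SAMLRequest mentioned in the post). The function names, the choice to decode once at parse time and escape once at serialisation time, and the sample `Location` string are assumptions of this example. Unknown or malformed references make the decoder fail rather than pass the bytes through, so broken metadata is caught at load time instead of surfacing as an odd redirect target.

```c
/* Added example (not ZXID / mod_auth_saml code): XML attribute value
 * decoding and re-escaping for a SAML SingleSignOnService Location.
 * Assumption: decode when the metadata is parsed into the element tree,
 * escape again only when a value is serialised back into XML. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode code point cp as UTF-8 into out (at most 4 bytes); return byte count. */
static size_t put_utf8(unsigned long cp, char *out)
{
    if (cp < 0x80)    { out[0] = (char)cp; return 1; }
    if (cp < 0x800)   { out[0] = (char)(0xC0 | (cp >> 6));
                        out[1] = (char)(0x80 | (cp & 0x3F)); return 2; }
    if (cp < 0x10000) { out[0] = (char)(0xE0 | (cp >> 12));
                        out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
                        out[2] = (char)(0x80 | (cp & 0x3F)); return 3; }
    out[0] = (char)(0xF0 | (cp >> 18));        out[1] = (char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (char)(0x80 | ((cp >> 6) & 0x3F)); out[3] = (char)(0x80 | (cp & 0x3F));
    return 4;
}

/* Decode &amp; &lt; &gt; &quot; &apos; and &#NN; / &#xHH; references.
 * Returns a malloc'd string, or NULL if a reference is unknown or malformed
 * (including a bare '&'), so bad metadata fails loudly at load time. */
char *xml_unescape(const char *in)
{
    static const struct { const char *name; char ch; } ents[] = {
        {"amp;", '&'}, {"lt;", '<'}, {"gt;", '>'}, {"quot;", '"'}, {"apos;", '\''}
    };
    size_t n = strlen(in), o = 0;
    char *out = malloc(n + 1);          /* decoding never lengthens the string */
    if (!out) return NULL;
    for (size_t i = 0; i < n; ) {
        if (in[i] != '&') { out[o++] = in[i++]; continue; }
        const char *p = in + i + 1;     /* text after the '&' */
        int matched = 0;
        for (size_t k = 0; k < sizeof ents / sizeof ents[0]; k++) {
            size_t len = strlen(ents[k].name);
            if (strncmp(p, ents[k].name, len) == 0) {
                out[o++] = ents[k].ch; i += 1 + len; matched = 1; break;
            }
        }
        if (matched) continue;
        if (*p == '#') {                /* numeric character reference */
            int hex = (p[1] == 'x' || p[1] == 'X');
            const char *start = hex ? p + 2 : p + 1;
            char *end;
            if (!isxdigit((unsigned char)*start)) { free(out); return NULL; }
            unsigned long cp = strtoul(start, &end, hex ? 16 : 10);
            if (*end != ';' || cp == 0 || cp > 0x10FFFF) { free(out); return NULL; }
            o += put_utf8(cp, out + o);
            i = (size_t)(end - in) + 1; /* skip past the ';' */
            continue;
        }
        free(out);                      /* bare '&' or unknown named entity */
        return NULL;
    }
    out[o] = '\0';
    return out;
}

/* Escape a decoded value for embedding in XML text or an attribute.
 * Returns a malloc'd string. */
char *xml_escape(const char *in)
{
    size_t n = strlen(in), o = 0;
    char *out = malloc(n * 6 + 1);      /* worst case: every char -> "&quot;" */
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        const char *rep = NULL;
        switch (in[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(out + o, rep, l); o += l; }
        else out[o++] = in[i];
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample modelled on the Location attribute in the post. */
    const char *loc = "https://aok.arcot.com/capps/auth_entry_point.htm"
                      "?appId=xxxxx&amp;appType=yyyyyy&amp;StartURL=https://zzz.com";
    char *url = xml_unescape(loc);      /* value to put in the HTTP redirect */
    char *back = url ? xml_escape(url) : NULL; /* value to write back into XML */
    printf("redirect : %s\nserialised: %s\n", url ? url : "(invalid)", back ? back : "(n/a)");
    free(url); free(back);
    return 0;
}
```

The decoder is deliberately strict: in an attribute value a lone `&` is not well-formed XML, so rejecting it (instead of guessing) means a typo in the IdP metadata is reported when the file is loaded rather than discovered as a broken login redirect.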