
I'm setting up a service to be a SAML2.0 Service Provider (SP). As such, I need to generate SAML Requests and I need to accept SAML Responses. SAML Responses (with IDP initiated assertions) may come without request. This is just the world of SSO and SAML, and I have this much working.

My sense is that SAML Requests or Responses may or may not be deflated. It seems to be good practice for a SP to deflate SAML Requests.

Requests and Responses are also Base 64 Encoded. But here lies my question. Let us say that I get a SAML Response. It is Base 64 Encoded. When I decode that, I get a byte array. Assuming that this is NOT deflated, I now need to get a string out of that byte array in order to treat it as XML.

What encoding should I assume for that string?

So, in the C#/.NET/MVC world:

    using System;
    using System.Text;
    using System.Web.Mvc;

    public class SamlController : Controller
    {
        public ActionResult ConsumeSamlAssertion(string samlResponse)
        {
            if (string.IsNullOrWhiteSpace(samlResponse))
            {
                return Content("Consumption URL hit without a SAML Response");
            }

            // MVC already gives me this URL-decoded

            byte[] bytes = Convert.FromBase64String(samlResponse);

            // For this question, assume that this is not deflated.

            string samlXmlIfAscii = Encoding.ASCII.GetString(bytes);
            string samlXmlIfUtf8 = Encoding.UTF8.GetString(bytes);

            // Which is correct?  Or is there a different one?
            // Placeholder return so the action compiles.
            return Content(samlXmlIfUtf8, "text/xml");
        }
    }

Is this in some standard I have missed (which isn't for want of looking)?

Many thanks.

Stephan G

2 Answers


I can't find anything authoritative in the SAML2 specification on what encoding to use. I've used UTF8 and it works.

Regarding the deflate step - that depends on the binding. In the redirect binding, where the message is passed in the query string, it is deflated. In the POST binding, where it is passed as a form field, it is not deflated.

Also I'd suggest that you look at existing SAML2 stacks for .NET instead of rolling your own. It's a lot of work doing SAML2 right, and it's easy to get security issues such as XML signature wrapping.

Anders Abel
    Hey Anders, thanks! Curious about the .NET stacks. The only one I've looked at in any detail is Component Space. It seems to give the option of using SAML to do everything including brush my teeth, which is great. It's a bit pricey, which isn't the end of the world, although it seems like I want SAML for just one little tiny thing. Mostly though, looking at the doc, it seems like simply the configuration for their dll is itself complicated and maybe overkill. Do you have other suggestions? Appreciate the frank answer. – Stephan G Apr 18 '16 at 14:08
  • I'm the author/maintainer of github.com/KentorIT/authservices so that's the .NET SAML2 lib I know best (and of course the one I think is best ;-) – Anders Abel Apr 19 '16 at 07:33

SAML requests and responses are in XML format, so this boils down to the question of how to encode XML data. See for example: Meaning of - <?xml version="1.0" encoding="utf-8"?>

The default encoding for XML (if no preamble is present, or it does not specify an encoding) is UTF-8. Therefore, we can say that the XML specification authoritatively specifies that UTF-8 CAN be used.

Whether all SAML implementations, and the SAML specification itself, allow other encodings is unclear to me, but using UTF-8 should be safe.

Florian Winter
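As an added example (not code from the question or from either answer), here is the decode path both answers describe, written in Python rather than C# so it runs stand-alone: base64-decode, raw-inflate only for the HTTP-Redirect binding, then pick the XML encoding from the BOM or the XML declaration and fall back to UTF-8, which is what the XML specification defaults to. The sample message, the binding names and the size cap are constructed for the demo.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Response-shaped document, not a real IdP message.
SAMPLE_XML = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_constructed" Version="2.0"><samlp:Status/></samlp:Response>')

MAX_INFLATED = 1 << 20  # cap inflated size so a hostile message cannot exhaust memory


def encode_for_binding(xml_text: str, binding: str) -> str:
    """Produce the wire form for "post" or "redirect" (constructed sender side)."""
    raw = xml_text.encode("utf-8")
    if binding == "redirect":
        # HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64.
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = comp.compress(raw) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_saml_message(b64: str, binding: str) -> bytes:
    """Undo the binding-specific wrapping; returns the XML bytes, still unparsed."""
    data = base64.b64decode(b64, validate=True)
    if binding == "redirect":
        dec = zlib.decompressobj(-15)
        data = dec.decompress(data, MAX_INFLATED)
        if dec.unconsumed_tail:
            raise ValueError("inflated SAML message exceeds size limit")
    return data  # HTTP-POST binding is base64 only, never deflated


def detect_xml_encoding(data: bytes) -> str:
    """Encoding per XML 1.0 Appendix F: BOM first, then the declaration, else UTF-8."""
    if data.startswith(b"\xef\xbb\xbf"):
        return "utf-8-sig"
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "utf-16"
    m = re.match(rb'<\?xml[^>]*\sencoding=["\']([A-Za-z0-9._-]+)["\']', data)
    return m.group(1).decode("ascii") if m else "utf-8"


def saml_message_to_xml(b64: str, binding: str):
    """Return (encoding used, root element tag). Parsing is not validation:
    signature and schema checks still have to happen on the parsed document."""
    data = decode_saml_message(b64, binding)
    encoding = detect_xml_encoding(data)
    data.decode(encoding)  # fails loudly if the declared encoding is a lie
    root = ET.fromstring(data)  # expat honours the BOM/declaration itself
    return encoding, root.tag
```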