I am working with a SAML request using the HTTP-redirect binding. I read in another post that the following steps are required in order to retrieve the original content of a SAML request (SAMLRequest parameter in the URL):

  1. URL decoding
  2. Base64 decoding
  3. Inflating the content

Although those steps are quite clear to me, I can't get the SAML request in the XML format. I believe the mistake is in the third step; maybe there is more than one way to inflate bytes? This is the Java function which executes the three steps above, given the argument which is the value of the SAML parameter in the URL.

private String decodeMessage(String SAMLContent) {
        try {
            //URLDecode, Base64 and inflate data

            //URLDecode
            SAMLContent = URLDecoder.decode(SAMLContent, "UTF-8");

            //Base64 decoding
            SAMLContent = new String(Base64.getDecoder().decode(SAMLContent), "UTF-8");

            //Inflating data
            try {
                byte[] compressed = new byte[10 * SAMLContent.getBytes().length];
                Inflater i = new Inflater(true);
                i.setInput(SAMLContent.getBytes(), 0, SAMLContent.getBytes().length);
                int finalSize = i.inflate(compressed);
                //Exception is thrown here
                SAMLContent = new String(SAMLContent.getBytes(), 0, finalSize, "UTF-8");
                i.end();


            } catch (DataFormatException ex) {
                JOptionPane.showMessageDialog(null, "DFE: " + ex.getMessage());
            }

        } catch (UnsupportedEncodingException ex) {
            JOptionPane.showMessageDialog(null, "UEE: " + ex.getMessage());
        }

        return SAMLContent;

    }

If I copy and paste the output of the first step here, I can see the well-formatted XML at the bottom of the page, so at least the URL decoding works as intended. If you have any solution please let me know, thanks.

Stefano

1 Answer

This is how I do it. The flow is: detect that the request is HTTP-Redirect, base64 decode the request and then inflate it. The following links are to code that does all this on GitHub.

Receive the request

Decode the request

Inflate the XML

If you get

Incorrect header check

check this answer

and you might need to change the inflate code to:

return new String(inflatedData, 0, inflatedBytesLength, "UTF-8");
codebrane
  • Hi, I checked the links you provided, especially the last one. However, the inflating code returns me "Incorrect header check". I updated the code to show the current version, do you have any idea? Thank you – Stefano Mar 24 '20 at 17:12
  • @Stefano I've added a note about the encoding when inflating. You might need to add it. – codebrane Mar 24 '20 at 18:43
  • Thank you, but I couldn't resolve the issue. I already specify the UTF-8 every time I use the "new String" statement, and also I already declare the offset and size parameters. I really have no clue and cannot find anything around, so if you have other tips please let me know. Thanks again for now – Stefano Mar 24 '20 at 19:38
  • @Stefano you could have a look at this https://stackoverflow.com/questions/11399350/gzinflate-in-java/11401785#11401785 in case it's the wrapping. The code assumes true. You could try false instead of the value of useWrap passed in. i.e. Inflater decompresser = new Inflater(false); – codebrane Mar 24 '20 at 20:33
  • I will give it a look. Can you confirm that at least I'm following the correct procedure? After copying the value of the SAMLRequest parameter in the URL, I have to URL-decode it, base64 decode it and then inflate it? – Stefano Mar 24 '20 at 23:23
  • After trying again and again with the wrapping as true and other parameters, it now shows a new error, thrown by the inflating operation: "invalid code set length". Have you ever encountered it? I updated the code again in case you need it – Stefano Mar 26 '20 at 01:06
  • You could try seeing if it's valid SAML using the online tool https://www.samltool.com/decode.php – codebrane Mar 26 '20 at 10:06
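
The three steps from the question, as an added example that is not code from either poster or from the linked project: the Base64 output stays a byte[] until after inflation, because turning compressed binary into a String and back alters the bytes. It assumes the raw DEFLATE encoding that the SAML HTTP-Redirect binding specifies; the class name SamlRedirectDecode and the MAX_XML_BYTES cap are assumptions made for this example.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.zip.*;

public class SamlRedirectDecode {
    // Assumed cap on inflated size, so an untrusted request cannot exhaust memory.
    static final int MAX_XML_BYTES = 1 << 20;

    static String decodeMessage(String samlParam) throws Exception {
        // 1. URL decoding. Skip this if the framework already decoded the query
        //    parameter: decoding twice turns '+' into ' ' and breaks the Base64.
        String b64 = URLDecoder.decode(samlParam, "UTF-8");
        // 2. Base64 decoding. The result is compressed binary, so keep it as bytes.
        byte[] deflated = Base64.getDecoder().decode(b64);
        // 3. Inflate. nowrap = true means raw DEFLATE with no zlib header.
        Inflater inflater = new Inflater(true);
        inflater.setInput(deflated);
        ByteArrayOutputStream xml = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        try {
            while (!inflater.finished()) {
                int n = inflater.inflate(buf);
                if (n == 0 && (inflater.needsInput() || inflater.needsDictionary()))
                    throw new DataFormatException("truncated or invalid DEFLATE stream");
                xml.write(buf, 0, n);
                if (xml.size() > MAX_XML_BYTES)
                    throw new DataFormatException("inflated message exceeds size cap");
            }
        } finally {
            inflater.end();
        }
        return new String(xml.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal request, deflated, Base64 and URL encoded.
        String sample = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_constructed\"/>";
        Deflater d = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        d.setInput(sample.getBytes(StandardCharsets.UTF_8));
        d.finish();
        byte[] out = new byte[512];
        int len = d.deflate(out);
        d.end();
        String b64 = Base64.getEncoder().encodeToString(Arrays.copyOf(out, len));
        System.out.println(decodeMessage(URLEncoder.encode(b64, "UTF-8")).equals(sample));
    }
}
```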