SAML assertion on Windows not encoding data correctly compared to Linux

  • 7013266
  • 12-Sep-2013
  • 18-Sep-2013

Environment

NetIQ Access Manager 3.2
All Access Manager components running on Windows 2008 R2
NetIQ Identity Server acting as SAML2 IDP server

Situation

The Access Manager Identity (IDP) server is set up to federate with a third-party SAML2 Service Provider (SP). Most users are able to SSO without any issues; however, some seemingly random users cannot. Looking at the few users that fail, what one can see is that the attributes sent within the assertion include extended characters.

Steps to duplicate:

a) Set up a SAML relationship between the NAM IDP and a remote SP.

b) Send extended characters in the AttributeStatement or Name Identifier section of the assertion, e.g.:
   /UserAttribute[@ldap:targetAttribute="cn"] nêil
   /UserAttribute[@ldap:targetAttribute="title"] Wastêr
   /UserAttribute[@ldap:targetAttribute="mail"] nêil_cashell@netiq.com

c) View the contents of the assertion sent on Windows and on Linux.

I used the http://www.motobit.com/util/base64-decoder-encoder.asp tool to save the base64-decoded string in binary form, and then used Notepad++ to view the data as UTF-8.

- Linux shows correctly UTF-8 encoded data.
- Windows does not display the UTF-8 encoded data correctly.

Notepad++ detects the encoding as a Windows ISO format. If you view the value of the "cn" attribute in that mode it appears correctly: nêil. However, if you change the Notepad++ viewing encoding to UTF-8 (do not select "Convert to UTF-8"), you see the following undecodable character in place of the ê in nêil:

n몬
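
The following script is an added example (not part of this TID and not NetIQ code) that performs step c) without the motobit page or Notepad++: it base64-decodes an assertion and reports whether the bytes are valid UTF-8, and if they are not, which bytes are responsible and what a UTF-8 consumer would see in their place. The sample assertion is constructed from the values above and is not a real NAM assertion; modelling the Windows output as Windows-1252 (cp1252) is an assumption drawn from Notepad++ detecting a Windows encoding, since the article does not state the cause inside the IDP.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace used by SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal AttributeStatement carrying the values from the
# steps above. It is not a real NAM assertion (no Issuer, Subject, Conditions
# or Signature); it exists only to make the encoding problem reproducible.
ASSERTION_XML = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:AttributeStatement>"
    '<saml:Attribute Name="cn"><saml:AttributeValue>n\u00eail</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="title"><saml:AttributeValue>Wast\u00ear</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="mail"><saml:AttributeValue>n\u00eail_cashell@netiq.com</saml:AttributeValue></saml:Attribute>'
    "</saml:AttributeStatement>"
    "</saml:Assertion>"
)


def encode_assertion(xml_text: str, charset: str) -> str:
    """Serialise the assertion in the given charset and base64 it, as an IDP
    does before handing a SAMLResponse to the SP. charset="utf-8" models the
    Linux behaviour; charset="cp1252" is our assumption for the Windows
    behaviour (platform default code page used instead of UTF-8)."""
    return base64.b64encode(xml_text.encode(charset)).decode("ascii")


def _attribute_values(xml_text: str) -> dict:
    """Map each Attribute Name to its first AttributeValue."""
    root = ET.fromstring(xml_text)
    return {
        attr.get("Name"): attr.findtext("saml:AttributeValue", namespaces=NS)
        for attr in root.iterfind(".//saml:Attribute", NS)
    }


def inspect_assertion(b64: str) -> dict:
    """Base64-decode an assertion and report whether its bytes are valid UTF-8.

    When they are not, the report lists every byte >= 0x80 with its meaning
    under Windows-1252 (the reading Notepad++ picks when it guesses a Windows
    encoding), the attribute values decoded that way, and what a consumer that
    decodes as UTF-8 with replacement would see (U+FFFD where the ê should be)."""
    raw = base64.b64decode(b64)
    try:
        text = raw.decode("utf-8")
        return {
            "valid_utf8": True,
            "attributes": _attribute_values(text),
            "high_bytes": [],
            "utf8_replace_view": _attribute_values(text),
        }
    except UnicodeDecodeError:
        pass
    high_bytes = [
        (offset, f"0x{b:02x}", bytes([b]).decode("cp1252", errors="replace"))
        for offset, b in enumerate(raw)
        if b >= 0x80
    ]
    return {
        "valid_utf8": False,
        "attributes": _attribute_values(raw.decode("cp1252", errors="replace")),
        "high_bytes": high_bytes,
        "utf8_replace_view": _attribute_values(raw.decode("utf-8", errors="replace")),
    }


if __name__ == "__main__":
    for label, charset in (("Linux (UTF-8)", "utf-8"), ("Windows (cp1252, assumed)", "cp1252")):
        report = inspect_assertion(encode_assertion(ASSERTION_XML, charset))
        print(label, "- valid UTF-8:", report["valid_utf8"])
        print("  attributes as sent:", report["attributes"])
        print("  UTF-8 consumer sees:", report["utf8_replace_view"])
        print("  non-ASCII bytes:", report["high_bytes"])
```

To check a real capture, paste the base64 SAMLResponse value into `inspect_assertion`; a healthy Linux assertion reports `valid_utf8: True` with an empty `high_bytes` list, while the Windows symptom shows up as `valid_utf8: False` with single bytes such as `0xea` where UTF-8 would carry the two-byte sequence `0xc3 0xaa` for ê.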

Resolution

Fixed in 3.2.2 IR1