Secure Proxy Server and SiteMinder with SAML2.0 Partnership using HTTP Header redirection
With Secure Proxy Server and SiteMinder SAML2.0 Partnership using HTTP Header redirection ,SP partnership is configured with HTTP header redirection where a Static Attribute is set In the SP mapped Attribute.
A SMSAMLDATA cookie is getting generated upon assertion consumption and the Headers are generated for the mapped Attribute
The problem is with the Headers are getting encoded if it contains any special characters
Observed: The values of every header from the SMSAMLDATA cookie are urlencoded.
test_att --> http%3a%2f%2ftest%2esiteminder%2ecom
Expected: The values are not urlencoded like all other SiteMinder HTTP Headers
test_att --> http://test.siteminder.com
Why the Header is getting URL encoded ?
- The encoding is being performed on the SP side by the SAMLDataPlugin
- This is a secure coding best practice to encode the HTTP headers (and other contexts like db queries, URLs, file paths etc) that may contain sensitive or untrusted data.
- This prevents injection attacks like XSS (Cross-Site Scripting) because the characters are treated as data and not as characters that can be executed.
- The following OWASP link provides this explanation in more detail:
Conclusion --> The Encoding of headers by the SAMLDataPlugin is done on purpose to prevent XSS (Cross-Site Scripting) per OWASP recommendations .
This is performed by Design .