SAML enrollment with non-ASCII characters

Hi,

On pro 7.1.3

It looks like SAML enrollment has a bug in 7.1.3.
User logs into SAML for the first time > seafile creates the user with attribute mapping

Accented characters in the sn attribute (Prénom) are badly encoded in Seafile

I suppose it will be the case for all mapped attributes.

Regards

Hi,

Could it be related to this post ?

@lian, any idea ?

Regards

In my case, the issue was not in Seafile, but in my OIDC issuer (Lemonldap was using a wrong DB charset, so wasn’t encoding properly accents in the sessions, and was sending those wrong chars to Seafile)

Hi @dani

Good hint.

In my case, SSO sessions are well encoded on LLNG

See picture

image

But HTTP Headers passed into Apache in front of seahub are badly encoded

givenname:Pr%c3%a9nom

And SAML attribute is badly encoded too

<saml:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>Prénom</saml:AttributeValue>
</saml:Attribute>

I’ll look into LLNG to find the clue.

Regards

What charset / collation is set on the DB storing the sessions ? (is it MySQL / MariaDB ?)

Hi,

on postgres

 SHOW SERVER_ENCODING;
 server_encoding
-----------------
 UTF8
(1 ligne)

Strangely, it is

psql --list

UTF_8 for encoding
fr_utf8 for Collationnement | Type caract.

    Nom    | Propriétaire | Encodage | Collationnement | Type caract. |    Droits d'accès
-----------+--------------+----------+-----------------+--------------+-----------------------
 bucardo   | bucardo      | UTF8     | fr_FR.UTF-8     | fr_FR.UTF-8  |
 lemonldap | lemonldap    | UTF8     | fr_FR.UTF-8     | fr_FR.UTF-8  |
 postgres  | postgres     | UTF8     | fr_FR.UTF-8     | fr_FR.UTF-8  |
 template0 | postgres     | UTF8     | fr_FR.UTF-8     | fr_FR.UTF-8  | =c/postgres          +
           |              |          |                 |              | postgres=CTc/postgres
 template1 | postgres     | UTF8     | fr_FR.UTF-8     | fr_FR.UTF-8  | =c/postgres          +
           |              |          |                 |              | postgres=CTc/postgres

Hi,

LLNG is well configured to enforce UTF-8 encoding in the SAML attributes, as it is done on all SPs of the French SAML federation

Then the problem is on the application side

Looking at the Shibboleth SP session

/Shibboleth.sso/Session

**givenName** : Prénom

it is well encoded.

Then I don’t understand why Seafile gets this string

Prénom Nom

Regards

Hi

A workaround from the devs was to change this line of code (in seahub/thirdpart/shibboleth/middleware.py) from

        if nickname.strip():  # set nickname when it's not empty
            p.nickname = nickname

to

        if nickname.strip():  # set nickname when it's not empty
            # turn the string back into bytes as ISO-8859-1, then decode those bytes as UTF-8
            p.nickname = nickname.encode("iso-8859-1").decode('utf8')

This patch worked well

Users are now filled with

Prénom Nom
François Dupond

But seahub.log still logs bad encoding

[ERROR] shibboleth.middleware:144 make_profile {'contact_email': 'prenom.nom@domaine.fr', 'givenname': 'Prénom', 'surname': 'Nom'}
[ERROR] shibboleth.middleware:144 make_profile {'contact_email': 'francois.dupond@exemple.org', 'givenname': 'françois', 'surname': 'Dupond'}

The patch looks like a workaround: it will not be included in a future release, as it is language-dependent.

I wonder if the issue should not be solved earlier in the transaction, at the SP or Apache level, to encode HTTP headers into UTF-8.

I tried many options on apache vhost config, such as

#encoding
AddDefaultCharset utf-8
xml2EncDefault utf-8

With no success

I think I found an issue on the Shibboleth project (13 years ago, never solved…)
https://issues.shibboleth.net/jira/browse/SSPCPP-2

The solution is to re-encode attributes, e.g. with:

String value= request.getHeader("givenName");
value= new String( value.getBytes("ISO-8859-1"), "UTF-8");

This is what the patch does, so it’s good.

Well, if there is no generic solution to catch French accented attributes, I can do one of the following

  • add a macro in our LLNG IDP to convert accented to non-accented characters (only for this SP)
  • replace these characters in the LDAP (givenname and sn may not contain any, only displayname should [but it’s not mandatory])
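
The re-encoding step discussed in the posts above, as an added example that is not part of the thread or of Seahub's code. It assumes the attribute reaches Python as a WSGI header value (PEP 3333 has servers decode header bytes as ISO-8859-1) and, going beyond the one-line patch, returns the value unchanged when the round trip is not possible. The function names and the sample dict are constructed for illustration.

```python
# Added example (not Seahub code): undo the ISO-8859-1 decoding applied to
# UTF-8 header bytes, without raising on values that are already correct.


def repair_header_value(value: str) -> str:
    """Restore UTF-8 text that arrived as Latin-1-decoded bytes."""
    try:
        raw = value.encode("iso-8859-1")  # recover the bytes sent on the wire
    except UnicodeEncodeError:
        # Code points above U+00FF cannot come from Latin-1 decoding,
        # so the value is already proper text.
        return value
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        # Not valid UTF-8, e.g. a real Latin-1 c-cedilla (byte 0xE7): keep
        # the original instead of failing the login or mangling the name.
        return value


def repair_attributes(attrs: dict) -> dict:
    """Apply the repair to every string attribute of a profile dict."""
    return {key: repair_header_value(val) if isinstance(val, str) else val
            for key, val in attrs.items()}


def as_wsgi_would_deliver(text: str) -> str:
    """Constructed helper: simulate UTF-8 header bytes decoded as ISO-8859-1."""
    return text.encode("utf-8").decode("iso-8859-1")


if __name__ == "__main__":
    # Constructed sample shaped like the make_profile dict in the log above.
    received = {
        "contact_email": "prenom.nom@domaine.fr",
        "givenname": as_wsgi_would_deliver("Prénom"),
        "surname": as_wsgi_would_deliver("Nom"),
    }
    print("received:", received["givenname"])
    print("repaired:", repair_attributes(received)["givenname"])
```

Applying the repair once, at the point where the header is read, keeps the stored profile and the log line consistent with each other.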

Hello,

With German characters we have problems as well. We have been working with SAML2 (Shibboleth) SSO since 7.0.x and it worked fine until we upgraded to 7.1.5.
If there is an upcoming hotfix for this issue we would be glad :)

Kind regards,
