Should SAMLResponse contain extra line breaks?

Question

I have been working on a solution that retrieves SAMLResponse from third-party IdP and we simply decode that SAMLResposne with jdk Base64 decoder, However one of the cases is where we get SAMLResponse with line breaks (\n) after some characters and when we try to decode it with,

...
byte[] base64DecodedResponse = Base64.getDecoder().decode(authnResponse);
...

This authnResposne is SAMLResponse from HTTP header which has \n new line, this failed to parse in above code. I have been looking for a confirmation whether any SAMLResponse received by SPs must be in Base64 encoded format hence should never contain line breaks or it can be and SP should handle it.

Applying fix from SP side is simple, simply .replaceAll("\n","") will do the job, but is it really industry standard to EDIT the SAMLResponse?

Answer 1

For those who looking for wisdom here,

Editing SAMLResponse after it's signed is bad practice.

According to SAML documentation, SAMLResponse encoding can have either BASE 64 Content-Transfer encoding RFC-2045 or Base64 Encoding RFC-4648.

From SAML 2.0 core-doc, section 5

Profiles MAY specify alternative signature mechanisms such as S/MIME or signed Java objects that contain SAML documents. Caveats about retaining context and interoperability apply

This leads to the justification that SPs should be able to decode Standard and MiMe decoding, hence a try and catch block with Base64.getMimeDecoder() to get around this issue.

Answer 2

You probably need to use Base64.Decoder getUrlDecoder()

SAML2 is supposed to be encoded in base64url - basically Base 64 Encoding with URL and Filename Safe Alphabet https://www.rfc-editor.org/rfc/rfc4648#section-5.

getUrlDecoder also should reject embedded newlines in the base64 so it may not do you any good.

I would be interested in knowing which SAML provider you are using.