Latest Revision of SAML HTTP POST-SimpleSign Binding Spec
The latest revision of the SAML HTTP POST-SimpleSign Binding Spec is here…
Diff version: draft-sstc-saml-binding-simplesign-02-diff
The salient difference between this new rev of this spec and the prior rev (which is at “Committee Draft” maturity level and out for Public Review) is that now we sign the SAML protocol message’s raw XML representation, rather than base64 encoding it first (as we specified in the previous revs of this spec). The reason for this change is..
Experimentation shows that many web browsers alter linefeeds when submitting form controls that span multiple lines. Since base64-encoded data often wraps, it is not possible to guarantee that the values submitted will match what the original signer produced, resulting in verification failures. Using the raw XML content as a component of the octet string addresses this issue.
..which is a direct quote from the new spec revision (at line 205).
JeffH sez check it out.