Secure Proxy Server and SiteMinder with SAML2.0 Partnership using HTTP Header redirection
In a Secure Proxy Server and SiteMinder SAML 2.0 partnership that uses HTTP header redirection, the SP partnership is configured for HTTP header redirection and a static attribute is set in the SP attribute mapping.
An SMSAMLDATA cookie is generated when the assertion is consumed, and HTTP headers are generated for the mapped attribute.
The problem is that the header values are encoded when they contain any special characters.
Observed: The values of every header from the SMSAMLDATA cookie are urlencoded.
test_att --> http%3a%2f%2ftest%2eexample%2ecom
Expected: The values are not URL-encoded, like all other SiteMinder HTTP headers.
test_att --> http://test.example.com
Why is the header URL-encoded?
- The encoding is being performed on the SP side by the SAMLDataPlugin
- It is a secure coding best practice to encode HTTP headers (and other contexts such as database queries, URLs, file paths, etc.) that may contain sensitive or untrusted data.
- This prevents injection attacks such as XSS (Cross-Site Scripting), because the characters are treated as data rather than as characters that can be interpreted or executed.
- The following OWASP link provides this explanation in more detail:
https://www.owasp.org/index.php/Injection_Theory
Conclusion --> The encoding of headers by the SAMLDataPlugin is done on purpose, to prevent XSS (Cross-Site Scripting) per OWASP recommendations.
This is performed by design.
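The header values described above, as an added example that is not part of the SiteMinder product or of this article: a small Python model of the encoded form seen in the SMSAMLDATA sample (every non-alphanumeric byte percent-encoded with lowercase hex, which is an assumption inferred from the single observed value and not the plugin's documented rule), the single decode step an application behind the Secure Proxy Server should apply before using the value, and a check showing that the encoded form cannot carry a CR/LF into a header line while the raw form can. The `consume_mapped_attribute` function and the sample header dictionary are constructed for this example.

```python
import string
from urllib.parse import unquote

# Characters left untouched by the modelled encoder. ASSUMPTION: inferred from the
# one observed sample (":" "/" and "." were all encoded), so everything outside
# [A-Za-z0-9] is percent-encoded here; the real SAMLDataPlugin rule may differ.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits)


def encode_header_value(value: str) -> str:
    """Percent-encode every byte outside [A-Za-z0-9] using lowercase hex.

    Reproduces the shape of the observed value, e.g.
    'http://test.example.com' -> 'http%3a%2f%2ftest%2eexample%2ecom'.
    """
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if ch in SAFE_CHARS:
            out.append(ch)
        else:
            out.append("%%%02x" % byte)  # lowercase hex, as in the sample
    return "".join(out)


def decode_header_value(value: str) -> str:
    """Reverse the encoding once. unquote() accepts upper- or lowercase hex digits
    and leaves a value that was never encoded (other SiteMinder headers) unchanged."""
    return unquote(value)


def is_header_line_safe(value: str) -> bool:
    """True if the value contains no control characters (CR, LF, NUL, ...) that
    could terminate or extend an HTTP header line. The encoded form always passes,
    because control bytes become '%0d', '%0a', etc."""
    return all(0x20 <= ord(c) < 0x7F for c in value)


def consume_mapped_attribute(headers: dict, name: str) -> str:
    """What an application behind the Secure Proxy Server should do with a header
    that comes from the SMSAMLDATA cookie: read it, then decode exactly once.
    (Constructed helper; the header dictionary stands in for the request object.)"""
    return decode_header_value(headers[name])


if __name__ == "__main__":
    # Constructed sample: the header as the application would receive it.
    incoming = {"test_att": encode_header_value("http://test.example.com")}
    print("raw header  :", incoming["test_att"])
    print("decoded     :", consume_mapped_attribute(incoming, "test_att"))

    # A value containing CR/LF is harmless once encoded, unsafe when left raw.
    tainted = "value\r\nX-Injected: 1"
    print("encoded safe:", is_header_line_safe(encode_header_value(tainted)))
    print("raw safe    :", is_header_line_safe(tainted))
```

Decode the value once, at the point where the application reads the header; decoding a second time is harmless for this sample but would corrupt any legitimate attribute value that itself contains a literal percent sign.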