Support lowercase percent-encoded sequences for URL encoding (#20)

Co-authored-by: zogoo <[email protected]>
saml-idp · Sep 26, 2024 · ade27c3 · ade27c3
1 parent 1071d67
commit ade27c3
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/lib/saml_idp/request.rb b/lib/saml_idp/request.rb
@@ -170,7 +170,11 @@ def valid_external_signature?
         OpenSSL::Digest::SHA1
       end
 
-      cert.public_key.verify(signature_algorithm.new, raw_signature, query_request_string)
+      result = cert.public_key.verify(signature_algorithm.new, raw_signature, query_request_string)
+      # Match all percent-encoded sequences (e.g., %20, %2B) and convert them to lowercase
+      # Upper case is recommended for consistency but some services such as MS Entra Id not follows it
+      # https://datatracker.ietf.org/doc/html/rfc3986#section-2.1
+      result || cert.public_key.verify(signature_algorithm.new, raw_signature, query_request_string.gsub(/%[A-F0-9]{2}/) { |match| match.downcase })
     rescue OpenSSL::X509::CertificateError => e
       log e.message
       collect_errors(:cert_format_error)