POST data are URL encoded
When testing SAML with 2.0, I see that if the SAML Response is sent through POST, it is URL encoded, and it should not be.
With 1.9, the SAMLRequest in POST is like this:
…
With 2.0, for exactly the same SAML SP, the SAMLRequest in POST is like this:
%2BPF…ybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ%2BPC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIiBGcmllbmRseU5hbWU9InVpZCI%2BPHNhbWw6QXR0cmlidXRlVmFsdWU%2BY291ZG90PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U%2B
And we have this error:
[Fri Mar 02 19:22:43.281515 2018] [auth_mellon:debug] [pid 5393] auth_mellon_handler.c(268): [client 127.0.0.1:60994] loaded IdP "https://auth.openid.club/saml/metadata" from "/etc/apache2/mellon/idp-metadata.xml".
[Fri Mar 02 19:22:43.281553 2018] [auth_mellon:error] [pid 5393] [client 127.0.0.1:60994] Error processing authn response. Lasso error: [-409] Unsupported protocol profile
This is because the value is URL encoded, and it should not be. This should only be the case with GET.
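
A way to check a captured POST body for the symptom described in this report, as an added example that is not part of the original report or of either project's code. The function names and the sample message are constructed for illustration; the check form-decodes the body once, as the SP's web server does, and then looks for leftover percent escapes, which cannot occur in base64.

```python
import base64
import binascii
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, quote, urlencode

# Constructed stand-in for a SAML message (25 bytes, so its base64 ends in "==").
SAMPLE_XML = b'<samlp:Response ID="_x"/>'

PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def build_post_body(xml: bytes, extra_url_encode: bool) -> str:
    """Return the application/x-www-form-urlencoded body a browser would send.

    extra_url_encode=True reproduces the reported behaviour: the field value
    is percent-encoded before the browser's own form encoding is applied.
    """
    value = base64.b64encode(xml).decode("ascii")
    if extra_url_encode:
        value = quote(value, safe="")
    return urlencode({"SAMLResponse": value})


def inspect_post_body(body: str) -> Tuple[str, Optional[bytes]]:
    """Form-decode once, then classify the SAMLResponse field."""
    value = parse_qs(body, strict_parsing=True)["SAMLResponse"][0]
    if PERCENT_ESCAPE.search(value):
        # '%' is not in the base64 alphabet: the value was encoded twice.
        return "url-encoded", None
    try:
        return "base64", base64.b64decode(value, validate=True)
    except binascii.Error:
        return "invalid", None


if __name__ == "__main__":
    for flag in (False, True):
        body = build_post_body(SAMPLE_XML, extra_url_encode=flag)
        print(flag, body, inspect_post_body(body)[0])
```
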