+ else {
+ // With POST, the input string is concatenated from the decoded form controls.
+ // GET should be this way too, but I messed up the spec, sorry.
+
+ // NOTE: SimpleSign for POST means POST binding, which means we verify over the
+ // base64-decoded XML. This sucks, because we have to decode the base64 directly.
+ // Serializing the XMLObject doesn't guarantee the signature will verify (this is
+ // why XMLSignature exists, and why this isn't really "simpler").
+
+ unsigned int x;
+ pch = httpRequest->getParameter("SAMLRequest");
+ if (pch) {
+ XMLByte* decoded=Base64::decode(reinterpret_cast<const XMLByte*>(pch),&x);
+ if (!decoded) {
+ log.warn("unable to decode base64 in POST binding message");
+ return;
+ }
+ input = string("SAMLRequest=") + reinterpret_cast<const char*>(decoded);
+ XMLString::release(&decoded);
+ }
+ else {
+ pch = httpRequest->getParameter("SAMLResponse");
+ XMLByte* decoded=Base64::decode(reinterpret_cast<const XMLByte*>(pch),&x);
+ if (!decoded) {
+ log.warn("unable to decode base64 in POST binding message");
+ return;
+ }
+ input = string("SAMLResponse=") + reinterpret_cast<const char*>(decoded);
+ XMLString::release(&decoded);
+ }
+
+ pch = httpRequest->getParameter("RelayState");
+ if (pch)
+ input = input + "&RelayState=" + pch;
+ input = input + "&SigAlg=" + sigAlgorithm;
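Review bot: In the inner `else` branch the result of `getParameter("SAMLResponse")` goes straight into `Base64::decode` with no null check, while the `SAMLRequest` branch and the `RelayState` lookup both test `pch` first. A POST carrying neither parameter would hand a null pointer to the decoder unless a check outside these lines rules that out, so add `if (!pch) { log.warn("no SAMLRequest or SAMLResponse in POST binding message"); return; }` before the decode. Both branches also ignore the decoded length in `x` and build `input` from the buffer as a C string, so the string that gets verified stops at the first zero byte and relies on the decoder terminating its output. Something like `input.assign("SAMLResponse=").append(reinterpret_cast<const char*>(decoded), x);` (and the same for `SAMLRequest=`) would verify over exactly the decoded bytes. The enclosing `else` block starts before and ends after the lines shown.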