2 min read - Text Only
What is canonicalization?
Canonicalization is the process of taking multiple pieces of data and serializing it together in an unambiguous way. If any of the pieces change, then the output is also changed. This is especially useful in verifying data that can be reorganized in transit.
In practice, canonicalization is an incredibly difficult process to get right. See Duo Finds SAML Vulnerabilities Affecting Multiple Implementations (archived), where Kelby shares a vulnerability that affects multiple SAML implementations.
Do not blame the users or library authors when the same issue keeps appearing. Instead, the specification and technology is prone to misuse. So, alternatives should be considered.