Have you tried
thanks for the quick answer. I've tried to set this standalone.xml like this:
<property name="org.apache.catalina.connector.URI_ENCODING" value="UTF-8"/>
<property name="org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING" value="true"/>
and just now tried to set it as a system property on startup of jboss.
Unfortunately this did not help. I think this parameter only works for GET requests. As described in the Tomcat FAQ https://wiki.apache.org/tomcat/FAQ/CharacterEncoding#Q3 the recommended way to set the encoding of POST requests is via a filter. How such a filter looks like can be seen here:
http://www.outjected.com/blog/2012/01/18/fighting-with-jsf-request-charset-jboss-tomcat.html and it is included in Tomcat by default.
The Tomcat FAQ advises to "Disable any valves or filters that may read request parameters before your character encoding filter or jsp page has a chance to set the encoding to UTF-8.". As valves are called before filters, this makes sense and when debugging the filter, you can see that the parameters are already parsed. This works when disabling Picketlink.
PL Authenticators extend the Tomcat FormAuthenticator. The FormAuthenticator does have a setter for character Encoding.(http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java).
In the war file, in the context.xml, try setting characterEncoding="UTF-8" in the authenticator element.
I've set it in jboss-web.xml but with no effect. As far as I know this is the recommended way for JBoss 7.
I'm not so clear on how picketlink handles this internally, but from what I've seen in https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java the characterEncoding is set in the authenticate(Request, HttpServletResponse, LoginConfig) method just before accessing the parameters.
While the picketlink authenticator at https://github.com/picketlink/federation/blob/5dcd7e173a8260e14614eb6cccbb24f05e9db5af/picketlink-bindings/picketlink-tomcat-common/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator.java extends the FormAuthenticator, it does not call super.authenticate() so the parameter in FormAuthenticator is never used.
The parameters are accessed in PLs authenticate method at line 303 (to get the SAML messages).