ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
HTTP 500 on SAML2 Federation after upgrading Policy Server to R12.8
Article ID: 110150
CA Single Sign On Secure Proxy Server (SiteMinder)CA Single Sign On SOA Security Manager (SiteMinder)CA Single Sign-On
We have upgraded our Policy Servers to R12.8, and right after the upgrade we get errors on some SAML2 Federation applications where after authentication the target is returning an HTTP 500 error. As per their logs we are seeing the problem is caused by certificate errors, but no certificate was changed on both sides. On our Policy Server logs & traces everything looks correct, and we see no errors happening.
Why is this happening and how can we solve this?
Policy Server R12.8 Java JDK 1.8.0_161 x64
The problem is caused as the certificate used to sign the assertion is including carriage return characters, which are being converted when the assertion is being signed by the Policy Server:
Notice the " " being appended at the end of each line. This is causing the error on the target application as the server is not interpreting the carriage return character " " and returning the HTTP 500 error.
Xmlsec is the jar file used at Policy Server for encrypting the XML content. When the R12.8 Policy Server generates the assertion, it does not add or encodes the carriage return character, but when it signs/encrypts, the encoded carriage return character appears, and this is caused by a problem on xmlsec-2.1.0.jar version. This was not happening on your previous Policy Server version as this jar has been upgraded in R12.8: R12.52 & R12.7.2: xmlsec-1.4.3.jar R12.8: xmlsec-2.1.0.jar
In order to solve this issue you need to upgrade your Policy Server to R12.8.1 when it is available.