API Gateway version --> 9.4 CA SSO 12.8

Configured the API gateway to use Authenticate against ca sso for authentication and authorization.
The policy only fails when special characters are included in username or password 

Simplified steps to reproduce: Policy 
Set Context variables for username and password: username=A10,   password=fi&erwall
Set Context variables for creds message XML format
 

<Please see attached file for image>

<Please see attached file for image>

Release:
Component: APIGTW

Inorder for this to work with specific characters need to escape as below,
 

<Please see attached file for image>

The issue is not with the product it is an XML limitation 

I have played around with this a bit and also checked on our internal documentation. 

"Require XPath credentials" assertion has the limitations on XML 

If you test the data in any XPath tester, you would see, that the & for example will need to be escaped with amp; 

You could use the "Evaluate Regular Expression" and replace the & in the password with &amp;

https://www.freeformatter.com/xpath-tester.html

XML Input

<creds>
<username>A10</username>
<password>fi&rewall</password>
</creds>

XPath expression

/creds/password

Errors with 

Unable to perform XPath operation. The reference to entity "rewall" must end with the ';' delimiter. You most likely forgot to escape '&' into '&amp;'

Attached sample policy sample-policy.xml

The following flow

IsProtect to SSO

Set context variable username and password that contains special character “&”

Evaluate Regular Expression  fi&rewall change it to fi&amp;rewall, save to context variable password1

Set context variable “creds”

<creds>

<username>${username}</username>

<password>${password1}</password>

</creds>

XPath

/creds/username

/creds/password

$creds Authenticate Against CA Single Sign-On