strange characters in x509 certificate in SAMLResponse

Article ID: 142437

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction


We're running a Policy Server and when the user gets to a Federation
protected site, then the assertion certificate gets the characters
"&#13;" added to each line of the certificate, and as such the request
fails and the user cannot access the web site.

The certificate in the assertion looks like:

    <ds:X509Certificate>
    MIIEDjCCAvagAwIBAgIEVnkidjANBgkqhkiG9w0BAQsFADCByDELMAkGA1UEBhMCSVQxDjAMBgNV&#13;
    BAcTBUl0YWx5MTcwNQYDVQQKEy5JbnRlc2EgU2FuIFBhb2xvIC0gRE8gTk9UIFVTRSBUSElTIENF&#13;
    ...
    ...
    </ds:X509Certificate>

How can we fix this?


Environment


  Policy Server 12.8SP0 Build: 1761;


Resolution


  Upgrade the Policy Server to 12.8SP3 to solve this issue.

  Setting the JVM system property org.apache.xml.security.ignoreLineBreaks
  to true in JVMOptions.txt prevents the carriage return character "&#13;"
  from being appended to each line of the certificate.


Additional Information


Setting ignoreLineBreaks appears to be a best practice when using XML
builders and parsers for SAML assertions and signatures; many other
providers do the same.
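The following is an added example, not part of this article or of the Policy Server code, that reproduces the symptom on a constructed certificate element and shows why an SP can choke on it: the XML parser expands the "&#13;" character reference into a literal CR inside the base64 body, a decoder that only tolerates LF wrapping rejects it, while a consumer that strips all whitespace before decoding still recovers the DER. The DER bytes and the two decoder behaviours are constructed stand-ins, not taken from any product.

```python
import base64
import re
from typing import Optional
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for a DER-encoded certificate: an ASN.1 SEQUENCE
# wrapping a 100-byte OCTET STRING. Not a real X.509 certificate, but like
# one it is a DER SEQUENCE (first byte 0x30) and long enough for its
# base64 form to span more than one 76-column line.
FAKE_DER = bytes([0x30, 0x66, 0x04, 0x64]) + bytes(100)


def build_cert_element(der: bytes, line_ending: str) -> str:
    """Serialize der as <ds:X509Certificate>, base64 wrapped at 76 columns
    with line_ending between lines. "&#13;\\n" reproduces the article's
    symptom; "\\n" is what ignoreLineBreaks-style output looks like."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 76] for i in range(0, len(b64), 76)]
    return (f'<ds:X509Certificate xmlns:ds="{DS_NS}">\n'
            f"{line_ending.join(lines)}\n</ds:X509Certificate>")


def cert_text(xml_doc: str) -> str:
    """Text of the first ds:X509Certificate. The parser keeps a &#13;
    reference as a literal CR; a raw CR LF would have become LF."""
    for el in ET.fromstring(xml_doc).iter(f"{{{DS_NS}}}X509Certificate"):
        return el.text or ""
    raise ValueError("no ds:X509Certificate element found")


def has_stray_cr(text: str) -> bool:
    """Diagnostic for captured assertions: is the bug's CR present?"""
    return "\r" in text


def decode_lf_wrapped(text: str) -> Optional[bytes]:
    """Assumed model of a strict SP decoder: accepts LF wrapping and
    nothing else, so the CR left behind by &#13; makes it fail."""
    try:
        return base64.b64decode("".join(text.split("\n")), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def decode_tolerant(text: str) -> Optional[bytes]:
    """Robust consumer: strip all whitespace, decode strictly, and check
    the result is a DER SEQUENCE as any X.509 certificate must be."""
    der = base64.b64decode(re.sub(r"\s+", "", text), validate=True)
    return der if der[:1] == b"\x30" else None
```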

  Why we are setting ignoreLineBreaks to true by default

    "org.apache.xml.security.ignoreLineBreaks" = true makes XMLUtils not
    build XML with line breaks, but it does not affect the verification
    process.

    Most Java SAML implementations use it:

    opensaml
    apache/wss4j
    eidas
    seam/security
    apache/camel

  https://github.com/onelogin/java-saml/issues/213

  SAML2 federation and WS-Federation fail due to presence of &#13 characters in signature and certificate blocks in AM 6.x

    The purpose of this article is to provide assistance if federation
    (SAML2 and WS-Federation) fails because the Service Provider (SP)
    cannot parse the signature or certificate generated by the Identity
    Provider (IdP) when AM is the IdP. The SP cannot parse the assertion
    because of the presence of XML-encoded carriage return characters
    (&#13;) at the end of lines.

    This issue can be resolved as follows, depending on which version you are currently on:

    Set the org.apache.xml.security.ignoreLineBreaks property to true.

  https://backstage.forgerock.com/knowledge/kb/article/a59018067