
strange characters in x509 certificate in SAMLResponse


Article ID: 142437




CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER



We're running a Policy Server and when the user gets to a Federation
protected site, then the assertion certificate gets the characters
"&#13;" added to each line of the certificate, and as such the request
fails and the user cannot access the web site.

The certificate in the assertion looks like:


How can we fix this?




  Policy Server 12.8SP0 Build: 1761;




  Upgrade the Policy Server to 12.8SP3 to solve this issue. set to true in the
  JVMOptions.txt prevents the addition of that carriage return "&#13;"
  character at the end of the certificate lines.
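
To confirm whether a captured response is affected, before and after the Policy Server change, the script below counts carriage returns in the ds:SignatureValue and ds:X509Certificate elements. It is an added example, not Broadcom or SiteMinder code; the function names are hypothetical, the sample response is constructed with placeholder base64 strings, and the input is assumed to be the base64 value of the SAMLResponse form field (HTTP POST binding).

```python
import base64
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Base64 elements that the IdP's XML signature code line-wraps.
WRAPPED = ("SignatureValue", "X509Certificate")
# Carriage return written as a character reference: &#13; or &#xD;
CR_REF = re.compile(r"&#(?:0*13|x0*[dD]);")


def scan_saml_response(b64_response):
    """Report carriage returns in the signature blocks of a captured SAMLResponse."""
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes:
        # SAML messages carry no DTD; refuse rather than expand entities.
        raise ValueError("DOCTYPE not allowed in a SAML message")
    root = ET.fromstring(xml_bytes)
    elements = []
    for name in WRAPPED:
        for el in root.iter("{%s}%s" % (DS_NS, name)):
            # The parser turns &#13; into a real CR. A literal CR would have
            # been normalized to LF, so a CR here came from a reference.
            text = el.text or ""
            elements.append({"element": name, "cr_count": text.count("\r")})
    raw_refs = len(CR_REF.findall(xml_bytes.decode("utf-8", "replace")))
    affected = any(e["cr_count"] for e in elements)
    return {"raw_refs": raw_refs, "elements": elements, "affected": affected}


def build_sample(line_end):
    """Constructed response; the base64 strings are placeholders, not real keys."""
    sig = line_end.join(["Q29uc3RydWN0ZWQ=", "U2lnbmF0dXJl"])
    cert = line_end.join(["Q29uc3RydWN0ZWQ=", "Q2VydGlmaWNhdGU=", "U2FtcGxl"])
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="%s"><ds:Signature><ds:SignatureValue>%s</ds:SignatureValue>'
        "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
    ) % (DS_NS, sig, cert)
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for label, eol in (("with &#13;", "&#13;\n"), ("clean", "\n")):
        print(label, scan_saml_response(build_sample(eol)))
```

The script only reports; it does not rewrite the response, because the signed content has to be corrected where it is generated.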


Additional Information


Adding ignoreLineBreaks seems to be a best practice when using
XML builders and parsers for SAML assertions and signatures. Many other
providers do the same.

  Why we are setting ignoreLineBreaks to true by default

    "" = true will make that
    XMLUtils don't build XML with linebreaks, but it does not affect the
    verification process.

    Most of Java SAML implementations use it:


  SAML2 federation and WS-Federation fail due to presence of &#13 characters in signature and certificate blocks in AM 6.x

    The purpose of this article is to provide assistance if federation
    (SAML2 and WS-Federation) fails because the Service Provider (SP)
    cannot parse the signature or certificate generated by the Identity
    Provider (IdP) when AM is the IdP. The SP cannot parse the assertion
    because of the presence of XML encoded carriage return characters
    (&#13) at the end of lines.

    This issue can be resolved as follows depending on which version you are currently on:

    Set the property to true.