We're running a Policy Server and when the user gets to a Federation
protected site, the assertion certificate gets the characters "&#13;"
added to each line of the certificate, and as such the request
fails and the user cannot access the web site.
The certificate in the assertion looks like:
<ds:X509Certificate>
MIIEDjCCAvagAwIBAgIEVnkidjANBgkqhkiG9w0BAQsFADCByDELMAkGA1UEBhMCSVQxDjAMBgNV
BAcTBUl0YWx5MTcwNQYDVQQKEy5JbnRlc2EgU2FuIFBhb2xvIC0gRE8gTk9UIFVTRSBUSElTIENF
...
...
</ds:X509Certificate>
How can we fix this?
Policy Server 12.8SP0 Build: 1761;
Upgrade the Policy Server to 12.8SP3 to solve this issue.
Setting org.apache.xml.security.ignoreLineBreaks to true in
JVMOptions.txt prevents the addition of the XML-encoded carriage return
"&#13;" at the end of each certificate line.
Setting ignoreLineBreaks appears to be a best practice when using XML
builders and parsers for SAML assertions and signatures; many other
providers do the same.
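To confirm that an assertion is affected before changing JVMOptions.txt, the following Python check (added here; it is not part of the KB article or of the Policy Server product) parses a constructed sample assertion, flags the ds:SignatureValue and ds:X509Certificate blocks that contain the XML-encoded carriage return, and shows that a strict Base64 decoder rejects them while stripping the whitespace recovers the bytes. The sample assertion and its dummy Base64 payload are constructed, not captured from a real IdP.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
BASE64_TAGS = ("SignatureValue", "X509Certificate")

# Constructed sample, not a captured assertion: each Base64 line ends in the
# XML-encoded carriage return (&#13;) the KB describes. The payload is dummy bytes.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:Signature>'
    '<ds:SignatureValue>AQID&#13;\nBAUG&#13;\n</ds:SignatureValue>'
    '<ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>AQID&#13;\nBAUG&#13;\n</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo>'
    '</ds:Signature></saml:Assertion>'
)

def base64_blocks(xml_text):
    """Map ds:SignatureValue / ds:X509Certificate names to their text content."""
    root = ET.fromstring(xml_text)
    return {tag: (el.text or "") for tag in BASE64_TAGS for el in root.iter(DS + tag)}

def blocks_with_cr(xml_text):
    """Names of Base64 blocks containing a carriage return. The XML parser turns
    &#13; into a CR character, so an IdP emitting the encoded form is caught here."""
    return sorted(tag for tag, text in base64_blocks(xml_text).items() if "\r" in text)

def decode_strict(text):
    """Decode as a strict parser would: any character outside the Base64
    alphabet, CR included, is rejected. Returns None instead of raising."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None

def decode_lenient(text):
    """Strip all whitespace first; this recovers the bytes the IdP embedded and
    shows the Base64 payload itself is intact."""
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)

def diagnose(xml_text):
    """Per block: CR present, strict decode result, byte length after cleanup."""
    return {tag: {"has_cr": "\r" in text,
                  "strict_ok": decode_strict(text) is not None,
                  "lenient_bytes": len(decode_lenient(text))}
            for tag, text in base64_blocks(xml_text).items()}
```

Run diagnose() over an assertion captured from the IdP (for example from a SAML tracer); a block reporting has_cr True and strict_ok False is the symptom the fix above removes.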
Why we set ignoreLineBreaks to true by default
"org.apache.xml.security.ignoreLineBreaks" = true makes XMLUtils
not build XML with line breaks, but it does not affect the
verification process.
Most of Java SAML implementations use it:
opensaml
apache/wss4j
eidas
seam/security
apache/camel
https://github.com/onelogin/java-saml/issues/213
SAML2 federation and WS-Federation fail due to presence of &#13;
characters in signature and certificate blocks in AM 6.x
The purpose of this article is to provide assistance if federation
(SAML2 and WS-Federation) fails because the Service Provider (SP)
cannot parse the signature or certificate generated by the Identity
Provider (IdP) when AM is the IdP. The SP cannot parse the assertion
because of the presence of XML-encoded carriage return characters
(&#13;) at the end of lines.
This issue can be resolved as follows depending on which version you are currently on:
Set the org.apache.xml.security.ignoreLineBreaks property to true.
https://backstage.forgerock.com/knowledge/kb/article/a59018067