Federation fails when using SP initiated SSO; the SP may see references such as "Invalid SAML signature" in their logs and will not be able to parse the signature or certificate blocks.
The Federation debug log will show the signature and certificate blocks with
at the end of lines, for example:
<ds:SignatureValue> 0n4tZCrMzco4uc91FvbWE+hSn6dJENYmxS8WJyEAlHjcBro3hOu07CK+rQqyTGU+OljbaUHF+zI/ Mgror3t3X+IeYcVg8PnRkmT1SXegl1wqmwZd/zg2WWXszC8W+XaQrlgIG+BNxg5j66HkDkTzegrE ... </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> CwUAA4IBAQBIRSXFrUyt1JxaJUCKidkS5FHcsTI3u3k+MMYBkQhLZB8lAomTwkqRPRx+rOvqLEW/ EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMR0w ... </ds:X509Certificate>
Upgraded to, or installed AM 6.x.
AM 6, 184.108.40.206, 220.127.116.11, 18.104.22.168 or 22.214.171.124
The xmlsec library used in AM 6 to 126.96.36.199 is 2.1.1, which has a known issue that causes line breaks to be replaced with these characters when the ignorelinebreak property is enabled. This property is enabled using either of the following JVM options:
If the XML parser used by the SP to process the assertion is not permissive, these characters will cause federation to fail. However, if the XML parser is permissive (as used by AM), federation will succeed; this explains why this issue will not affect you if AM is also acting as the SP.
AM 188.8.131.52 and later
The xmlsec library used in AM 184.108.40.206 and later has been upgraded to 2.1.2, which resolves the known issue above; however, this issue can still occur if the org.apache.xml.security.ignoreLineBreak property is not enabled (which it isn't by default). An RFE exists to change this: OPENAM-14939 (Enable "org.apache.xml.security.ignoreLineBreaks=true" by default ).
This issue can be resolved by upgrading to AM 220.127.116.11 or later and then setting the org.apache.xml.security.ignoreLineBreak property; you can download this from BackStage.
Example using Apache Tomcat™ web container
You can set this property as follows:
- Add the following line to the setenv.sh file (typically located in the /tomcat/bin/ directory):
- Restart the web container.
If the setenv.sh file doesn't exist, you should create it in the same directory as the catalina.sh file (also typically located in the /tomcat/bin/ directory).