ForgeRock Identity Platform
Does not apply to Identity Cloud

SAML2 federation and WS-Federation fail due to presence of &#13 characters in signature and certificate blocks in AM 6.0.0.x, 6.5.0.x, 6.5.1 and 6.5.2.x

Last updated Feb 24, 2021

The purpose of this article is to provide assistance if federation (SAML2 and WS-Federation) fails because the Service Provider (SP) cannot parse the signature or certificate generated by the Identity Provider (IdP) when AM is the IdP. The SP cannot parse the assertion because of the presence of XML encoded carriage return characters (&#13) at the end of lines.



Federation fails when using SP initiated SSO; the SP may see references such as "Invalid SAML signature" in their logs and will not be able to parse the signature or certificate blocks.

The Federation debug log will show the signature and certificate blocks with &#13 at the end of lines, for example:

<ds:SignatureValue>
0n4tZCrMzco4uc91FvbWE+hSn6dJENYmxS8WJyEAlHjcBro3hOu07CK+rQqyTGU+OljbaUHF+zI/&#13;
Mgror3t3X+IeYcVg8PnRkmT1SXegl1wqmwZd/zg2WWXszC8W+XaQrlgIG+BNxg5j66HkDkTzegrE&#13;
...
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
CwUAA4IBAQBIRSXFrUyt1JxaJUCKidkS5FHcsTI3u3k+MMYBkQhLZB8lAomTwkqRPRx+rOvqLEW/&#13;
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMR0w&#13;
...
</ds:X509Certificate>

Recent Changes

Upgraded to, or installed AM 6.0.0.x, 6.5.0.x, 6.5.1 or 6.5.2.x


The cause varies according to which version of AM you are using:

  • AM to AM 6.5.2.x - the property is not enabled.
  • AM 6,,, or - there is a known issue with the xmlsec library used in these versions.

AM to AM 6.5.2.x

The xmlsec library used in AM has been upgraded to 2.1.2, which resolves the known issue in earlier versions. However, this issue can still occur if the property is not enabled (which it isn't by default).

An RFE exists to change this: OPENAM-14939 (Enable "" by default ). This is resolved in AM 6.5.3 and later.

AM 6,,, or

The xmlsec library used in AM 6 to is 2.1.1. This version of the xmlsec library has a known issue that causes line breaks to be replaced with the XML encoded carriage return characters (&#13) when the ignorelinebreak property is enabled. This property is enabled when either (or both) of the following JVM options are set to true:

If the XML parser used by the SP to process the assertion is not permissive, these characters will cause federation to fail. However, if the XML parser is permissive (as used by AM), federation will succeed; this explains why this issue does not affect AM if it is acting as the SP.
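The following diagnostic, added here as an example and not part of the ForgeRock article or product, reproduces the symptom on a constructed assertion fragment: it parses the XML, counts the carriage returns left in the ds:SignatureValue and ds:X509Certificate blocks by the &#13; references, and shows how a strict base64 consumer rejects the text while a permissive one (which discards whitespace first) accepts it. The element names are real XML Signature names; the assertion content is fabricated sample data.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
BLOCKS = ("SignatureValue", "X509Certificate")

# Constructed sample: the signature value carries &#13; at line ends, as in the
# Federation debug log described above; the certificate block is clean.
# (The base64 payloads are dummy text, not a real signature or certificate.)
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:Signature>"
    "<ds:SignatureValue>aGVsbG8g&#13;\nd29ybGQ=&#13;\n</ds:SignatureValue>"
    "<ds:KeyInfo><ds:X509Data>"
    "<ds:X509Certificate>Y2VydA==</ds:X509Certificate>"
    "</ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion>"
)


def strict_base64_ok(text):
    """Strict consumer: any non-alphabet byte (CR, LF, space) is an error."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except binascii.Error:
        return False


def lenient_base64(text):
    """Permissive consumer: strip all whitespace (including CR) before decoding."""
    return base64.b64decode(re.sub(r"\s+", "", text))


def diagnose(xml_text):
    """Per block: how many CR characters survived parsing, and whether a
    strict base64 decoder would accept the block as-is."""
    root = ET.fromstring(xml_text)  # &#13; becomes a literal "\r" in .text
    report = {}
    for tag in BLOCKS:
        for el in root.iter("{%s}%s" % (DS_NS, tag)):
            text = el.text or ""
            report[tag] = {"cr_count": text.count("\r"),
                           "strict_base64": strict_base64_ok(text)}
    return report


if __name__ == "__main__":
    for tag, info in diagnose(SAMPLE_ASSERTION).items():
        print(tag, info)
```

Running it against a real debug-log excerpt only requires replacing SAMPLE_ASSERTION with the captured assertion; a non-zero cr_count on either block confirms the condition this article describes.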


This issue can be resolved as follows depending on which version you are currently on:

  • AM to AM 6.5.2.x: set the property to true.
  • AM 6,,, or 
    1. Upgrade to AM or later; you can download this from BackStage.
    2. Set the property to true.

Setting this property to true using the Apache Tomcat™ web container

You can set this property as follows:

  1. Add the following line to the file (typically located in the /tomcat/bin/ directory):
  2. Restart the web container.

If the file doesn't exist, you should create it in the same directory as the file (also typically located in the /tomcat/bin/ directory).

See Also

FAQ: SAML certificate management in AM 5.x and 6.x

SAML Federation in AM

SAML v2.0 Guide

Related Training


Related Issue Tracker IDs

OPENAM-14939 (Enable "" by default )

OPENAM-13577 (xmlsec 2.1.1.jar used in AM6 have issues when linebreaks enabled)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.