Federation fails when using SP initiated SSO; the SP may log errors such as "Invalid SAML signature" and is unable to parse the signature or certificate blocks in the assertion.
The Federation debug log shows the signature and certificate blocks with an XML-encoded carriage return (&#13;) at the end of each Base64 line, for example:
    <ds:SignatureValue>
    0n4tZCrMzco4uc91FvbWE+hSn6dJENYmxS8WJyEAlHjcBro3hOu07CK+rQqyTGU+OljbaUHF+zI/&#13;
    Mgror3t3X+IeYcVg8PnRkmT1SXegl1wqmwZd/zg2WWXszC8W+XaQrlgIG+BNxg5j66HkDkTzegrE&#13;
    ...
    </ds:SignatureValue>
    <ds:KeyInfo>
    <ds:X509Data>
    <ds:X509Certificate>
    CwUAA4IBAQBIRSXFrUyt1JxaJUCKidkS5FHcsTI3u3k+MMYBkQhLZB8lAomTwkqRPRx+rOvqLEW/&#13;
    EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMR0w&#13;
    ...
    </ds:X509Certificate>
Recent changes
Upgraded to, or installed, AM 6.0.0.x, 6.5.0.x, 6.5.1 or 6.5.2.x.
The cause varies according to which version of AM you are using:
- AM 22.214.171.124 to AM 6.5.2.x: the org.apache.xml.security.ignoreLineBreaks property is not enabled (it is off by default).
- AM 6, 126.96.36.199, 188.8.131.52, 184.108.40.206 or 220.127.116.11: there is a known issue with the xmlsec library bundled with these versions.
AM 18.104.22.168 to AM 6.5.2.x
The xmlsec library used in AM 22.214.171.124 was upgraded to 2.1.2, which resolves the known issue in earlier versions. However, this issue can still occur if the org.apache.xml.security.ignoreLineBreaks property is not enabled, and it is not enabled by default.
An RFE exists to change that default: OPENAM-14939 (Enable "org.apache.xml.security.ignoreLineBreaks=true" by default). This is resolved in AM 6.5.3 and later.
AM 6, 126.96.36.199, 188.8.131.52, 184.108.40.206 or 220.127.116.11
The xmlsec library used in AM 6 to 18.104.22.168 is 2.1.1. This version of xmlsec has a known issue that causes line breaks in the Base64 output to be replaced with the XML-encoded carriage return character &#13; (the numeric character reference for U+000D) when the ignoreLineBreaks property is enabled. The property is enabled when either (or both) of the following JVM options are set to true:
    -Dorg.apache.xml.security.ignoreLineBreaks=true
    -Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
If the XML parser used by the SP to process the assertion is not permissive, these characters cause federation to fail: the parser expands each &#13; into a literal carriage return inside the Base64 signature and certificate data, and a strict implementation rejects that data as malformed. If the parser is permissive, as the one used by AM is, the stray characters are ignored and federation succeeds; this is why the issue does not affect AM when it acts as the SP.
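The following script is an added example (written for this page, not code from the original article or from AM or xmlsec) that reproduces the diagnosis above on a constructed ds:Signature: it counts the &#13; references inside SignatureValue and X509Certificate as they appear in raw log text, parses the XML so the references become literal carriage returns, and then runs two decoders over the Base64. The "strict" and "permissive" decoders are models of SP behaviour (an assumption, not any specific product's code): the strict one tolerates ordinary line wrapping but rejects any other character, the permissive one discards anything outside the Base64 alphabet, as AM does. The Base64 payloads are placeholder bytes, not a real signature or certificate.

```python
"""Diagnose XML-encoded carriage returns (&#13;) inside the Base64 blocks of a
SAML ds:Signature, and show why a permissive SP still federates while a
strict SP rejects the assertion.

Added example, not code from the original article or from AM/xmlsec.
The sample Signature is constructed from placeholder bytes."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
_NS = {"ds": DS_NS}
_BLOCKS = ("SignatureValue", "X509Certificate")
# Decimal and hex numeric character references for CR (U+000D).
_ENCODED_CR = re.compile(r"&#(?:13|[xX]0*[dD]);")


def _wrap_with_encoded_cr(raw: bytes, width: int = 76) -> str:
    """Base64-encode raw, wrap at width chars, and end every line with the
    &#13; reference that the affected xmlsec version emits in place of a
    plain line break. Used only to build the constructed sample."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "".join(line + "&#13;\n" for line in lines)


# Constructed sample: placeholder bytes, not a real RSA signature or X.509 DER.
_SIG_RAW = bytes(range(64))     # 88 Base64 chars -> 2 wrapped lines
_CERT_RAW = bytes(range(256))   # 344 Base64 chars -> 5 wrapped lines
SAMPLE_SIGNATURE = (
    f'<ds:Signature xmlns:ds="{DS_NS}">\n'
    "  <ds:SignatureValue>\n"
    f"{_wrap_with_encoded_cr(_SIG_RAW)}"
    "  </ds:SignatureValue>\n"
    "  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n"
    f"{_wrap_with_encoded_cr(_CERT_RAW)}"
    "  </ds:X509Certificate></ds:X509Data></ds:KeyInfo>\n"
    "</ds:Signature>\n"
)


def count_encoded_crs(xml_text: str) -> dict:
    """Count &#13; references inside each Base64-bearing element of the raw
    (unparsed) XML, e.g. text pasted from the Federation debug log."""
    counts = {}
    for name in _BLOCKS:
        m = re.search(rf"<ds:{name}[^>]*>(.*?)</ds:{name}>", xml_text, re.S)
        counts[name] = len(_ENCODED_CR.findall(m.group(1))) if m else 0
    return counts


def decode_strict(b64_text: str) -> bytes:
    """Model of a strict SP decoder (assumption): surrounding whitespace and
    LF line wrapping are tolerated, but any other non-alphabet character,
    such as the CR produced by expanding &#13;, raises binascii.Error."""
    return base64.b64decode(b64_text.strip().replace("\n", ""), validate=True)


def decode_permissive(b64_text: str) -> bytes:
    """Model of a permissive decoder (as AM behaves): every character outside
    the Base64 alphabet, CR included, is silently discarded."""
    return base64.b64decode(b64_text)


def check_signature(xml_text: str) -> dict:
    """Parse the XML (which turns &#13; into a literal CR in element text),
    then try both decoders on SignatureValue and X509Certificate."""
    root = ET.fromstring(xml_text)
    result = {"encoded_cr": count_encoded_crs(xml_text)}
    strict_ok = permissive_ok = True
    for name in _BLOCKS:
        el = root.find(f".//ds:{name}", _NS)
        if el is None:
            continue
        text = el.text or ""
        try:
            decode_strict(text)
        except binascii.Error:
            strict_ok = False
        try:
            decode_permissive(text)
        except binascii.Error:
            permissive_ok = False
    result["strict_ok"] = strict_ok
    result["permissive_ok"] = permissive_ok
    return result


def strip_encoded_crs(xml_text: str) -> str:
    """Remove the &#13; references to confirm the diagnosis: whitespace inside
    SignatureValue and X509Certificate is not part of what is signed, so the
    same document then passes the strict decoder."""
    return _ENCODED_CR.sub("", xml_text)


if __name__ == "__main__":
    print(check_signature(SAMPLE_SIGNATURE))
    print(check_signature(strip_encoded_crs(SAMPLE_SIGNATURE)))
```

Run it against a Response copied from the Federation debug log: a non-zero count with strict_ok False and permissive_ok True is the signature of this issue. Stripping the references is only a confirmation step on the captured text; the fix is on the IdP side as described in the solution.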
This issue can be resolved as follows depending on which version you are currently on:
- AM 22.214.171.124 to AM 6.5.2.x: set the org.apache.xml.security.ignoreLineBreaks property to true.
AM 6, 126.96.36.199, 188.8.131.52, 184.108.40.206 or 220.127.116.11 (both steps are needed, because upgrading alone leaves you with the property disabled, which is the first cause above):
- Upgrade to AM 18.104.22.168 or later; you can download this from BackStage.
- Set the org.apache.xml.security.ignoreLineBreaks property to true.
Setting this property to true using the Apache Tomcat™ web container
You can set this property as follows:
- Add the following line to the setenv.sh file (typically located in the /tomcat/bin/ directory):
    JAVA_OPTS=-Dorg.apache.xml.security.ignoreLineBreaks=true
  If setenv.sh already sets JAVA_OPTS, append to it rather than replacing it, otherwise the existing options are lost:
    JAVA_OPTS="$JAVA_OPTS -Dorg.apache.xml.security.ignoreLineBreaks=true"
- Restart the web container.
If the setenv.sh file doesn't exist, create it in the same directory as the catalina.sh file (also typically /tomcat/bin/). catalina.sh sources setenv.sh on start-up, so the file does not need to be executable.
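The script below is an added example (not part of the original article, AM or Tomcat) that applies the setenv.sh procedure above idempotently: it creates the file beside catalina.sh if missing, appends the flag to JAVA_OPTS instead of overwriting it, leaves the file alone if the flag is already there, and reports any bare JAVA_OPTS= assignments that would discard earlier options. The Tomcat bin directory is an assumption passed in by the caller.

```python
"""Add -Dorg.apache.xml.security.ignoreLineBreaks=true to Tomcat's setenv.sh
idempotently and without discarding options already placed in JAVA_OPTS.

Added example, not part of the original article or of AM/Tomcat.
The Tomcat bin directory (default /tomcat/bin, as in the article) is an assumption."""
from pathlib import Path

FLAG = "-Dorg.apache.xml.security.ignoreLineBreaks=true"
# Append to JAVA_OPTS rather than assign it, so options set earlier in
# setenv.sh (or inherited from the environment) survive.
OPTS_LINE = f'JAVA_OPTS="$JAVA_OPTS {FLAG}"'


def with_ignore_line_breaks(setenv_text):
    """Return setenv.sh content that contains FLAG exactly once.
    None means the file does not exist yet and is created from scratch."""
    if setenv_text is None:
        setenv_text = "#!/bin/sh\n"
    if FLAG in setenv_text:
        return setenv_text
    if setenv_text and not setenv_text.endswith("\n"):
        setenv_text += "\n"
    return setenv_text + OPTS_LINE + "\n"


def overwriting_java_opts_lines(setenv_text):
    """Lines that assign JAVA_OPTS without referencing its previous value,
    such as the bare form JAVA_OPTS=-D...; each one silently drops whatever
    JAVA_OPTS held before it, which is why OPTS_LINE appends instead."""
    found = []
    for line in setenv_text.splitlines():
        s = line.strip()
        if s.startswith("export "):
            s = s[len("export "):].strip()
        if s.startswith("JAVA_OPTS=") and "$JAVA_OPTS" not in s and "${JAVA_OPTS}" not in s:
            found.append(s)
    return found


def ensure_ignore_line_breaks(tomcat_bin):
    """Create or update <tomcat_bin>/setenv.sh next to catalina.sh, which
    sources it on start-up (no execute bit needed). Returns True if the file
    was written, False if the flag was already present."""
    bin_dir = Path(tomcat_bin)
    if not (bin_dir / "catalina.sh").is_file():
        raise FileNotFoundError(f"{bin_dir}/catalina.sh not found; wrong Tomcat bin directory?")
    setenv = bin_dir / "setenv.sh"
    old = setenv.read_text() if setenv.exists() else None
    new = with_ignore_line_breaks(old)
    if new == old:
        return False
    setenv.write_text(new)
    return True


if __name__ == "__main__":
    import sys
    tomcat_bin = sys.argv[1] if len(sys.argv) > 1 else "/tomcat/bin"
    changed = ensure_ignore_line_breaks(tomcat_bin)
    print("setenv.sh updated; restart the web container" if changed else "flag already present")
    for bad in overwriting_java_opts_lines(Path(tomcat_bin, "setenv.sh").read_text()):
        print("warning: this line replaces JAVA_OPTS instead of appending:", bad)
```

After restarting Tomcat, confirm the option actually reached the JVM with `jcmd <tomcat-pid> VM.system_properties | grep ignoreLineBreaks`; if the property is absent, setenv.sh was not sourced (wrong directory, or CATALINA_BASE points elsewhere).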