Solutions

SAML2 federation fails due to presence of &#13 characters in signature and certificate blocks in AM 6, 6.0.0.1, 6.0.0.2, 6.0.0.3 and 6.0.0.4

Last updated Oct 25, 2018

The purpose of this article is to provide assistance if SAML2 federation fails because the Service Provider (SP) cannot parse the signature or certificate generated by the Identity Provider (IdP) due to the presence of &#13 characters at the end of the lines, when AM is the IdP.


1 reader recommends this article

Symptoms

Federation fails when using SP initiated SSO; the SP may see references such as "Invalid SAML signature" in their logs and will not be able to parse the signature or certificate blocks.

The Federation debug log will show the signature and certificate blocks with &#13 at the end of lines, for example:

<ds:SignatureValue>
0n4tZCrMzco4uc91FvbWE+hSn6dJENYmxS8WJyEAlHjcBro3hOu07CK+rQqyTGU+OljbaUHF+zI/&#13;
Mgror3t3X+IeYcVg8PnRkmT1SXegl1wqmwZd/zg2WWXszC8W+XaQrlgIG+BNxg5j66HkDkTzegrE&#13;
...
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
CwUAA4IBAQBIRSXFrUyt1JxaJUCKidkS5FHcsTI3u3k+MMYBkQhLZB8lAomTwkqRPRx+rOvqLEW/&#13;
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMR0w&#13;
...
</ds:X509Certificate>

Recent Changes

Upgraded to, or installed AM 6, 6.0.0.1, 6.0.0.2, 6.0.0.3 or 6.0.0.4.

Causes

The xmlsec library used in these versions is 2.1.1, which has a known issue that causes line breaks to be replaced with these characters when the ignorelinebreak property is enabled. This property is enabled using either of the following JVM options:

-Dorg.apache.xml.security.ignoreLineBreaks=true
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true

If the XML parser used by the SP to process the assertion is not permissive, these characters will cause federation to fail. However, if the XML parser is permissive (as used by AM), federation will succeed; this explains why this issue will not affect you if AM is also acting as the SP. 

Solution

This issue can be resolved by upgrading to AM 6.0.0.5 or later; you can download this from BackStage.

Workaround

You can workaround this issue by upgrading the xmlsec library to version 2.1.2 on the AM acting as the IdP:

  1. Download xmlsec-2.1.2.jar from: http://central.maven.org/maven2/org/apache/santuario/xmlsec/2.1.2
  2. Navigate to the /path/to/tomcat/webapps/openam/WEB-INF/lib directory and:
    1. Copy the downloaded xmlsec-2.1.2.jar to this location.
    2. Rename xmlsec-2.1.1.jar to avoid any conflicts (for example, change it to xmlsec-2.1.1.jar.old).
  3. Edit the setenv.sh file (typically located in the /tomcat/bin/ directory) to add the following JAVA_OPTS:
    JAVA_OPTS='-Dorg.apache.xml.security.ignoreLineBreaks=true'
  4. Restart the web application container in which AM runs to apply these changes.

See Also

FAQ: SAML certificate management in AM/OpenAM

SAML Federation in AM/OpenAM

SAML v2.0 Guide

Related Training

N/A

Related Issue Tracker IDs

OPENAM-13577 (xmlsec 2.1.1.jar used in AM6 have issues when linebreaks enabled)



Copyright and TrademarksCopyright © 2018 ForgeRock, all rights reserved.
Loading...