Hi to All,
I have Siteminder 12.8sp on Linux Centos 7 with JDK 1.8.0_151. I configured Siteminder as IDP and I have another system as SP (in this case it's a Netscaler, but I don't think it matters), using the HTTP-POST binding. The problem is that the SAML tokens generated by Siteminder have "strange" characters in the tags of the signatures and the certificate. These characters are that make me think of the "newline" character. I paste the decoded tokens below (I took them from the POST, but I verified that I find them also in the smtrace policy server logs).
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://dev-app.cen.poliziadistato.it/cgi/samlauth" ID="_6cf2b3197405aa0dd55323ba36600c728890" IssueInstant="2019-05-13T07:45:40Z" Version="2.0">
[cut]</ds:SignedInfo> <ds:SignatureValue> I8LUIhLSY40RitYi4b5zTzBMa2Bd0ZFxcTy72poIiVjHcucq7JHrlh0IFSc3a3p5wW7ckRFs0Zrq 0EZ4nPfzn5Aa1u0XU83h4DDawjR6EmnhWGr3vdYce4BS9Oq68T616O8r+rg9RK0r3WgUXz/fO59K 5TrrjOm5nBGBjpauCxQ= </ds:SignatureValue> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> MIIB2DCCAUGgAwIBAgIRAIWG/xsSzTpy85Id3zNga14wDQYJKoZIhvcNAQELBQAwKjEMMAoGA1UE CgwDQ0VOMQwwCgYDVQQLDANDRU4xDDAKBgNVBAMMA0NFTjAeFw0xNzEyMTQxMTMzNTNaFw0yNzEw MjMxMDMzNTNaMCoxDDAKBgNVBAoMA0NFTjEMMAoGA1UECwwDQ0VOMQwwCgYDVQQDDANDRU4wgZ8w DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ1JpmfPkBemEKDbr6495rbHtZ0ym5MYQ6Wqk0USRPxO +CFMx5gYr7uQsy/44vRT6jSW7cEuiyG0fwidjLATV05zOdcadttEH3M3gMzTxoYuYZSlnmfj2ETY LftSL7+6FQiqdOjG4SkkvQIGPMC2oH84eJfymSiu81OGEEbjS7nzAgMBAAEwDQYJKoZIhvcNAQEL BQADgYEAGG7CnEaNy3yuswhGNJ+iF0n2MMlPgoOzKgSMEiCD0XS89bMtuIlibJ8Em3oidhuwXa/C B86wDhHFPJGg+cXe7K30Qph87EdEEz+THb6DdT5Bntmki6N0kYE8s7OSFHVi6lcpNYcCrnU0fWP5 rmUxRbBV2SRlwXDGIDqZLsy6A7k= </ds:X509Certificate> </ds:X509Data>[cut]
I used the same configuration that I have on an older system (Siteminder 12.8sp, JDK 1.80.151 on a different policy store, same certificate). In the old environment everything works and there are not those characters at the end of each line in the certificate and signature tags. Apparently the configurations are the same. Has it already happened to you? Do you have any suggestions?
Thanks in advance,
Marco
In the new environment, without signing, I have no error!
This is a known issue with 12.8 GA and is fixed in 12.8 SP1. I strongly recommend installing 12.8 SP2 though, as there are many issues with 12.8 GA and 12.8 SP1.
If you still want a resolution on 12.8 GA, follow the steps below:
1. Download "xmlsec-2.1.2.jar" file from internet.
2. Shutdown Policy Server
3. Rename "/bin/endorsed/xmlsec-2.1.0.jar" to xmlsec-2.1.0.jar_backup
4. Copy "xmlsec-2.1.2.jar" file to "/bin/endorsed/"
5. Backup "/config/JVMOptions.txt"
6. Update "/config/JVMOptions.txt" file as below sample.
a) Updating the file path from pointing to xmlsec-2.1.0.jar to xmlsec-2.1.2.jar
b) Adding "-Dorg.apache.xml.security.ignoreLineBreaks=true"
7. Startup Policy Server
I updated to 12.8sp2 and everything works! Thanks!
Marco
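To confirm the symptom from the question before and after applying the fix, the following added example (not part of the original thread and not Siteminder code) decodes an HTTP-POST `SAMLResponse` value and counts carriage returns inside `ds:SignatureValue` and `ds:X509Certificate`. It assumes the stray characters are carriage returns serialized as the `&#13;` character reference; the function names and the sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CHECKED_TAGS = ("SignatureValue", "X509Certificate")


def wrap(data, line_end):
    """Base64-encode data in 76-character lines, each followed by line_end."""
    b64 = base64.b64encode(data).decode()
    return "".join(b64[i:i + 76] + line_end for i in range(0, len(b64), 76))


def build_sample(line_end):
    """Constructed SAMLResponse form value (dummy bytes, not a real signature)."""
    xml = (
        '<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<ds:Signature xmlns:ds="%s">'
        "<ds:SignatureValue>%s</ds:SignatureValue>"
        "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
        "</ds:Signature></Response>"
    ) % (DS_NS, wrap(bytes(range(90)), line_end), wrap(bytes(range(30)), line_end))
    return base64.b64encode(xml.encode()).decode()


def inspect_saml_response(saml_response_b64):
    """Return {tag: {"cr": count, "payload_bytes": n}} for the signature fields.

    The XML parser turns the reference &#13; into a literal carriage return in
    the element text, so counting "\\r" detects it. Stripping all whitespace
    shows whether the base64 payload itself is still intact.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    report = {}
    for tag in CHECKED_TAGS:
        for el in root.iter("{%s}%s" % (DS_NS, tag)):
            text = el.text or ""
            payload = base64.b64decode("".join(text.split()))
            report[tag] = {"cr": text.count("\r"), "payload_bytes": len(payload)}
    return report


BROKEN = build_sample("&#13;\n")  # constructed: line breaks carry a CR reference
CLEAN = build_sample("")          # constructed: no line breaks in the base64

if __name__ == "__main__":
    print("broken:", inspect_saml_response(BROKEN))
    print("clean: ", inspect_saml_response(CLEAN))
```

A non-zero `cr` count with an unchanged `payload_bytes` means only the line formatting of the base64 text differs, which is what the `ignoreLineBreaks` setting from the answer addresses.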