Carriage returns in SAML2 <SignatureValue>


Jeremiah Garmatter

Sep 13, 2024, 12:18:35 AM
to CAS Community
Hello,

After an upgrade from CAS 6.6.3 to CAS 7.0.4.1 one of my service providers can no longer receive signed assertions sent from my CAS server without experiencing errors. We use the SAML2 module for this SP.

After some back and forth with the SP they found that our signed SAML assertions contain xml-encoded "carriage return" values, "&#xd", within the <SignatureValue> XML attribute. I can confirm that CAS 6.6.3 SAML2 did not include these characters while 7.0.4.1 does (confirmed by passing the base64 encoded saml response into "base64 -d" to decode).

Anyway, the SP can't parse the signed assertions now. Something about a .NET issue on their side trying to parse the <SignatureValue>. The "fix" we came to involved disabling assertion signing so the SP doesn't have to deal with the issue.

Has anyone else heard of this? Any idea when the carriage returns began to appear in the SignatureValue? I'm looking for any information related to this. If you know a way to make CAS remove the carriage returns per-service I would love to hear it (I didn't find a mention in the CAS documentation).

Thanks and have a good one!

Jeremiah Garmatter

Oct 18, 2024, 3:29:20 PM
to CAS Community
Hello,

I'm reaching out about this again because another one of my SPs recently migrated their SAML software and the new software they use can't handle the newline characters either. I only have until the end of the month to come up with a solution before they swap over their software completely.

Has anyone else heard of the SAML2 module of CAS sending these encoded newline characters, "&#xd", within the SAML2 response's signature?
I haven't found any documentation related to it and I could really use the help to disable these characters or prevent them from appearing in the SAML2 response.
See the screenshot of what I'm talking about:
[screenshot: saml2-newlines.png]
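A way to check a captured response for the problem described above, as an added example that is not code from this thread or from CAS: it decodes the base64 SAMLResponse the SP receives, locates ds:SignatureValue, counts the carriage returns in its text, and shows that a strict base64 decoder rejects the text as-is (which is what broke on the .NET side) while a whitespace-tolerant decoder recovers the same bytes. The sample response, the fake signature bytes and the 76-column CRLF wrapping are constructed for the example; only the "&#xd;" / "&#13;" spellings come from the thread.

```python
"""Audit a base64-encoded SAMLResponse for carriage returns inside ds:SignatureValue.

Added example, not code from the thread or from CAS. Everything below marked
'constructed' is made up for illustration; the signature bytes are not a real signature.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _wrap_with_escaped_cr(b64_text: str, width: int = 76) -> str:
    """Constructed: mimic a base64 encoder that wraps lines with CRLF, which an XML
    serializer then writes as '&#xd;' + newline (the pattern shown in the thread)."""
    lines = [b64_text[i:i + width] for i in range(0, len(b64_text), width)]
    return "&#xd;\n".join(lines) + "&#xd;\n"


# Constructed sample: 64 fake signature bytes, base64-encoded and CRLF-wrapped.
FAKE_SIGNATURE = bytes(range(64))
FAKE_SIGNATURE_B64 = base64.b64encode(FAKE_SIGNATURE).decode()

# Constructed, heavily trimmed SAML response carrying that wrapped SignatureValue.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo/>'
    '<ds:SignatureValue>' + _wrap_with_escaped_cr(FAKE_SIGNATURE_B64) + '</ds:SignatureValue>'
    '</ds:Signature>'
    '</samlp:Response>'
)
# The HTTP-POST binding delivers base64(xml); this is what "base64 -d" would undo.
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode()


def decode_saml_response(b64: str) -> str:
    """Undo the HTTP-POST binding's base64 layer and return the XML text."""
    return base64.b64decode(b64).decode("utf-8")


def raw_has_escaped_cr(xml_text: str) -> bool:
    """True if the serialized XML spells out a carriage return as &#xd; or &#13;."""
    return re.search(r"&#(x[dD]|13);", xml_text) is not None


def signature_value_text(xml_text: str) -> str:
    """Return the text content of ds:SignatureValue. Character references such as
    &#xd; survive parsing as a literal '\\r' (XML line-end normalization does not
    apply to character references), so the parsed text still carries the CRs."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{{{DS_NS}}}SignatureValue")
    if node is None or node.text is None:
        raise ValueError("no ds:SignatureValue element found")
    return node.text


def count_carriage_returns(text: str) -> int:
    return text.count("\r")


def strict_decode_fails(text: str) -> bool:
    """A decoder that rejects any non-alphabet character (CR, LF) fails on the
    wrapped text; this models the SP-side failure the thread reports."""
    try:
        base64.b64decode(text, validate=True)
        return False
    except binascii.Error:
        return True


def signature_bytes(text: str) -> bytes:
    """Tolerant path: drop all whitespace (RFC 4648 base64 has none) and then
    decode strictly, so only genuine corruption is reported as an error."""
    cleaned = re.sub(r"\s+", "", text)
    return base64.b64decode(cleaned, validate=True)


def audit(b64: str) -> dict:
    """Summarize the state of a captured response."""
    xml_text = decode_saml_response(b64)
    sig_text = signature_value_text(xml_text)
    return {
        "escaped_cr_in_raw_xml": raw_has_escaped_cr(xml_text),
        "cr_count": count_carriage_returns(sig_text),
        "strict_decode_fails": strict_decode_fails(sig_text),
        "signature_len": len(signature_bytes(sig_text)),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SAML_RESPONSE_B64).items():
        print(f"{key}: {value}")
```

To run it against a real capture, replace SAMPLE_SAML_RESPONSE_B64 with the SAMLResponse form parameter (URL-decoded) taken from a SAML tracer; a non-zero cr_count confirms the encoder is wrapping the signature, and a True strict_decode_fails explains why a strict consumer rejects it even though the bytes themselves are intact.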

Ray Bon

Oct 19, 2024, 12:46:52 AM
to cas-...@apereo.org
Jeremiah,

I can confirm that those characters show in the decoded response. I can also see (when selecting text) a non printing character in chrome saml tracer, but not in firefox saml tracer.
The new line characters do not show in the certificate in the payload even though it also has broken lines.
Our Shibboleth IdP handles the response (we use CAS to perform the authn), so I have not had to deal with this.

Ray

Dmitriy Kopylenko

Oct 19, 2024, 3:35:45 AM
to cas-...@apereo.org
Add this JVM system property: 
-Dorg.apache.xml.security.ignoreLineBreaks=true

Jeremiah Garmatter

Oct 21, 2024, 10:00:03 AM
to CAS Community, Dmitriy Kopylenko
Thank you Dmitriy,

That property did the trick!
I deploy with a systemd unit file and embedded tomcat so I added "-Dorg.apache.xml.security.ignoreLineBreaks=true" to my java call in the unit file.
I can confirm the special characters are no longer generated within the signature.
I was able to authenticate to both of my troublemaking Service Providers with this fix.

Miguel Martínez De Espronceda Cámara

Oct 25, 2024, 11:08:16 PM
to cas-...@apereo.org, Dmitriy Kopylenko
Hello,
Just to confirm that we also had this issue. In our case it was '&#13;'.
We applied Dmitriy's trick and solved the issue. 
-Dorg.apache.xml.security.ignoreLineBreaks=true
Thank you


--
Miguel Martínez de Espronceda Cámara
Project Manager
Universidad de Navarra
IT Services
Tel: +34 948 425 600 x803156
mmmca...@unav.es

Jeremiah Garmatter

Nov 4, 2024, 11:33:59 AM
to CAS Community, Miguel Martínez De Espronceda Cámara, Dmitriy Kopylenko
Looks like this has been corrected in 7.0.10. See commit: https://github.com/apereo/cas/commit/5cd377d936d16f697f6f42315802917a98d25296