HTTP 500 on SAML2 Federation after upgrading Policy Server to R12.8

Document ID : KB000110150
Last Modified Date : 09/08/2018
Question:
We have upgraded our Policy Servers to R12.8, and right after the upgrade we get errors on some SAML2 Federation applications where, after authentication, the target is returning an HTTP 500 error. As per their logs we are seeing the problem is caused by certificate errors, but no certificate was changed on either side. In our Policy Server logs and traces everything looks correct, and we see no errors happening.

Why is this happening and how can we solve this?
Environment:
Policy Server R12.8
Java JDK 1.8.0_161 x64
Answer:

The problem is caused by the certificate used to sign the assertion including carriage return characters, which are converted into encoded form when the Policy Server signs the assertion:

...
<ds:SignatureValue>  
og3E2SPImuQ0hCDEL8tUNaIusVlaAzNasYm0FWLuWcpncFY1JOD/u7k8XZzBcRkwYFbsMiLxYlXr&#13;  
BDbtu58Ss/giUgDYQrmu889HY1ommWNiCXClrXaHsW3Ps60atENub8qYlqQM+GtDvdkdu482FOrI&#13;  
HWMiP2QEkSNvr+hQ5E9NWeH+KqRUoqPreXSYKAwauy9/Trf8J4fHzYou3WIqWQWTpjDDpTNXnOKc&#13;  
CT91RfIb3KGLpxhRblcMfC2CCacTLLexeWh2kK+VxMKdM/fWeVXxoRyV4RZpXo6JxCmu7BZRt2AO&#13;  
YZij82I3Awtokp0EKfyDcQcSmWtJvK8TuIfO2ZMu5kNOrLyD9HAq1bMsFVgn9Orhu+EJggNHsfPs&#13;  
iDJDsxA8ICfn8Jv7A/FZAS6nWSS9Pyko1bfWXvM7ygvbY8GCRy3z+Q/uvGAt0u4+whx+Dq78FqmL&#13;  
O3LeFU8FmD3bjOYWSAX7ZPXqHYFcoqaZtpVcqNkcPk8CnYwFaWO3XarQDNP2d5oujd4zGBVnXsAP&#13;  
q8+54Y4dkrEZmUXxHn+v8kBJngcbJcFrJA2U1aLyDEfQxc+sNyS8EhHnCQgFdDASHCZtL7BLdrWU&#13;  
s57aKI4UFc8XjLZT5QKpdW/y0CaQeeizY6u46e7SxklyCpU8GmVwCZUMKkYE9U1jZdn5yX+IvHJ=  
</ds:SignatureValue> 
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
<ds:X509Data>  
<ds:X509Certificate>  
MIAAwgcgNVBAvcxCzAJYTAbUCAQkdCAYDVQICzTCCQIEMRYwFw1Zm9yZHNoTdGFm&#13;
wFQYaMRcDXJlQHEw5SBvbiBUcmTdG9rZVudEGVQA1UDEjMCEChMaEtlc3RyUmVkI&#13;
dGQAgZWwgQ3VsdGgNVBAluZyBM29ucBxIjMlc3RjZXJ0LtTGXRlc3RyZWwunJlZG&#13;
wggY28udWsEi0GCSMAqGQEBSIb3DAQUBDwAAr4IwggBAQDWLEKAoIeW8Ia3n8IeA&#13;
23i87499etf+STsfh0jRGPgGJ++t3kfGXMJE0ijD4PNclKGkaxGXUCNUn2ROyyLg&#13;
AANkHEFuuXkM2vzpEOD+1KvPWfqayV+pLQoFdzbm5sTmGAU0X/MfDdGqVM6bPPCF&#13;
TUM3/WOIF6NUc85c9c9AvAFIQFJZBGPxc8AY3qDb40zG7evzenUnaxRWMitMSLHm&#13;
fLINXHtHewEQWgIB31Je/Ph3GeOCPO5FeTb6jgxmh7hNitf7uMisY6s9JHzQDxc+&#13;
CeI8jnH5CFMZfV5eDooqUGEzIMjajrNRyUI0KKF4DYK3Y66+v0Es++M2KILoUnt0&#13;
n+BAAGgAkiG9w0OCAQEAUBAVE9AgMQUFLhOAAWE7oBNM53DANBgkqhbsBOX3SLjY&#13;
s1fiCPUJ2xOguIHigKpWmiApEKaZGEOASu1NgAp1P1ZZlNGnxuoagM3jXpW1R/AN&#13;
0AHdrdCYjaDHAaCFsot9uYvI43LmT4cn0//PvpvCLVBRv4nt7+g/AHhr9UIoo/el&#13;
woJwfTS02hEvMae7mPTS02hEHZ2lsQeqVy6yom67nIRQULrtMZww+/atogk2W9me&#13;
Bx0WsTc+nXwtHliwFIEzVuPdpQGCOvCfN0mqJSmHw7LmNCkZV/9MdLmrfweuRSJB&#13;
GSe+BZfjV1chPI3NeT8uZOEnsOtpt2/7dhxUoVuX+bqeYLoJB1N6mOeuKFu8B0st&#13;
nA==
</ds:X509Certificate> 
</ds:X509Data>  
</ds:KeyInfo>  
</ds:Signature>  
...


Notice the "&#13;" appended at the end of each Base64 line. This is what causes the error on the target application: the server does not interpret the encoded carriage return character "&#13;" and returns the HTTP 500 error.

Xmlsec is the jar file the Policy Server uses to sign and encrypt XML content. When the R12.8 Policy Server generates the assertion, it does not add or encode any carriage return character, but when it signs/encrypts the assertion the encoded carriage return character appears; this is caused by a defect in the xmlsec-2.1.0.jar version. This did not happen on your previous Policy Server version because this jar was upgraded in R12.8:
R12.52 & R12.7.2: xmlsec-1.4.3.jar 
R12.8: xmlsec-2.1.0.jar 
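The following is an added example, not part of this document or of the Policy Server product: a check an administrator can run over a captured assertion to confirm that the "&#13;" references are the cause. It parses the XML, reports which signature elements carry a carriage return (after parsing, "&#13;" is a literal CR), and shows that the same Base64 decodes once the CR is gone. The assertion text and Base64 payloads are constructed dummy values, and `decode_strict` only models a strict consumer, not the target application's real decoder.

```python
import base64
import binascii
from typing import List, Optional
import xml.etree.ElementTree as ET

DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"
# Elements whose Base64 text the KB shows ending in "&#13;".
CHECKED_TAGS = {DS_NS + "SignatureValue", DS_NS + "X509Certificate"}

# Constructed sample, not a real assertion: the Base64 lines carry an
# encoded carriage return (&#13;) exactly where the R12.8 output does.
# The payloads are dummy bytes, not a real signature or certificate.
TAINTED_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignatureValue>c2lnbmF0dXJlLWJ5dGVz&#13;
dGVzdA==&#13;
</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Y2VydC1ieXRlcw==&#13;
</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature>
</samlp:Response>"""
# The same message as a pre-R12.8 Policy Server would emit it.
CLEAN_XML = TAINTED_XML.replace("&#13;", "")


def cr_tainted_elements(xml_text: str) -> List[str]:
    # After XML parsing "&#13;" is a literal CR (0x0D) in the element
    # text, so the check is simply whether that character is present.
    root = ET.fromstring(xml_text)
    return [el.tag[len(DS_NS):] for el in root.iter()
            if el.tag in CHECKED_TAGS and "\r" in (el.text or "")]


def element_text(xml_text: str, local_name: str) -> str:
    el = ET.fromstring(xml_text).find(".//" + DS_NS + local_name)
    return el.text or ""


def decode_strict(text: str) -> Optional[bytes]:
    # Models a strict Base64 consumer: line feeds are accepted as line
    # wrapping, any other non-alphabet byte (such as CR) fails decoding.
    try:
        return base64.b64decode(text.replace("\n", ""), validate=True)
    except binascii.Error:
        return None


if __name__ == "__main__":
    print("tainted elements:", cr_tainted_elements(TAINTED_XML))
    sig = element_text(TAINTED_XML, "SignatureValue")
    print("strict decode with CR:", decode_strict(sig))
    print("strict decode without CR:", decode_strict(sig.replace("\r", "")))
```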

In order to solve this issue you need to upgrade your Policy Server to R12.8.1 when it is available.