Office 365 returns "80041317" error when validating SamlResponse generated by CA SSO (Siteminder)

Document ID : KB000009125
Last Modified Date : 14/02/2018
Issue:

Office 365 fails to validate the signature generated by CA SSO (previously SiteMinder) and returns the numeric error "80041317".

Besides indicating a certificate mismatch, this error was also found to be caused by line breaks in the <ds:SignatureValue> generated by CA SSO, which Office 365 fails to validate.

Example of a signature generated by CA SSO:

<ds:SignatureValue>
cFJ+WoUc7wunkon3cqwYtScbzIPFZ4V6UAeoVTv4nErnNyHcfENxHXcioOzU24oDIZ9apRVjk609
x1WswHmckV33Ojacyg6Scz9GTaOD1JyED05caYoZvLkAlFwsFDoXhwgMzLkHrQ9u1Yefb/lTD+4U
1IdfVMfVps2ineo2WFGzR9VZBpkUSZQjyX/+Gey/s9SUiQGK/lhjH3if0QtngWp+89v9/4QUfl3R
xZmk8OrZq9oc9q2i5zEQVuKER96vMP0H9uDy9YyVQIBYgKx9QOnxLzvOxb3slblsxMQCwc/5MDmt
+hKNKGqX6c3bIzPFBicZaw8vD4CqKDMyhy3GPA==
</ds:SignatureValue>

Environment:
CA SSO 12.5, 12.51, 12.52, 12.6, 12.7
Cause:

This is caused by Java, which adds a line break after the 76th character to produce separate lines.

Resolution:

Line breaks in the signature can be disabled on the CA SSO Policy Server.
On the Policy Server, set the Java option org.apache.xml.security.ignoreLineBreaks to true and restart the Policy Server for the change to take effect. The steps are as follows:

1. Open <siteminder_install>/siteminder/config/JVMOptions.txt

2. Add -Dorg.apache.xml.security.ignoreLineBreaks=true as a system property.
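
To confirm the change took effect, a decoded SamlResponse captured before and after the restart can be checked for remaining line breaks. The following is an added example, not CA or Microsoft code: the function names are hypothetical, the sample signature is constructed from fixed bytes, and checking DigestValue and X509Certificate goes beyond the SignatureValue case described above.

```python
import base64
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# SignatureValue is the element the article names; the other two are
# base64-bearing XML-DSig elements checked here as a generalization.
BASE64_ELEMENTS = ("SignatureValue", "DigestValue", "X509Certificate")


def wrapped_base64_elements(xml_text):
    """Map element name -> list of chunk lengths, for every XML-DSig
    base64 element whose text still contains a line break."""
    findings = {}
    root = ET.fromstring(xml_text)
    for name in BASE64_ELEMENTS:
        for el in root.iter("{%s}%s" % (DS_NS, name)):
            text = el.text or ""
            if "\n" in text or "\r" in text:
                findings[name] = [len(chunk) for chunk in text.split()]
    return findings


def signature_bytes(xml_text):
    """Decode SignatureValue with all whitespace stripped."""
    el = ET.fromstring(xml_text).find(".//{%s}SignatureValue" % DS_NS)
    return base64.b64decode("".join(el.text.split()))


def sample_signature(wrapped):
    """Constructed sample: 256 fixed bytes stand in for an RSA-2048 signature."""
    raw = bytes(range(256))
    if wrapped:
        # encodebytes() wraps at 76 characters, like the output in the article
        value = "\n" + base64.encodebytes(raw).decode("ascii")
    else:
        value = base64.b64encode(raw).decode("ascii")
    return ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>%s'
            "</ds:SignatureValue></ds:Signature>" % (DS_NS, value))


if __name__ == "__main__":
    for label, wrapped in (("before", True), ("after", False)):
        doc = sample_signature(wrapped)
        print(label, wrapped_base64_elements(doc) or "no line breaks")
```

The wrapped and unwrapped samples decode to the same signature bytes, so the difference is only in how the value is serialized, which is what the JVM option changes.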