Jeremiah, I can confirm that those characters show in the decoded response. I can also see (when selecting text) a non-printing character in Chrome SAML Tracer, but not in Firefox SAML Tracer. The newline characters do not show in the certificate in the payload even though it also has broken lines. Our Shibboleth IdP handles the response (we use CAS to perform the authn), so I have not had to deal with this.

Ray

On Wed, 2024-10-16 at 13:39 -0700, Jeremiah Garmatter wrote:

Hello,

I'm reaching out about this again because another one of my SPs recently migrated their SAML software and the new software they use can't handle the newline characters either. I only have until the end of the month to come up with a solution before they swap over their software completely. Has anyone else heard of the SAML2 module of CAS sending these encoded newline characters, "
", within the SAML2 response's signature? I haven't found any documentation related to it and I could really use the help to disable these characters or prevent them from appearing in the SAML2 response. See the screenshot of what I'm talking about: [saml2-newlines.png]

On Friday, September 13, 2024 at 12:18:35 AM UTC-4 Jeremiah Garmatter wrote:

Hello,

After an upgrade from CAS 6.6.3 to CAS 7.0.4.1 one of my service providers can no longer receive signed assertions sent from my CAS server without experiencing errors. We use the SAML2 module for this SP. After some back and forth with the SP they found that our signed SAML assertions contain xml-encoded "carriage return" values, "
", within the <SignatureValue> XML attribute. I can confirm that CAS 6.6.3 SAML2 did not include these characters while 7.0.4.1 does (confirmed by passing the base64 encoded saml response into "base64 -d" to decode). Anyway, the SP can't parse the signed assertions now. Something about a .NET issue on their side trying to parse the <SignatureValue>. The "fix" we came to involved disabling assertion signing so the SP doesn't have to deal with the issue.

Has anyone else heard of this? Any idea when the carriage returns began to appear in the SignatureValue? I'm looking for any information related to this. If you know a way to make CAS remove the carriage returns per-service I would love to hear it (I didn't find a mention in the CAS documentation).

Thanks and have a good one!
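
The "base64 -d" check described in the thread can be scripted so that each base64-carrying signature element is reported separately. This is an added example, not part of the original messages and not CAS code. It assumes the base64 SAMLResponse value of the HTTP-POST binding; the sample response is constructed, and because the exact character reference is not preserved on this page, both the decimal and hex forms of a carriage-return reference are checked.

```python
import base64
import re

# XML numeric character references for carriage return (U+000D).
CR_REF = re.compile(rb"&#(?:0*13|x0*[dD]);")
# Base64-carrying XML Signature elements, with or without a namespace prefix.
ELEMENT = re.compile(
    rb"<(?:\w+:)?(SignatureValue|X509Certificate)\b[^>]*>(.*?)</(?:\w+:)?\1>",
    re.DOTALL,
)

def find_cr_references(saml_response_b64):
    """Inspect the raw (unparsed) XML so escaped and literal CRs stay distinct."""
    xml = base64.b64decode(saml_response_b64)
    findings = []
    for match in ELEMENT.finditer(xml):
        name, body = match.group(1).decode(), match.group(2)
        # Bytes a whitespace-tolerant consumer recovers once the CRs are dropped.
        cleaned = re.sub(rb"\s+", b"", CR_REF.sub(b"", body))
        findings.append({
            "element": name,
            "encoded_cr": len(CR_REF.findall(body)),
            "literal_cr": body.count(b"\r"),
            "decoded_len": len(base64.b64decode(cleaned)),
        })
    return findings

def wrap(raw, sep):
    """Base64-encode and wrap at 76 characters using the given separator."""
    b64 = base64.b64encode(raw).decode()
    return sep.join(b64[i:i + 76] for i in range(0, len(b64), 76))

# Constructed sample: signature wrapped with an escaped CR plus LF, certificate
# wrapped with LF only, mirroring what the thread reports for the two elements.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>" + wrap(bytes(range(96)), "&#13;\n") + "</ds:SignatureValue>"
    "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>" + wrap(bytes(60), "\n")
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
    "</ds:Signature></samlp:Response>"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for finding in find_cr_references(SAMPLE_B64):
        print(finding)
```

Running the same function over a response captured before and after an upgrade shows which elements changed, which is the evidence an SP needs when debugging its own parser.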