Looks like this has been corrected in 7.0.10. See commit: 
https://github.com/apereo/cas/commit/5cd377d936d16f697f6f42315802917a98d25296

On Friday, October 25, 2024 at 11:08:16 PM UTC-4 Miguel Martínez De 
Espronceda Cámara wrote:

> Hello,
> Just to confirm that we also had this issue. In our case it was '
'.
> We applied Dmitriy's trick and solved the issue. 
> *-Dorg.apache.xml.security.ignoreLineBreaks=true*
> Thank you
>
> On Mon, Oct 21, 2024 at 16:00, Jeremiah Garmatter (<j-gar...@onu.edu>) 
> wrote:
>
>> Thank you Dmitriy,
>>
>> That property did the trick!
>> I deploy with a systemd unit file and embedded tomcat so I added 
>> "-Dorg.apache.xml.security.ignoreLineBreaks=true" to my java call in the 
>> unit file.
>> I can confirm the special characters are no longer generated within the 
>> signature.
>> I was able to authenticate to both of my troublemaking Service Providers 
>> with this fix.
>>
>> On Saturday, October 19, 2024 at 3:35:45 AM UTC-4 Dmitriy Kopylenko wrote:
>>
>>> Add this JVM system property: 
>>> *-Dorg.apache.xml.security.ignoreLineBreaks=true*
>>>
>>>
>>>
>>> On Fri, Oct 18, 2024 at 15:29 Jeremiah Garmatter <j-gar...@onu.edu> 
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm reaching out about this again because another one of my SPs 
>>>> recently migrated their SAML software and the new software they use can't 
>>>> handle the newline characters either. I only have until the end of the 
>>>> month to come up with a solution before they swap over their software 
>>>> completely.
>>>>
>>>> Has anyone else heard of the SAML2 module of CAS sending these encoded 
>>>> newline characters, "&#xd", within the SAML2 response's signature?
>>>> I haven't found any documentation related to it and I could really use 
>>>> the help to disable these characters or prevent them from appearing in the 
>>>> SAML2 response.
>>>> See the screenshot of what I'm talking about:
>>>> [image: saml2-newlines.png]
>>>>
>>>>
>>>> On Friday, September 13, 2024 at 12:18:35 AM UTC-4 Jeremiah Garmatter 
>>>> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> After an upgrade from CAS 6.6.3 to CAS 7.0.4.1 one of my service 
>>>>> providers can no longer receive signed assertions sent from my CAS server 
>>>>> without experiencing errors. We use the SAML2 module for this SP.
>>>>>
>>>>> After some back and forth with the SP they found that our signed SAML 
>>>>> assertions contain xml-encoded "carriage return" values, "&#xd", within 
>>>>> the <SignatureValue> XML attribute. I can confirm that CAS 6.6.3 SAML2 did 
>>>>> not include these characters while 7.0.4.1 does (confirmed by passing the 
>>>>> base64 encoded saml response into "base64 -d" to decode).
>>>>>
>>>>> Anyway, the SP can't parse the signed assertions now. Something about 
>>>>> a .NET issue on their side trying to parse the <SignatureValue>. The 
>>>>> "fix" we came to involved disabling assertion signing so the SP doesn't 
>>>>> have to deal with the issue.
>>>>>
>>>>> Has anyone else heard of this? Any idea when the carriage returns 
>>>>> began to appear in the SignatureValue? I'm looking for any information 
>>>>> related to this. If you know a way to make CAS remove the carriage 
>>>>> returns per-service I would love to hear it (I didn't find a mention in 
>>>>> the CAS documentation).
>>>>>
>>>>> Thanks and have a good one!
>>>>>
>>>>
>>>>> -- 
>>>> - Website: https://apereo.github.io/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> --- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to cas-user+u...@apereo.org.
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/48041002-b2dc-41f7-8425-8e74fb5c459fn%40apereo.org
>>>>  
>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/48041002-b2dc-41f7-8425-8e74fb5c459fn%40apereo.org?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>
>
> -- 
> *Miguel Martínez de Espronceda Cámara*
> Project Manager
> Universidad de Navarra
> IT Services
> Tel: +34 948 425 600 x803156
> mmmca...@unav.es
>
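
A check along the lines of the `base64 -d` inspection described in the thread, added here as an example (not code from the thread or from CAS): it decodes a base64 SAMLResponse value, counts carriage-return character references inside each SignatureValue, and shows that the signature bytes are the same once the line breaks are stripped. The sample response, the 76-character wrap and the function names are constructed for illustration.

```python
import base64
import re

# Text of every SignatureValue element, with or without a namespace prefix.
SIGVAL_RE = re.compile(
    r"<(?:\w+:)?SignatureValue\b[^>]*>(.*?)</(?:\w+:)?SignatureValue>", re.S)
# Carriage return written as an XML character reference: &#xd; / &#xD; / &#13;
CR_REF_RE = re.compile(r"&#(?:x0*[dD]|0*13);")


def inspect_saml_response(b64_response):
    """Decode a base64 SAMLResponse value and report on each SignatureValue."""
    xml = base64.b64decode(b64_response).decode("utf-8")
    report = []
    for raw in SIGVAL_RE.findall(xml):
        # Drop CR references and whitespace to get the bare base64 signature.
        compact = re.sub(r"\s+", "", CR_REF_RE.sub("", raw))
        report.append({
            "cr_refs": len(CR_REF_RE.findall(raw)),
            "line_feeds": raw.count("\n"),
            "signature": base64.b64decode(compact, validate=True),
        })
    return report


def make_sample(line_breaks):
    """Constructed sample: 96 dummy signature bytes, optionally wrapped
    every 76 characters with CR (as &#xd;) followed by LF."""
    sig = base64.b64encode(bytes(range(96))).decode("ascii")
    if line_breaks:
        sig = "&#xd;\n".join(sig[i:i + 76] for i in range(0, len(sig), 76))
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
           '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           f"<ds:SignatureValue>{sig}</ds:SignatureValue>"
           "</ds:Signature></samlp:Response>")
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for label, wrapped in (("with line breaks", True), ("without", False)):
        for entry in inspect_saml_response(make_sample(wrapped)):
            print(label, entry["cr_refs"], entry["line_feeds"],
                  len(entry["signature"]))
```

Running the same function on a response captured before and after setting the JVM property gives a quick confirmation that the references are gone.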
