1 Reply Latest reply on Dec 12, 2016 4:54 AM by kshiva

xml-exc-c14n#WithComments) from Authn Request is not supported

kshiva Sep 2, 2016 10:34 AM

Hello All,

My client uses F5 BIG IP APM as IDP. When I am sending sp-metadata without any certificate, we are able to login. But due to some patch on client IDP, it requires assertions to be signed while logout. So, we decided to send certificate along with metadata.

When the client tried to access the application, the following error occurred and no response was sent to SP.

SSOv2 Canonicalization algorithm (http://www.w3.org/2001/10/xml-exc-c14n#WithComments) from Authn Request is not supported
SSOv2 Error(12) Parsing SAML Request

I was going through the forum and found that some IDP's does not support the algorithm : http://www.w3.org/2001/10/xml-exc-c14n#WithComments.

Can any one confirm if using only "http://www.w3.org/2001/10/xml-exc-c14n" in the picketlink.xml will solve the problem? Are there any other solutions, I can look into?

Please suggest.

Thanks,

Krishna

1. Re: Canonicalization algorithm (http://www.w3.org/2001/10/xml-exc-c14n#WithComments) from Authn Request is not supported

kshiva Dec 12, 2016 4:54 AM (in response to kshiva)

Hi,
I found the solution to fix the issue:

1. PicketLink provides a default algorithm http://www.w3.org/2001/10/xml-exc-c14n#WithComments which is not supported by my client IDP
2. Add "CanonicalizationMethod" to SP picketlink.xml under <PicketLinkSP> tag.
3. For this "CanonicalizationMethod" attribute add the following value: "http://www.w3.org/2001/10/xml-exc-c14n#"
The issue got resolved.
Thanks,
Krishna
Actions