OpenSAML 3.4.1 saml2p:Response SignatureValue contains encoded CR

Nate Klingenstein ndk at
Fri Aug 13 17:45:40 UTC 2021


The dev at list is typically the appropriate one for OpenSAML questions.  This was more clear on the Shibboleth website before it was redesigned.

I have an informed hunch, but I seriously defer to the cryptographers on this one to avoid wasting your time.

Take care,

Signet, Inc.
The Art of Access ®

-----Original message-----
From: Ivaylo Milev
Sent: Friday, August 13 2021, 9:30 am
To: users at
Subject: OpenSAML 3.4.1 saml2p:Response SignatureValue contains encoded CR

Hi guys,

Apologies if this is not the right list, but I am trying to get OpenSAML to generate a saml2p:Response without any line breaks (or whitespace for that matter), and could not find the OpenSAML specific list (got 404).

I have tried providing the option to the JVM, but the output generated by OpenSAML 3.4.1 still includes the  in the SignatureValue.

I know xml dig signature processors *should* be able to deal with /n and /r/n cases, but I suspect a .NET client using Sustainsys2 doesn't.

Anyhow, I would appreciate any guidance on how to produce a Response that has no  characters (or CRLFs) in the SignatureValue, or one that has been canonicalized to exclude any superfluous whitespace altogether.



PS  I have been led to use by the below: <> <>
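
An added example, not part of the original thread and not OpenSAML or Sustainsys code: a Python check for the interoperability question above, showing that an `&#13;` reference in a SignatureValue parses to a literal CR and that a whitespace-tolerant base64 decode still yields the same bytes, while a decoder that tolerates no whitespace rejects the value. The sample document, the 76-column wrapping and all function names are constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: 96 placeholder bytes stand in for a real signature.
RAW = bytes(range(96))
B64 = base64.b64encode(RAW).decode("ascii")
# Assumed serializer behaviour: wrap at 76 columns with CR LF, CR escaped as &#13;.
WRAPPED = "&#13;\n".join(B64[i:i + 76] for i in range(0, len(B64), 76))
SAMPLE = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignatureValue>'
          f'{WRAPPED}</ds:SignatureValue></ds:Signature>')

XML_WS = {"\r": "CR", "\n": "LF", "\t": "TAB", " ": "SP"}


def signature_values(xml_text):
    """Return the parsed text of every ds:SignatureValue in the document."""
    root = ET.fromstring(xml_text)
    return [el.text or "" for el in root.iter(f"{{{DS}}}SignatureValue")]


def whitespace_report(text):
    """Count each kind of XML whitespace present after parsing."""
    return {name: text.count(ch) for ch, name in XML_WS.items() if ch in text}


def decode_lenient(text):
    """Strip XML whitespace, then decode; any other stray character is an error."""
    compact = text.translate({ord(ch): None for ch in XML_WS})
    return base64.b64decode(compact, validate=True)


def strict_accepts(text):
    """Model a consumer whose base64 decoder tolerates no whitespace at all."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except binascii.Error:
        return False


if __name__ == "__main__":
    for value in signature_values(SAMPLE):
        print(whitespace_report(value), decode_lenient(value) == RAW,
              strict_accepts(value))
```

Running `whitespace_report` over a captured Response shows which whitespace characters the consuming side actually receives after XML parsing.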

