Where I work we use SunGard Higher Education’s web portal, Luminis (Version 4, not platform 5). We also have Single Sign On (SSO) with Google Gmail set up using SAML. The SAML process is using code adopted and adapted from VCCC, which they graciously posted to www.lumdev.net (thanks guys!).
Recently, we applied patches that upgraded the Java environment on the Luminis server from 1.5 to 1.6. It promptly broke our SSO implementation. This is nothing new, as every time we touch Luminis it breaks something (usually SSO). However, this time it was a bit more difficult to figure out the fix than normal.
As it turns out, JDK 1.6 now natively includes the XML security library required to sign the SAML response for Google. Trouble is, they included an older version of the library that doesn’t work with SAML 2.0 (which Google requires). Oracle made note of it here: http://download.oracle.com/docs/cd/E19316-01/821-1818/gjwfc/index.html
To apply the fix specified in the post from Oracle, you might have to make sure that the JAVA_ENDORSED_DIRS parameter is explicitly set in your environment. In our Luminis 4 setup we had to add two lines to our .cprc (hidden) file:
JAVA_ENDORSED_DIRS=$JAVA_HOME/jre/lib/endorsed
and
export JAVA_ENDORSED_DIRS
Without these lines, the environment did not recognize the xmlsec.jar file we put there, and instead relied on the older built-in library version.
If this info helped you out, comment and let me know!
JaMmeR
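A quick way to confirm the override is actually in place before restarting the portal, as an added example that is not part of the original post. The function name check_endorsed and its exit codes are hypothetical, and it assumes JAVA_ENDORSED_DIRS holds a colon-separated directory list, as the java.endorsed.dirs property does on Unix:

```shell
#!/bin/sh
# Added example (not from the original post): verify that the endorsed
# directory override is set and holds the replacement XML security jars.
#
# check_endorsed DIRS JAR...
#   DIRS  value of JAVA_ENDORSED_DIRS (assumed colon-separated)
#   JAR   file names that must exist in one of those directories
# Returns 0 if every jar is found, 1 if DIRS is empty, 2 if a jar is missing.
check_endorsed() {
    dirs=$1
    shift
    if [ -z "$dirs" ]; then
        # Typical cause: the variable was never exported, or the assignment
        # was written with spaces around '=' and never took effect.
        echo "JAVA_ENDORSED_DIRS is empty: the JDK's built-in library will be used" >&2
        return 1
    fi
    missing=0
    for jar in "$@"; do
        found=""
        old_ifs=$IFS
        IFS=:
        for d in $dirs; do
            if [ -f "$d/$jar" ] && [ -r "$d/$jar" ]; then
                found="$d/$jar"
                break
            fi
        done
        IFS=$old_ifs
        if [ -n "$found" ]; then
            echo "ok: $found"
        else
            echo "missing: $jar not found in $dirs" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ] || return 2
    return 0
}
# Usage, from the account that starts Luminis:
#   check_endorsed "$JAVA_ENDORSED_DIRS" xmlsec.jar
```

Run it in a fresh login shell so that it reflects what .cprc really exports, not a value set by hand in the current session.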
I should add that in addition to the xmlsec.jar file the Oracle article tells you to put in the “endorsed” directory, you should also add the xmldsig.jar file too.
Thanks for this post. It definitely helped me out during our upgrade this past weekend. I reposted your article along with a link here on lumdev: http://www.lumdev.net/node/3218
Excellent! I’m so glad this helped you. And thank you for your original post in LumDev! We wouldn’t have SSO to Gmail if it weren’t for that!
Hours of wondering why SSO was broke and thankfully I came across your site. Thanks for the post!