APM - Okta Encrypted Assertion

Question

Good day,&nbsp;
We have recently started to use APM as SP for some of our sites and Okta as idP. We followed this guide Okta Integration Guide for Web Access Management with F5 BIG-IP as a basis when doing the setups. We had them working as expected but now our Okta team has requested to enable encrypted assertion.&nbsp;
We have been unable to get it to work. WE have tired different self-signed certs and CA certs. Along with changing the different encryption options in Okta (Encryption Algorithm, Key Transport Algorithm). In the session log we see "SAML Agent:  failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found" regardless of what we try.&nbsp;
&nbsp;I have not found much details/info on enabling encrypted assertion so any guides, documents, or links would be appreciated. I have opened a support case to get assistance also.&nbsp;
Thank you&nbsp;

nicotrel · Answer

From support case with F5:
"BIG-IP as SP does not support RetrievalMethod for decrypting encrypted assertions from IdPs.&nbsp;
We have the following Request for Feature Enhancement: ID 485387, "[RFE] BIG-IP does not support RetrievalMethod Element while processing encrypted assertion."&nbsp;
Work around:
To work around the problem, you can reconfigure the IdP to use embedded EncryptedKey instead of using RetrievalMethod."&nbsp;
I am working with our team that works manages Okta to see if this change can be done.&nbsp;
Jason&nbsp;

svs · Answer

Hi,&nbsp;did you have any luck with changing the behavior of Okta? For 15.1.x it seems that the issue is still not resolved and while reconfiguring the Okta IdP there is only the Key Transport Algorithm, which doesn't change anything.&nbsp;The issue is tracked under ID 485387 (https://techdocs.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-5-0.html#rn_ki_apm_1150), which is not listed in the Bug Tracker.&nbsp;From my understanding it seems to be not possible to encrypt the assertion between F5 BIG-IP and Okta. Or is my understanding wrong?&nbsp;&nbsp;Regards

nicotrel · Answer

After discussing with our security team, they agreed that we could go with non-encrypted for the assertion. We are only on 13.1 so we have not done anymore research testing with this.&nbsp;Jason

svs · Answer

Thanks for your reply. That confirms, that Okta doesn't provide a workaround for that. I wonder if there are limitations with other IdPs as well. This one was really surprising for me.

Forum Discussion

APM - Okta Encrypted Assertion

Recent Discussions

MAC address of deleted VS IP address still responsive

Different common name ssl acces 403 forbiddent

dynamic signature detection

DNS HM Probe issue

F5 looses the token for the first call

Related Content

Decrypt, Encrypt, Decrypt, Encrypt, Encrypt....

Let's Encrypt

Load Balancing TCP TLS Encrypted Syslog Messages

Automate Let's Encrypt Certificates on BIG-IP

Encrypting Cookies

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS