Forum Discussion
APM - Okta Encrypted Assertion
Good day,
We have recently started to use APM as SP for some of our sites and Okta as idP. We followed this guide Okta Integration Guide for Web Access Management with F5 BIG-IP as a basis when doing the setups. We had them working as expected but now our Okta team has requested to enable encrypted assertion.
We have been unable to get it to work. WE have tired different self-signed certs and CA certs. Along with changing the different encryption options in Okta (Encryption Algorithm, Key Transport Algorithm). In the session log we see "SAML Agent: failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found" regardless of what we try.
I have not found much details/info on enabling encrypted assertion so any guides, documents, or links would be appreciated. I have opened a support case to get assistance also.
Thank you
- NicotrelNimbostratus
From support case with F5: "BIG-IP as SP does not support RetrievalMethod for decrypting encrypted assertions from IdPs.
We have the following Request for Feature Enhancement: ID 485387, "[RFE] BIG-IP does not support RetrievalMethod Element while processing encrypted assertion."
Work around: To work around the problem, you can reconfigure the IdP to use embedded EncryptedKey instead of using RetrievalMethod."
I am working with our team that works manages Okta to see if this change can be done.
Jason
- svsCirrostratus
Hi,
did you have any luck with changing the behavior of Okta? For 15.1.x it seems that the issue is still not resolved and while reconfiguring the Okta IdP there is only the Key Transport Algorithm, which doesn't change anything.
The issue is tracked under ID 485387 (https://techdocs.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-5-0.html#rn_ki_apm_1150), which is not listed in the Bug Tracker.
From my understanding it seems to be not possible to encrypt the assertion between F5 BIG-IP and Okta. Or is my understanding wrong?
Regards
- NicotrelNimbostratus
After discussing with our security team, they agreed that we could go with non-encrypted for the assertion. We are only on 13.1 so we have not done anymore research testing with this.
Jason
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com