APM - Okta Encrypted Assertion
From support case with F5: "BIG-IP as SP does not support RetrievalMethod for decrypting encrypted assertions from IdPs.
We have the following Request for Feature Enhancement: ID 485387, "[RFE] BIG-IP does not support RetrievalMethod Element while processing encrypted assertion."
Work around: To work around the problem, you can reconfigure the IdP to use embedded EncryptedKey instead of using RetrievalMethod."
I am working with our team that manages Okta to see if this change can be done.
Jason
Hi,
Did you have any luck with changing the behavior of Okta? For 15.1.x it seems that the issue is still not resolved, and while reconfiguring the Okta IdP there is only the Key Transport Algorithm, which doesn't change anything.
The issue is tracked under ID 485387 (https://techdocs.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-5-0.html#rn_ki_apm_1150), which is not listed in the Bug Tracker.
From my understanding it seems to be not possible to encrypt the assertion between F5 BIG-IP and Okta. Or is my understanding wrong?
Regards
- Nicotrel, Apr 02, 2020, Nimbostratus
After discussing with our security team, they agreed that we could go with non-encrypted for the assertion. We are only on 13.1, so we have not done any more research or testing with this.
Jason
- svs, Apr 02, 2020, Cirrostratus
Thanks for your reply. That confirms that Okta doesn't provide a workaround for that. I wonder if there are limitations with other IdPs as well. This one was really surprising for me.
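The two key layouts named in the support case can be told apart by inspecting a captured SAMLResponse; the following is an added example, not part of the original posts or F5's or Okta's code, that classifies each EncryptedAssertion as carrying an embedded EncryptedKey or a RetrievalMethod reference. The function and sample names are hypothetical and the sample responses are constructed with placeholder cipher values.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def key_placement(saml_response_b64):
    """Return one label per EncryptedAssertion describing where its key lives."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    # SAML messages never need a DTD; refuse one before parsing untrusted XML.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD in SAML message, refusing to parse")
    results = []
    for ea in ET.fromstring(xml_text).iter("{%s}EncryptedAssertion" % NS["saml"]):
        key_info = ea.find("xenc:EncryptedData/ds:KeyInfo", NS)
        retrieval = None if key_info is None else key_info.find("ds:RetrievalMethod", NS)
        if key_info is None:
            results.append("no-keyinfo")
        elif key_info.find("xenc:EncryptedKey", NS) is not None:
            results.append("embedded")  # layout the support case recommends
        elif retrieval is not None:
            # The key sits beside EncryptedData and is referenced by Id.
            ref = retrieval.get("URI", "").lstrip("#")
            ids = {k.get("Id") for k in ea.findall("xenc:EncryptedKey", NS)}
            results.append("retrieval-method" if ref in ids
                           else "retrieval-method-unresolved")
        else:
            results.append("other")
    return results

# Constructed sample messages (placeholder cipher values, not real traffic).
_WRAP = ('<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" '
         'xmlns:xenc="{xenc}" xmlns:ds="{ds}"><saml:EncryptedAssertion>{body}'
         '</saml:EncryptedAssertion></samlp:Response>')
_KEY = ('<xenc:EncryptedKey Id="k1"><xenc:CipherData><xenc:CipherValue>AAAA'
        '</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>')
_DATA = ('<xenc:EncryptedData><ds:KeyInfo>{ki}</ds:KeyInfo><xenc:CipherData>'
         '<xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>'
         '</xenc:EncryptedData>')
_REF = ('<ds:RetrievalMethod URI="#k1" '
        'Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>')

def sample(body):
    return base64.b64encode(_WRAP.format(body=body, **NS).encode("utf-8"))

EMBEDDED = sample(_DATA.format(ki=_KEY))
REFERENCED = sample(_DATA.format(ki=_REF) + _KEY)

if __name__ == "__main__":
    print(key_placement(EMBEDDED), key_placement(REFERENCED))
```

A result of `retrieval-method` on a response captured from the IdP corresponds to the layout the support case says BIG-IP as SP does not process.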