Forum Discussion

southern_shredd
May 30, 2022

Encryption error - SAML assertion: response is not encrypted

We are trying to configure our APM with Azure SAML authentication. After logging on successfully we get an error, and the logs show the following:

modules/Authentication/Saml/SamlSPAgent.cpp: 'verifyAssertionSignature()': 5374: Verification of SAML signature #2 succeeded
SAML2Websak_act_saml_auth_ag failed to parse assertion, error: Response is not encrypted
a6559abf: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'

As a result, the login is denied.

Is this related to the certificate or RSA encryption? We have tried various options, but it comes back to the same error.

3 Replies

  • Hi, 

    From the log messages, I assume you have configured the F5 as the SAML SP? 

    If so, can you have a look under the SAML SP Service configuration (Access ›› Federation : SAML Service Provider : Local SP Services), under the Security Settings tab and see if the flag "Want Encrypted Assertion" is checked? If so, uncheck it. 

    SAML encryption is a way of ensuring that the client cannot read the SAML request, but it has no real impact on the integrity of the message; that is what "Want Signed Assertion" is for. "Want Signed Assertion" should always be checked; "Want Encrypted Assertion" is an optional extra and is often (and by default) unchecked.

    Hope this helps.
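To make the mismatch described in the reply concrete, here is an added Python model of the SP-side decision (example code written for this page, not code from the thread, from F5 APM, or from Azure AD). It only checks whether a `saml:Assertion` carries a `ds:Signature` block or has been replaced by a `saml:EncryptedAssertion`; it performs no XML-DSig verification or decryption. The three SAML responses and the `example.invalid` issuer are constructed samples, and the function names `inspect_response` / `evaluate_sp_policy` are this example's own.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 / XML-DSig / XML-Enc namespaces used by the constructed samples below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def _response(body):
    """Wrap a constructed body in a minimal samlp:Response envelope (sample data)."""
    return (
        '<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" '
        'xmlns:ds="{ds}" xmlns:xenc="{xenc}" ID="_resp" Version="2.0">'
        "<saml:Issuer>https://idp.example.invalid/</saml:Issuer>"
        "{body}</samlp:Response>"
    ).format(body=body, **NS)


# Constructed sample: plaintext assertion carrying a signature block, which is
# the shape an IdP produces when it signs but does not encrypt the assertion.
PLAIN_SIGNED = _response(
    '<saml:Assertion ID="_a1" Version="2.0">'
    "<saml:Issuer>https://idp.example.invalid/</saml:Issuer>"
    "<ds:Signature><ds:SignedInfo/>"
    "<ds:SignatureValue>PLACEHOLDER-NOT-A-REAL-SIGNATURE</ds:SignatureValue>"
    "</ds:Signature>"
    "<saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)

# Constructed sample: plaintext assertion with no signature at all.
PLAIN_UNSIGNED = _response(
    '<saml:Assertion ID="_a2" Version="2.0">'
    "<saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)

# Constructed sample: the assertion has been replaced by an EncryptedAssertion.
ENCRYPTED = _response(
    "<saml:EncryptedAssertion>"
    '<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">'
    "<xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue>"
    "</xenc:CipherData></xenc:EncryptedData>"
    "</saml:EncryptedAssertion>"
)


def inspect_response(xml_text):
    """Report which protections the response visibly carries (presence only)."""
    root = ET.fromstring(xml_text)
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    assertion = root.find("saml:Assertion", NS)
    signed = assertion is not None and assertion.find("ds:Signature", NS) is not None
    return {"encrypted": encrypted, "assertion_signed": signed}


def evaluate_sp_policy(xml_text, want_signed=True, want_encrypted=False):
    """Model of the SP decision for the two flags discussed in the thread.

    Returns (accepted, reason). With want_encrypted=True and a plaintext
    assertion the SP refuses before ever looking at the signature, which is
    the "Response is not encrypted" outcome the question reports.
    """
    info = inspect_response(xml_text)
    if want_encrypted and not info["encrypted"]:
        return False, "Response is not encrypted"
    if info["encrypted"]:
        # A signature inside the ciphertext can only be checked after decryption,
        # which this example does not perform.
        return True, "encrypted; signature checked after decryption"
    if want_signed and not info["assertion_signed"]:
        return False, "Assertion is not signed"
    return True, "ok"


if __name__ == "__main__":
    for name, doc in [("signed", PLAIN_SIGNED), ("unsigned", PLAIN_UNSIGNED), ("encrypted", ENCRYPTED)]:
        print(name, "default flags:", evaluate_sp_policy(doc))
        print(name, "want_encrypted:", evaluate_sp_policy(doc, want_encrypted=True))
```

Run with the defaults the reply recommends ("Want Signed Assertion" on, "Want Encrypted Assertion" off), the signed plaintext response is accepted and the unsigned one is rejected; flip `want_encrypted` to `True` against the same signed response and the result is the thread's "Response is not encrypted" refusal, even though the signature is present. That is the point of the reply: encryption and signing are independent controls, and the SP flag must match what the IdP actually sends.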