Forum Discussion
CX_280703
Nimbostratus
NimbostratusError Encrypting a SAML Assertion from APM
Running F5 APM as an idP I am trying to encrypt a SAML Assertion using a third party certificate however I get an error in the APM logs along the lines of the following:
SSOv2 SAML configuration: SAML_RES=/Common/mySAML&SAML_RES_LIST=/Common/mySAML&SAML_SSO=
SSOv2 SAML Resource from configuration: /Common/mySAML
SSOv2 Using SAML SP Connector /Common/mySAML from SAML SSO ?0?
SSOv2 Error creating EncryptedData element - cannot use SP certificate: /Common/TEST_Cert.crt
SSOv2 Error creating encrypted assertion -
SSOv2 Error(12) creating encrypted SAML assertion
SSOv2 plugin error(12) in sso/sso.c:428
SSOv2 SAML configuration: SAML_RES=/Common/mySAML&SAML_RES_LIST=/Common/mySAML&SAML_SSO=
SSOv2 SAML Resource from configuration: /Common/mySAML
SSOv2 Using SAML SP Connector /Common/mySAML from SAML SSO
SSOv2 Error creating EncryptedData element - cannot use SP certificate: /Common/TEST_Cert.crt
SSOv2 Error creating encrypted assertion -
SSOv2 Error(12) creating encrypted SAML assertion
SSOv2 Plugin error(12) in sso/sso.c:428
The certificate is a self signed certificate:
DSA
2048 bit
I have tried another RSA certificate and have no issues encrypting the Assertion, only issues from this one and the fact that its a DSA is the only thing I can see that is really different. Any thoughts on why this certificate would fail? or how to get more info?
Thanks
Certificates in question are used for a symmetric key transport when assertion (or parts of it) needs to be encrypted by APM as IdP.
According to SAML 2.0 specification, or more precisely xmlenc-core (https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/), there are only two algorithms that can be used for key transport:
Key Transport REQUIRED RSA-v1.5 http://www.w3.org/2001/04/xmlencrsa-1_5 REQUIRED RSA-OAEP http://www.w3.org/2001/04/xmlencrsa-oaep-mgf1p
With later RSA-OAEP algorithm not recommended to be used due to potential security implications!
Therefore, according to SAML specification, DSA certificates are not allowed to be used for encryption.
Sergei_MiadzvezAltocumulus
Certificates in question are used for a symmetric key transport when assertion (or parts of it) needs to be encrypted by APM as IdP.
According to SAML 2.0 specification, or more precisely xmlenc-core (https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/), there are only two algorithms that can be used for key transport:
Key Transport REQUIRED RSA-v1.5 http://www.w3.org/2001/04/xmlencrsa-1_5 REQUIRED RSA-OAEP http://www.w3.org/2001/04/xmlencrsa-oaep-mgf1p
With later RSA-OAEP algorithm not recommended to be used due to potential security implications!
Therefore, according to SAML specification, DSA certificates are not allowed to be used for encryption.
CX_280703Perfect thanks Sergei! This is along the lines of what I was thinking must be hapening. I will change them to RSA.