Forum Discussion
CX_280703
Nimbostratus
NimbostratusError Encrypting a SAML Assertion from APM
Running F5 APM as an idP I am trying to encrypt a SAML Assertion using a third party certificate however I get an error in the APM logs along the lines of the following:
SSOv2 SAML config...
Certificates in question are used for a symmetric key transport when assertion (or parts of it) needs to be encrypted by APM as IdP.
According to SAML 2.0 specification, or more precisely xmlenc-core (https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/), there are only two algorithms that can be used for key transport:
Key Transport REQUIRED RSA-v1.5 http://www.w3.org/2001/04/xmlencrsa-1_5 REQUIRED RSA-OAEP http://www.w3.org/2001/04/xmlencrsa-oaep-mgf1p
With later RSA-OAEP algorithm not recommended to be used due to potential security implications!
Therefore, according to SAML specification, DSA certificates are not allowed to be used for encryption.
Sergei_Miadzvez
Altocumulus
AltocumulusCertificates in question are used for a symmetric key transport when assertion (or parts of it) needs to be encrypted by APM as IdP.
According to SAML 2.0 specification, or more precisely xmlenc-core (https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/), there are only two algorithms that can be used for key transport:
Key Transport REQUIRED RSA-v1.5 http://www.w3.org/2001/04/xmlencrsa-1_5 REQUIRED RSA-OAEP http://www.w3.org/2001/04/xmlencrsa-oaep-mgf1p
With later RSA-OAEP algorithm not recommended to be used due to potential security implications!
Therefore, according to SAML specification, DSA certificates are not allowed to be used for encryption.
CX_280703Nimbostratus
NimbostratusPerfect thanks Sergei! This is along the lines of what I was thinking must be hapening. I will change them to RSA.