Forum Discussion
F5 SAML Authentication
One month ago, we opened a case with F5 about SAML Authentication, and we haven't got a proper answer yet. Disappointing...
While still waiting for their answer, I hope I can reach someone here who really understands the issue.
Many thanks,
This is the question we asked the F5 support team:
We are testing SAML authentication (BIG-IP as SP) on VE (BIGIP-11.3.0.2806.0-scsi.ova). The authentication failed, and we saw this log in Access Policy -> Reports: "SAML Agent: /Common/bletchley_act_saml_auth_ag failed to process signed assertion, error: Digest of SignedInfo mismatch."
We are bemused by this error message, as we use the OpenSAML Java library to generate the SAML response (sign the XML). Our IdP works very well with Google and Juniper etc. We double-checked the response (you can see it in the attachment, samlres02.txt) and decoded it into saml02.xml with (https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php). This XML file (with enveloped signature) passed the test under the Firefox XML Digital Signature Tool. We also checked it with the Java XML Digital Signature API (Validate.java), and it also passed. If it is not a known issue on VE BIGIP-11.3.0.2806.0, can you please ask your technical team to have a look?
19 Replies
- Kevin_Stewart
Employee
Mike,
SAML support is brand new in 11.3, so doubtful that most (including myself) have tested every possible third-party integration. The error would seem to indicate that the SP didn't like the signature, so two things:
1. Can you attach the samlres02.txt document you referred to, and
2. What signature algorithm did you use?
- Mike_125354
Nimbostratus
Thanks Kevin,
I tried to upload a zip file, but unfortunately this site does not allow zip or xml files, or even Java source code.
Here is the txt file.
You can decode it to get the XML content, and in the XML you can see the algorithms:
DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
- Mike_125354
Nimbostratus
Hi, Kevin,
I uploaded the zip file(which includes Validate.Java) to my Google Drive, you can download it from
https://docs.google.com/file/d/0B-RceMGOJfLUNldRODN2aV80Rnc/edit?usp=sharing
- Mike_125354
Nimbostratus
Hi, Kevin,
Are you an F5 insider, or can you easily approach F5 insiders? If yes, please ask them to take a look at my analysis at
http://nano-art.blogspot.co.uk/2013/05/saml-authentication-on-f5-big-ip-part-3.html
I believe Apache Santuario is doing right, F5 is doing wrong on XML canonicalization.
Many thanks.
- hoolio
Cirrostratus
Hi Mike,
Can you post your case number or email me (aaron at f5 dot com). No promises, but I'll try to make sure Support properly considers the issue.
Thanks, Aaron
- jussihar_118259
Nimbostratus
Hello
Any updates on this?
Jussi
- Brad_146558
Nimbostratus
Are you experiencing a similar issue?
- jussihar_118259
Nimbostratus
Yes. The IdP is external and I don't have access to it; the IdP admin says all is good there according to the logs. The F5 APM logs say:
modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionDigest()" line: 3625 Msg: Assertion Content without Signature
modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 4037 Msg: ERROR: verifying the digest of SAML Response failed to process signed assertion, error: Digest of SignedInfo mismatch

Using version 11.3? I really would try a new version; like Aaron mentioned, 11.3 was the first with SAML support and many issues have been solved since.
- Mike_62005
Nimbostratus
I had a battle with the F5 support team. If you are interested in it, you can read my blog
http://nano-art.blogspot.co.uk/2013/05/saml-authentication-on-f5-big-ip-part-1.html
(1-4)
After deep digging, I finally figured out the root cause myself: the IdP returned a SAML response where the signature was on the Response part, but F5 expected a response where the signature is on the Assertion part (WantAssertionsSigned="true").
The F5 error message "Digest of SignedInfo mismatch" was not very helpful in my case. Once I had an insight into SAML (actually the hardest part is the XML signature), I told myself what a joke it was, as we can easily tell whether the signature is on the Response part or the Assertion part from the Reference URI in the SAML response content.
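The check Mike describes, reading the ds:Reference URI to see whether the Response or the Assertion is the signed element, can be done mechanically before a support case is opened. The script below is an added example written for this thread; it is not code from the thread, from Mike's blog, or from F5. It parses a SAML 2.0 Response, locates every ds:Signature, resolves each Reference URI to the element whose ID attribute it names, and compares the result with what the SP is configured to require (a hypothetical want_assertions_signed flag standing in for the SP's WantAssertionsSigned setting). The two Response documents are constructed for the example, with hypothetical example.com hostnames and placeholder DigestValue/SignatureValue, so the script inspects structure only and does not verify the signature cryptographically. It also flags the SHA-1 identifiers that appear in this thread, since modern SPs expect the SHA-256 variants.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
DS_SIGNATURE = "{%s}Signature" % NS["ds"]


def _signature_xml(reference_uri):
    # Enveloped XML-DSig fragment shaped like an IdP's output; the digest and
    # signature values are placeholders (constructed sample, structure only).
    return f"""<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="{reference_uri}">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
</ds:Signature>"""


def _response_xml(sign_response, sign_assertion):
    # Constructed SAML 2.0 Response; idp/sp.example.com are hypothetical hosts.
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2013-05-01T00:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  {_signature_xml('#_resp1') if sign_response else ''}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2013-05-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    {_signature_xml('#_assn1') if sign_assertion else ''}
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


RESPONSE_SIGNED = _response_xml(sign_response=True, sign_assertion=False)   # the shape Mike's IdP sent
ASSERTION_SIGNED = _response_xml(sign_response=False, sign_assertion=True)  # the shape the SP required


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def signed_elements(xml_text):
    """One record per ds:Reference: where the Signature sits, which element its
    URI resolves to (via the SAML ID attribute) and which algorithms it names."""
    root = ET.fromstring(xml_text)
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    parent = {child: p for p in root.iter() for child in p}
    report = []
    for sig in root.iter(DS_SIGNATURE):
        sig_method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            if uri == "":
                target = root                # empty URI covers the whole document
            elif uri.startswith("#"):
                target = by_id.get(uri[1:])  # same-document reference by ID
            else:
                target = None                # external URIs are not acceptable in SAML
            digest = ref.find("ds:DigestMethod", NS)
            report.append({
                "signature_parent": _local(parent[sig].tag),
                "reference_uri": uri,
                "signed_element": _local(target.tag) if target is not None else None,
                "digest_method": digest.get("Algorithm") if digest is not None else None,
                "signature_method": sig_method.get("Algorithm") if sig_method is not None else None,
            })
    return report


def check_against_sp(report, want_assertions_signed=True, want_response_signed=False):
    """Compare what is actually signed with what the SP insists on."""
    problems = []
    covered = {r["signed_element"] for r in report}
    if not report:
        problems.append("no ds:Signature element found")
    if want_assertions_signed and "Assertion" not in covered:
        problems.append("SP has WantAssertionsSigned=true but no Reference covers an Assertion")
    if want_response_signed and "Response" not in covered:
        problems.append("SP requires a signed Response but no Reference covers the Response")
    for r in report:
        if r["signed_element"] is None:
            problems.append(f"Reference URI {r['reference_uri']!r} resolves to no element with that ID")
        elif r["signed_element"] != r["signature_parent"]:
            problems.append(f"Signature sits inside {r['signature_parent']} but covers {r['signed_element']}")
        for alg in (r["digest_method"], r["signature_method"]):
            if alg and alg.rsplit("#", 1)[-1] in ("sha1", "rsa-sha1"):
                problems.append(f"{alg} uses SHA-1; prefer the SHA-256 identifiers")
    return problems


if __name__ == "__main__":
    for label, doc in (("signature on Response", RESPONSE_SIGNED), ("signature on Assertion", ASSERTION_SIGNED)):
        rep = signed_elements(doc)
        print(label, "->", [(r["signature_parent"], r["reference_uri"]) for r in rep], check_against_sp(rep))
```

Run against a real Response, paste the base64-decoded XML into signed_elements(); a Reference URI pointing at the Response ID with WantAssertionsSigned set on the SP reproduces the mismatch described in this thread without touching the signature bytes at all.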
- Filip_Verlaeckt
Historic F5 Account
So what exactly did you change in the configuration to make this work, then?
- Julio_Navarro
Cirrostratus
Hello Mike! How were you able to fix this? Thank you, J

From what I read in the blog, the issue is with which part of the SAML response is signed: the full Response or just the Assertion. What is signed in your case, Navarro?