For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mike_125354's avatar
Mike_125354
Icon for Nimbostratus rankNimbostratus
May 16, 2013

F5 SAML Authentication

One month ago, we opened a case to F5 about SAML Authentication, haven't got the prober answer yet. Disappointing...   While still waiting for their answer, I wish here I can reach someone who...
security
Mike_62005's avatar
Mike_62005
Icon for Nimbostratus rankNimbostratus
May 12, 2014

I had a battle with F5 support team. If you are interested in it, you can read my blog

 

http://nano-art.blogspot.co.uk/2013/05/saml-authentication-on-f5-big-ip-part-1.html

 

(1-4)

 

After a deep digging, I myself finally figured out the root cause, IDP returned a SAML response which the signature was on response part, but F5 expected a response which signature is on assertion part (WantAssertionsSigned="true").

 

F5 error message "Digest of SignedInfo mismatch" was not very helpful in my case. Once I had a insight on SAML (actually the hardest part is XML signature), I told myself what joke it was, as we can easily tell the signature is on response part or assertion part from Reference URI in SAML response content.

 

  • Filip_Verlaeckt's avatar
    Filip_Verlaeckt
    Historic F5 Account
    Jul 25, 2014
    So what exactly did you change to the configuration to make this work then?
  • Julio_Navarro's avatar
    Julio_Navarro
    Icon for Cirrostratus rankCirrostratus
    Mar 23, 2015
    Hello Mike! How you were able to fix this? Thank you J
  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Apr 05, 2015
    from what I read from the blog the issue is with what part of the SAML response is signed. the full response or just the assertion. what is signed in your case Navarro?