Forum Discussion

SteveD1979
May 23, 2023

Issue with SAML Auth access policy

Hey, I've set up the BIG-IP as a service provider with an external IDP. I keep getting a deny with `SAML Agent: /Common/authweb_dev_act_saml_auth_ag failed to parse assertion, error: $fmt`. If I go into the security settings for the SP config and uncheck want encrypted assertion and the IDP disables encryption, it works fine. It's a real basic setup; I just don't know what I'm doing wrong.

3 Replies

  • Maybe different certs are used, one for SAML signing and another for encryption; this is rare but possible.

  • Thanks, I'm using the same cert and key exported from the cert that is in the SSL profile tied to the VIP the access policy is tied to. I exported the metadata file with those settings and sent it to the IDP, and they sent me their metadata file, which I used to create the connector. This is the first time I've set this up so it's for me to know if it's my configuration or theirs. Now I'm also getting an issue where all of the attributes they send over in the XML file when it's unencrypted are showing up under one variable value instead of each individual one. Maybe there is an issue with 17.1?

    • Nikoolayy1

      Better open a support case if you think that there is an issue.

      17.1 is really new, so I wouldn't be using it unless there is a need for the JWT OAuth encrypted tokens that are supported by it.
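
The first reply's suggestion (separate certificates for signing and encryption) can be checked directly from the metadata file exchanged with the IdP. The following is an added example, not code from the thread or from F5: it fingerprints the certificates in each `KeyDescriptor` and compares the encryption one with the certificate the SP is expected to decrypt with. The function names, the `sp.example.test` entity ID and the sample certificate bytes are constructed for illustration.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def key_fingerprints(metadata_xml):
    """Map 'signing'/'encryption' to the SHA-256 fingerprints published for that use."""
    keys = {"signing": set(), "encryption": set()}
    # ElementTree is fine for a metadata file you trust; it is not hardened for untrusted XML.
    root = ET.fromstring(metadata_xml)
    for kd in root.iter("{%s}KeyDescriptor" % MD):
        use = kd.get("use")
        # A KeyDescriptor without a "use" attribute applies to both purposes.
        uses = [use] if use in keys else list(keys)
        for cert in kd.iter("{%s}X509Certificate" % DS):
            der = base64.b64decode("".join((cert.text or "").split()))
            for u in uses:
                keys[u].add(fingerprint(der))
    return keys

def check_encryption_key(metadata_xml, expected_fp):
    """expected_fp: fingerprint of the cert whose private key the SP holds (assumption)."""
    keys = key_fingerprints(metadata_xml)
    if not keys["encryption"]:
        return "no encryption key published"
    if expected_fp not in keys["encryption"]:
        return "encryption key differs from expected certificate"
    if keys["encryption"] != keys["signing"]:
        return "ok, but signing and encryption keys differ"
    return "ok"

def sample_metadata(descriptors):
    """Constructed SP metadata; descriptors is a list of (use or None, cert bytes)."""
    body = ""
    for use, der in descriptors:
        attr = ' use="%s"' % use if use else ""
        body += ('<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
                 '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
                 % (attr, base64.b64encode(der).decode()))
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://sp.example.test">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '%s</md:SPSSODescriptor></md:EntityDescriptor>' % (MD, DS, body))

if __name__ == "__main__":
    sign, enc = b"constructed signing cert", b"constructed encryption cert"
    meta = sample_metadata([("signing", sign), ("encryption", enc)])
    print(check_encryption_key(meta, fingerprint(sign)))
```

With a real file, pass the exported metadata text and the SHA-256 fingerprint of the DER-encoded certificate configured on the SP.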