SAML assertion is invalid

Question

Hello,&nbsp;I try to configure saml with Keycloak and APM. &nbsp;I am correctly redirected to the login page of Keycloak but when I'm come back to F5 my session is deny. &nbsp;When I check on logs I can see "SAML assertion is invalid, error: Id of InResponseTo should match id of authentication request". &nbsp;Someone have an idea of why I have this message ?&nbsp;Thanks in advance all ! &nbsp;

alexbct · Answer

Hi Anthony, &nbsp;Have you got SAML tracer available by any chance? (https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en - also available for Firefox) That should give you insight in what the exact message is that you're getting back from Keycloak. Have a look specifically at the "InResponseTo=" field in the response and compare it with the "ID=" field in the original request from the F5 to Keycloak. &nbsp;There may be some more useful information here; https://support.f5.com/csp/article/K05876945&nbsp;Hope this helps.

Forum Discussion

SAML assertion is invalid

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

AD attributes in SAML assertion

Access Logs - Invalid Tenant

Enable SAML Service Provider on F5 Distributed Cloud Application

Error Encrypting a SAML Assertion from APM

err tmm1[24399]: 011f0007:3: http_process_state_prepend - Invalid action:0x107041 clientside

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS