Forum Discussion

Nimbostratus

Dec 03, 2021

SAML assertion is invalid

Hello, I try to configure saml with Keycloak and APM. I am correctly redirected to the login page of Keycloak but when I'm come back to F5 my session is deny. When I check on logs...

application delivery

BIG-IP Access Policy Manager (APM)

saml

AlexBCT

Cumulonimbus

Dec 09, 2021

Hi Anthony,

Have you got SAML tracer available by any chance? (https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en - also available for Firefox)

That should give you insight in what the exact message is that you're getting back from Keycloak. Have a look specifically at the "InResponseTo=" field in the response and compare it with the "ID=" field in the original request from the F5 to Keycloak.

There may be some more useful information here; https://support.f5.com/csp/article/K05876945

Hope this helps.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

SAML assertion is invalid

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Problems connecting to vpn after upgrading to ubuntu 24.04

How can I run the ‘Network Map’ feature from the CLI or how can I view this information?

SSLO Policy Condition - Server Certificate (Issuer DN)

f5 client certificate forwarding

How to configure pool to go down if multiple members are down

Related Content

AD attributes in SAML assertion

SAML F5 SP - Microsoft Entra

Sharing User Credentials Between SAML IDP and SP Policies in F5 APM

Access Logs - Invalid Tenant

Error Encrypting a SAML Assertion from APM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS