Forum Discussion

Chris_Guthrie
Feb 17, 2017

SAML Authentication

We've been using SAML authentication against our Azure-hosted ADFS/domain. This has worked fine, but recently we have been seeing an issue where we get the following error.

SAML Agent: /Common/aprof_VERINTCONNECT_USERS_act_saml_auth_ag failed to process signed assertion, error: RSA decrypt

In the past we were able to work around the problem by downloading a new version of the federation XML, importing it into the F5 and binding it to the AAA SAML server; then things worked. But as of today this workaround has stopped working and we are unsure why.

F5 Version: BIG-IP 12.1.0 Build 1.22.1447 Engineering Hotfix HF1

Chris

2 Replies

  • Maybe this helps:

    Source: https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-hotfix-bigip-12-0-0.htmlA534555-1

    534555-1 : BIG-IP APM SAML and RSA v1.5 encryption key transport algorithm Component: Access Policy Manager

    Symptoms: The BIG-IP APM SAML implementation by default does not support the deprecated RSA v1.5 key transport algorithm. F5 recommends against using this protocol, unless SAML interoperability is required for legacy 3rd party applications. Instead, RSA-OAEP should be used for key transport.

    Symptoms differ based on BIG-IP APM usage: 1. When BIG-IP is used as SP, encrypted assertions with key transport algorithm 'RSA v1.5' will be rejected.

    2. When BIG-IP is used as IdP, encrypted assertions will always use RSA-OAEP as key transport algorithm.

    Conditions: For BIG-IP as IdP: - External SP requires use of RSA 1.5 as key transport algorithm for encrypted assertion or encrypted elements within assertion.

    For BIG-IP as SP: - External IdP generates assertion or encrypted elements within assertion using RSA 1.5 as key transport algorithm.

    Impact: SAML interoperability will fail with peers attempting to use RSA v1.5 key transport algorithm.

    Workaround: For BIG-IP used as SP - configure external IdP to use RSA-OAEP as encryption key transport algorithm.

    There is no workaround for BIG-IP as IdP to generate encrypted assertion using RSA v1.5 as key transport algorithm.

    Fix: Due to customer demand, starting with BIG-IP v12.1.0, the RSA v1.5 algorithm can be enabled on BIG-IP as IdP manually from the TMSH console, using this command:

    modify apm sso saml  key-transport-algorithm rsa-v1.5
    

    NOTE: Be sure to save the configuration after changes are made via TMSH.

    Starting with BIG-IP v12.1.0, support for RSA v1.5 on BIG-IP as SP is enabled by default with no required configuration.

  • We are using F5 system software running on BIG-IP v12.1.2, which is much newer than the one you mentioned here.

    Still we are getting "SAML Agent: /Common/aprof_VERINTCONNECT_USERS_act_saml_auth_ag failed to process signed assertion, error: RSA decrypt"

    Any other discrepancy?
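For anyone landing on this thread: the release note quoted above only applies if the IdP is actually using RSA v1.5 key transport for the EncryptedKey, which you can confirm from the assertion itself rather than guess. The script below is an added example, not code from the original posts, from F5 or from Microsoft. It takes either a bare saml2:EncryptedAssertion or the whole samlp:Response (decoded from the base64 SAMLResponse POST parameter the browser sends to the BIG-IP ACS), reports the key-transport algorithm URI in each xenc:EncryptedKey, the data-encryption algorithm, and the SHA-1 fingerprint of the certificate the IdP encrypted the session key to. The element names and algorithm URIs are those defined by SAML 2.0 and W3C XML Encryption; the sample assertions, the certificate bytes and the CipherValue contents are constructed placeholders, not real ADFS output.

```python
"""Check which key-transport algorithm an IdP used for a SAML 2.0 EncryptedAssertion."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces from the SAML 2.0, XML Encryption and XML Signature specifications.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Key-transport algorithm URIs defined by XML Encryption 1.0 and 1.1.
RSA_V15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
RSA_OAEP_11 = "http://www.w3.org/2009/xmlenc11#rsa-oaep"
OAEP_ALGORITHMS = {RSA_OAEP_MGF1P, RSA_OAEP_11}


def decode_saml_response(form_value):
    """Turn the base64 'SAMLResponse' POST parameter into the XML text of samlp:Response."""
    return base64.b64decode(form_value).decode("utf-8")


def cert_fingerprint_sha1(b64_cert):
    """SHA-1 fingerprint (hex) of a base64-encoded DER certificate, as shown in cert UIs."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha1(der).hexdigest()


def inspect_encrypted_assertion(xml_text):
    """Return one dict per xenc:EncryptedKey in the first EncryptedAssertion found.

    Accepts either a bare saml2:EncryptedAssertion or a whole samlp:Response.
    """
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}EncryptedAssertion" % NS["saml2"]:
        enc_assertion = root
    else:
        enc_assertion = root.find(".//saml2:EncryptedAssertion", NS)
    if enc_assertion is None:
        raise ValueError("no saml2:EncryptedAssertion found; the assertion is not encrypted")

    # ADFS nests EncryptedKey inside EncryptedData/ds:KeyInfo; other IdPs emit it as a
    # sibling of EncryptedData. Searching the whole subtree covers both layouts.
    encrypted_keys = enc_assertion.findall(".//xenc:EncryptedKey", NS)
    if not encrypted_keys:
        raise ValueError("EncryptedAssertion carries no xenc:EncryptedKey")

    data_method = enc_assertion.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
    data_alg = data_method.get("Algorithm") if data_method is not None else None

    report = []
    for ek in encrypted_keys:
        method = ek.find("xenc:EncryptionMethod", NS)
        key_alg = method.get("Algorithm") if method is not None else None
        if key_alg == RSA_V15:
            verdict = "rsa-v1.5"
        elif key_alg in OAEP_ALGORITHMS:
            verdict = "rsa-oaep"
        else:
            verdict = "unknown"
        # Certificate the IdP encrypted the session key to. If it does not match the
        # SP's decryption certificate, RSA decryption fails whatever the algorithm.
        cert = ek.find(".//ds:X509Certificate", NS)
        fp = cert_fingerprint_sha1(cert.text) if cert is not None and cert.text else None
        report.append({
            "key_transport": key_alg,
            "verdict": verdict,
            "data_encryption": data_alg,
            "cert_sha1": fp,
        })
    return report


# Constructed sample data: placeholder bytes stand in for a real certificate and ciphertext.
FAKE_CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()


def sample_encrypted_assertion(key_transport_alg):
    """Build a minimal EncryptedAssertion in the layout ADFS uses (constructed test data)."""
    return """<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <ds:KeyInfo>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="%s"/>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml2:EncryptedAssertion>""" % (key_transport_alg, FAKE_CERT_B64)


SAMPLE_RSA15 = sample_encrypted_assertion(RSA_V15)
SAMPLE_OAEP = sample_encrypted_assertion(RSA_OAEP_MGF1P)

if __name__ == "__main__":
    for label, xml_text in (("rsa-1_5 sample", SAMPLE_RSA15), ("rsa-oaep sample", SAMPLE_OAEP)):
        for entry in inspect_encrypted_assertion(xml_text):
            print(label, entry)
```

If the report shows rsa-1_5, the RSA v1.5 behaviour in the quoted release note is the thing to chase (switch the IdP to RSA-OAEP, or rely on the 12.1.0+ SP-side support). If it already shows rsa-oaep-mgf1p, the "RSA decrypt" failure is not that issue; the next thing to compare is the cert_sha1 value against the decryption certificate configured on the BIG-IP SAML SP service, which fits with re-importing the IdP metadata having cleared the error before.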