Forum Discussion
jamed_40076
Nimbostratus
NimbostratusSP SAML authentication fails after token signing cert update
We're using ADFS 3.0 as our IDP, and a virtual F5 (BIG-IP 11.6.0 Build 0.0.401 Final) as the SP. Our config worked for the past year, but we needed to renew our token signing certificate. We generated a new token signing certificate in ADFS, and replaced the old cert on the F5 with the new one (under File Management -> SSL Certificate List). Now, when we try to sign in, we get the following error:
err apd[11996]: 01490204:3: fb7b14fa: SAML Agent: /Common/XXXXX_act_saml_auth_ag failed to process signed assertion, error: Init RSA cipher from IdP cert file
The new cert and the old cert are the same algorithm and everything, biggest difference is the new cert won't expire for over 4 years. We already implemented this cert on other SPs and it worked fine everywhere else.
Any idea what the Init RSA cipher from IdP cert file means? Is there anywhere else I need to update the certificate?
Thanks!
Not sure what exactly is happening, but you are running a pretty old version of the BIG-IP. I would recommend two things:
- Export metadata from ADFS and import them to BIg-IP anew, and essentially create new IDP connector and bind it to SP config.
- Upgrade to 11.6.1 if 1 does not succeed in moving you forward past this.
- If both 1 and 2 fail to solve it, open a ticket with support to investigate further.
Michael_Koyfma1Cirrus
Not sure what exactly is happening, but you are running a pretty old version of the BIG-IP. I would recommend two things:
- Export metadata from ADFS and import them to BIg-IP anew, and essentially create new IDP connector and bind it to SP config.
- Upgrade to 11.6.1 if 1 does not succeed in moving you forward past this.
- If both 1 and 2 fail to solve it, open a ticket with support to investigate further.
jamed_40076I just tried 1 with the same result. I'll have to schedule something to try 2. Thanks, I'll update the thread once we upgrade.
Michael_KoyfmanCirrocumulus
Not sure what exactly is happening, but you are running a pretty old version of the BIG-IP. I would recommend two things:
- Export metadata from ADFS and import them to BIg-IP anew, and essentially create new IDP connector and bind it to SP config.
- Upgrade to 11.6.1 if 1 does not succeed in moving you forward past this.
- If both 1 and 2 fail to solve it, open a ticket with support to investigate further.
- jamed_40076I just tried 1 with the same result. I'll have to schedule something to try 2. Thanks, I'll update the thread once we upgrade.
Mike_99062FYI, We ran into the same issue, with a similar setup running on 11.6.1 base. The IdP XML file we received didn't assign the IdP's Assertion Verification Certificate in Security Settings/Certificate Settings to the provided Certificate from the XML file. Once the External IdP Connector configuration was updated, SAML SP Auth was successful. Hope this helps someone.