Forum Discussion

jamed_40076
Jun 08, 2016

SP SAML authentication fails after token signing cert update

We're using ADFS 3.0 as our IDP, and a virtual F5 (BIG-IP 11.6.0 Build 0.0.401 Final) as the SP. Our config worked for the past year, but we needed to renew our token signing certificate. We generated a new token signing certificate in ADFS, and replaced the old cert on the F5 with the new one (under File Management -> SSL Certificate List). Now, when we try to sign in, we get the following error:
err apd[11996]: 01490204:3: fb7b14fa: SAML Agent: /Common/XXXXX_act_saml_auth_ag failed to process signed assertion, error: Init RSA cipher from IdP cert file
The new cert and the old cert are the same algorithm and everything, biggest difference is the new cert won't expire for over 4 years. We already implemented this cert on other SPs and it worked fine everywhere else.
Any idea what the Init RSA cipher from IdP cert file means? Is there anywhere else I need to update the certificate?
Thanks!
  • Not sure what exactly is happening, but you are running a pretty old version of the BIG-IP. I would recommend two things:

    1. Export metadata from ADFS and import them to BIG-IP anew, and essentially create a new IdP connector and bind it to the SP config.
    2. Upgrade to 11.6.1 if 1 does not succeed in moving you forward past this.
    3. If both 1 and 2 fail to solve it, open a ticket with support to investigate further.
    • jamed_40076
      I just tried 1 with the same result. I'll have to schedule something to try 2. Thanks, I'll update the thread once we upgrade.
  • FYI, We ran into the same issue, with a similar setup running on 11.6.1 base. The IdP XML file we received didn't assign the IdP's Assertion Verification Certificate in Security Settings/Certificate Settings to the provided Certificate from the XML file. Once the External IdP Connector configuration was updated, SAML SP Auth was successful. Hope this helps someone.
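The fix in the reply above amounts to one invariant: the certificate the SP's IdP connector verifies assertions with must be a certificate the IdP currently signs with. As an added example (my code, not from this thread or from F5), the script below checks that invariant offline by taking the signing certificate(s) out of an ADFS-style federation metadata document and comparing SHA-256 fingerprints against the certificate the SP is configured with. The metadata fragment and the certificate bodies are constructed placeholders (arbitrary bytes rather than real X.509 DER) so the example runs without network access; since a fingerprint is a hash over the DER bytes, the comparison logic is the same for real certificates. The result field names are my own.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

# Constructed placeholder "DER" bodies, NOT real certificates: one for the
# token-signing cert the SP was configured with before the renewal, one for
# the renewed token-signing cert, one for the IdP's encryption cert.
OLD_CERT_DER = b"constructed-adfs-token-signing-cert-2015"
NEW_CERT_DER = b"constructed-adfs-token-signing-cert-2016"
ENC_CERT_DER = b"constructed-adfs-token-encryption-cert"

# Constructed sample metadata in the shape ADFS publishes: the encryption
# cert and the current token-signing cert each sit in their own KeyDescriptor.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{b64(ENC_CERT_DER)}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{b64(NEW_CERT_DER)}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def wrap_pem(der: bytes) -> str:
    """PEM-encode DER bytes the way a cert exported from the SP would look."""
    return "-----BEGIN CERTIFICATE-----\n" + b64(der) + "\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Accept a PEM block or the bare base64 found in metadata; return DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def idp_signing_certs(metadata_xml: str) -> list:
    """DER of every certificate the IdP metadata offers for signing.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption under the SAML metadata spec, so it is included. Encryption-only
    descriptors are skipped: configuring one of those as the assertion
    verification cert would also fail signature checks."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for x509 in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(pem_to_der(x509.text or ""))
    return certs

def check_sp_cert(metadata_xml: str, sp_configured_pem: str) -> dict:
    """Compare the cert the SP's IdP connector is configured with against the
    signing cert(s) the IdP advertises. More than one advertised signing cert
    is handled (an IdP may publish a rollover cert alongside the current one);
    a match against any of them passes."""
    sp_fp = fingerprint(pem_to_der(sp_configured_pem))
    idp_fps = [fingerprint(c) for c in idp_signing_certs(metadata_xml)]
    return {"sp_configured": sp_fp, "idp_signing": idp_fps, "match": sp_fp in idp_fps}

if __name__ == "__main__":
    for label, der in (("old (pre-renewal) cert", OLD_CERT_DER),
                       ("renewed cert", NEW_CERT_DER)):
        result = check_sp_cert(SAMPLE_METADATA, wrap_pem(der))
        verdict = "OK" if result["match"] else "MISMATCH: connector cert is not an IdP signing cert"
        print(f"{label}: {verdict}")
```

On a real deployment the `sp_configured_pem` argument would be the PEM of whichever certificate object the external IdP connector's Assertion Verification Certificate setting references (not merely the file that was uploaded to the certificate list), and `metadata_xml` would be the IdP's current FederationMetadata.xml; a mismatch is the condition the last reply describes.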