Forum Discussion
SP SAML authentication fails after token signing cert update
We're using ADFS 3.0 as our IDP, and a virtual F5 (BIG-IP 11.6.0 Build 0.0.401 Final) as the SP. Our config worked for the past year, but we needed to renew our token signing certificate. We generated a new token signing certificate in ADFS, and replaced the old cert on the F5 with the new one (under File Management -> SSL Certificate List). Now, when we try to sign in, we get the following error:
err apd[11996]: 01490204:3: fb7b14fa: SAML Agent: /Common/XXXXX_act_saml_auth_ag failed to process signed assertion, error: Init RSA cipher from IdP cert file
The new cert and the old cert are the same algorithm and everything; the biggest difference is that the new cert won't expire for over 4 years. We already implemented this cert on other SPs and it worked fine everywhere else.
Any idea what the Init RSA cipher from IdP cert file means? Is there anywhere else I need to update the certificate?
Thanks!
Michael_Koyfman (Cirrocumulus): Not sure what exactly is happening, but you are running a pretty old version of the BIG-IP. I would recommend two things:
- Export metadata from ADFS and import them to BIG-IP anew, and essentially create new IDP connector and bind it to SP config.
- Upgrade to 11.6.1 if 1 does not succeed in moving you forward past this.
- If both 1 and 2 fail to solve it, open a ticket with support to investigate further.
jamed_40076 (Nimbostratus): I just tried 1 with the same result. I'll have to schedule something to try 2. Thanks, I'll update the thread once we upgrade.
Mike_99062 (Nimbostratus): FYI, we ran into the same issue, with a similar setup running on 11.6.1 base. The IdP XML file we received didn't assign the IdP's Assertion Verification Certificate in Security Settings/Certificate Settings to the provided Certificate from the XML file. Once the External IdP Connector configuration was updated, SAML SP Auth was successful. Hope this helps someone.
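A quick way to confirm the mismatch Mike_99062 describes before touching the connector: compare the SHA-256 fingerprint of the certificate bound to the SP's External IdP Connector against the signing certificates the IdP's metadata actually advertises. This is an added example, not code from the thread or from F5; the metadata and certificate blobs are constructed placeholders (the "DER" bytes are not real X.509), and only the SAML metadata namespaces and element names are real.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata such as ADFS's FederationMetadata.xml.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for DER certificates (placeholder bytes, not real X.509).
OLD_DER = b"constructed: expired ADFS token-signing cert"
NEW_DER = b"constructed: renewed ADFS token-signing cert"
ENC_DER = b"constructed: ADFS token-decrypting cert"

def _pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

# Constructed IdP metadata: the renewed signing key plus a separate encryption key.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(NEW_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(ENC_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

OLD_CONNECTOR_PEM = _pem(OLD_DER)   # what a stale IdP connector still holds
NEW_CONNECTOR_PEM = _pem(NEW_DER)   # what it should hold after the renewal

def idp_signing_fingerprints(metadata_xml: str) -> set:
    """SHA-256 fingerprints of every cert the IdP advertises for signing assertions."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for idp in root.iter(f"{{{NS['md']}}}IDPSSODescriptor"):
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":   # a missing 'use' allows any use
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                fps.add(hashlib.sha256(der).hexdigest())
    return fps

def connector_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the cert bound to the SP's External IdP Connector."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def connector_matches_metadata(metadata_xml: str, connector_pem: str) -> bool:
    """True only if the connector's assertion-verification cert is one the IdP signs with."""
    return connector_fingerprint(connector_pem) in idp_signing_fingerprints(metadata_xml)
```

Running `connector_matches_metadata(SAMPLE_METADATA, OLD_CONNECTOR_PEM)` reports the stale binding that produces the "Init RSA cipher from IdP cert file" failure; swapping in the renewed certificate makes it pass.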