30-Aug-2018 08:37
Good day,
We have recently started to use APM as SP for some of our sites and Okta as IdP. We followed the guide "Okta Integration Guide for Web Access Management with F5 BIG-IP" as a basis when doing the setups. We had them working as expected, but now our Okta team has requested that we enable encrypted assertions.
We have been unable to get it to work. We have tried different self-signed certs and CA certs, along with changing the different encryption options in Okta (Encryption Algorithm, Key Transport Algorithm). In the session log we see "SAML Agent: failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found" regardless of what we try.
I have not found many details on enabling encrypted assertions, so any guides, documents, or links would be appreciated. I have also opened a support case to get assistance.
Thank you
04-Sep-2018 10:15
From support case with F5: "BIG-IP as SP does not support RetrievalMethod for decrypting encrypted assertions from IdPs.
We have the following Request for Feature Enhancement: ID 485387, "[RFE] BIG-IP does not support RetrievalMethod Element while processing encrypted assertion."
Workaround: To work around the problem, you can reconfigure the IdP to use an embedded EncryptedKey instead of using RetrievalMethod."
I am working with the team that manages Okta to see if this change can be done.
Jason
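To see which of the two forms the support note is talking about, it helps to look at the SAML Response itself before changing anything in Okta. The following is an added example (not code from the thread, from F5, or from Okta): it parses a Response with xml.etree and reports whether the xenc:EncryptedData carries its EncryptedKey embedded inside ds:KeyInfo, or only references it via ds:RetrievalMethod. The two sample Responses are constructed for illustration, the CipherValue contents are dummy base64, and no decryption is performed; the helper name decryptable_by_embedded_key_only_sp is my own label for the behaviour the support note describes.

```python
"""Classify how a SAML 2.0 EncryptedAssertion carries its EncryptedKey.

Added example, not from the thread or from F5/Okta. XML Encryption allows
two shapes for the key that wraps the assertion's content-encryption key:
  * embedded         - xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey
  * retrieval_method - xenc:EncryptedData/ds:KeyInfo/ds:RetrievalMethod whose
                       URI points at an EncryptedKey elsewhere (here a sibling
                       of EncryptedData inside saml:EncryptedAssertion)
The sample Responses below are constructed; CipherValue content is dummy data.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENCRYPTED_KEY_TYPE = "http://www.w3.org/2001/04/xmlenc#EncryptedKey"

_RESPONSE_OPEN = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">'
)

# Constructed sample: EncryptedKey embedded in the EncryptedData's KeyInfo.
EMBEDDED_RESPONSE = _RESPONSE_OPEN + """
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Id="_ed1" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>QUFBQQ==</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>QkJCQg==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>
"""

# Constructed sample: KeyInfo holds only a RetrievalMethod; the EncryptedKey is
# a sibling of EncryptedData and points back at it through a ReferenceList.
RETRIEVAL_RESPONSE = _RESPONSE_OPEN + """
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Id="_ed1" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo>
        <ds:RetrievalMethod URI="#_ek1" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>QkJCQg==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
    <xenc:EncryptedKey Id="_ek1">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <xenc:CipherData><xenc:CipherValue>QUFBQQ==</xenc:CipherValue></xenc:CipherData>
      <xenc:ReferenceList><xenc:DataReference URI="#_ed1"/></xenc:ReferenceList>
    </xenc:EncryptedKey>
  </saml:EncryptedAssertion>
</samlp:Response>
"""


def _has_cipher_value(encrypted_key):
    """True if the EncryptedKey element carries a non-empty CipherValue."""
    cv = encrypted_key.find("xenc:CipherData/xenc:CipherValue", NS)
    return cv is not None and bool((cv.text or "").strip())


def classify_encrypted_assertion(response_xml):
    """Return a dict describing where the EncryptedKey lives in the Response."""
    root = ET.fromstring(response_xml)
    enc = root.find(".//saml:EncryptedAssertion", NS)
    if enc is None:
        return {"form": "plaintext"}
    data = enc.find("xenc:EncryptedData", NS)
    key_info = data.find("ds:KeyInfo", NS) if data is not None else None
    if key_info is None:
        return {"form": "malformed"}
    embedded = key_info.find("xenc:EncryptedKey", NS)
    if embedded is not None:
        return {"form": "embedded", "cipher_value_present": _has_cipher_value(embedded)}
    rm = key_info.find("ds:RetrievalMethod", NS)
    if rm is not None:
        uri = rm.get("URI", "")
        target = None
        if uri.startswith("#"):  # same-document reference to an EncryptedKey Id
            target = next((ek for ek in root.iter("{%s}EncryptedKey" % NS["xenc"])
                           if ek.get("Id") == uri[1:]), None)
        return {
            "form": "retrieval_method",
            "uri": uri,
            "type_ok": rm.get("Type") == ENCRYPTED_KEY_TYPE,
            "target_resolved": target is not None,
            "cipher_value_present": target is not None and _has_cipher_value(target),
        }
    return {"form": "unknown"}


def decryptable_by_embedded_key_only_sp(result):
    """Hypothetical helper: True only when an SP that looks for the EncryptedKey
    solely inside ds:KeyInfo (the limitation the support note describes) would
    find key material to decrypt with."""
    return result["form"] == "embedded" and result["cipher_value_present"]


if __name__ == "__main__":
    for label, doc in (("embedded", EMBEDDED_RESPONSE), ("retrieval", RETRIEVAL_RESPONSE)):
        print(label, classify_encrypted_assertion(doc))
```

To run this against a real login, capture the SAMLResponse form field from the browser POST to the APM SP, base64-decode it, and pass the XML string to classify_encrypted_assertion. A "retrieval_method" result, even with target_resolved True and a CipherValue present, is the shape the support note says BIG-IP does not process; only an "embedded" result matches the suggested workaround.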
02-Apr-2020 04:26
Hi,
Did you have any luck with changing the behavior of Okta? For 15.1.x it seems that the issue is still not resolved, and when reconfiguring the Okta IdP there is only the Key Transport Algorithm, which doesn't change anything.
The issue is tracked under ID 485387 (https://techdocs.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-5-0.html#rn...), which is not listed in the Bug Tracker.
From my understanding it seems not to be possible to encrypt the assertion between F5 BIG-IP and Okta. Or is my understanding wrong?
Regards
02-Apr-2020 06:09
After discussing with our security team, they agreed that we could go with a non-encrypted assertion. We are only on 13.1, so we have not done any more research or testing on this.
Jason
02-Apr-2020 12:56
Thanks for your reply. That confirms that Okta doesn't provide a workaround for that. I wonder if there are limitations with other IdPs as well. This one was really surprising to me.