Encryption error - SAML assertion: response is not encrypted

Question

We are trying to configure out APM with Azure SAML authentication. After login on and succedded we can an error and the logs show the following:

modules/Authentication/Saml/SamlSPAgent.cpp: 'verifyAssertionSignature()': 5374: Verification of SAML signature #2 succeeded

-----------------------
SAML2Websak_act_saml_auth_ag failed to parse assertion, error: Response is not encrypted
......................
a6559abf: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'

As a result the login is Denied.

Is this related to the certificate or RSA encryption? We have tried various options but it comes back to the same error

alexbct · Answer

Hi,&nbsp;
From the log messages, I assume you have configured the F5 as the SAML SP?&nbsp;
If so, can you have a look under the SAML SP Service configuration (Access ›› Federation : SAML Service Provider : Local SP Services), under the Security Settings tab and see if the flag "Want Encrypted Assertion" is checked? If so, uncheck it.&nbsp;

SAML encryption is a way of ensuring that the client cannot read the SAML request, but it has no real impact on the integrity of the message, this is where "Want Signed Assertion" is for. "Want Signed Assertion" should always be checked, "Want Encrypted Assertion" is an optional extra and is often (and by default) unchecked.&nbsp;
Hope this helps.&nbsp;

southern_shredd · Answer

Thanks that seems to have resolved that error. The login is now successfull both on Azure and on APM how we seem to another error when we receive the successfull token

The error seem to be wiht the replyURL being incorrect? Wich URL should we configure for this and in which format?

We have tried the Entity ID URL, we have tried the initial hostname URL but still get an error

1): our.website.com/saml/sp/profile/post/acs
2): entityid url

AADSTS50011: The reply URL 'https://login.microsoftonline.com/ourappliaction' specified in the request does not match the reply URLs configured for the application 'https://login.microsoftonline.com/azureentityid/saml2'

alexbct · Answer

Nice! one error down, let's see how many there are left to go... 😉 Sounds like you're close though.&nbsp;
Purely going on ReplyURL, you should have the following:&nbsp;https://app.example.com/saml/sp/profile/post/acs&nbsp;
(https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-per-request-policies/implementing-seamless-sso-azure-saml-mfa/overview-saml-azure-mfa/azure-ad-saml-mfa-prerequisites-to-configure.html)&nbsp;
...but there may be more to this as that will depend a bit on both the AzureAD configuration as well as the APM configuration. Now that you've resolved the issue with the encryption, it may be a good idea to create a new metadata file on the F5 and re-import it in to AzureAD. This way, you'll let the F5 decide which information should be imported where in the AzureAD SAML config.&nbsp;
&nbsp;

Forum Discussion

Encryption error - SAML assertion: response is not encrypted

3 Replies

Recent Discussions

Transaction looks successful but file not downloading

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Related Content

Decrypt, Encrypt, Decrypt, Encrypt, Encrypt....

Let's Encrypt

Automate Let's Encrypt Certificates on BIG-IP

Encrypting Cookies

Cookie Encryption