Forum Discussion

autopoiesis
Aug 26, 2021

SAML Agent: [...] failed to process signed assertion, error: RSA decrypt

Context: migration from old v12 to new v15 (to new, parallel systems, not in-place upgrade)

Config done, iFiles, certs, etc. all copied over; currently deactivating VIPs and VSs on old boxen, activating on new and testing.

Non-SAML, simple stuff AOK, but not this one app. From APM, initial SSO works (BIG-IP auths me against AD), but the subsequent SAML just fails:

Aug 26 13:28:25 BIG-IP_V15 notice apmd[13097]: 01490005:5: /Common/AP_auth.DEV.DOMAIN_internal_V3:Common:c60f4ccd: Following rule 'Out' from item 'Authenticated' to ending 'Allow'

Aug 26 13:28:25 BIG-IP_V15 notice apmd[13097]: 01490102:5: /Common/AP_auth.DEV.DOMAIN_internal_V3:Common:c60f4ccd: Access policy result: LTM+APM_Mode

Aug 26 13:28:25 BIG-IP_V15 notice apmd[13097]: 01490248:5: /Common/AP_auth.DEV.DOMAIN_internal_V3:Common:c60f4ccd: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win10 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0

Aug 26 13:28:29 BIG-IP_V15 notice tmm1[18345]: 014d1603:5: /Common/AP_auth.DEV.DOMAIN_internal_V3:Common:c60f4ccd:SAML SSO: Using SSO config (/Common/auth.DEV.DOMAIN) with SP Connector (/Common/APPLICATION.DEV.DOMAIN_saml_sp)

Aug 26 13:28:29 BIG-IP_V15 notice tmm1[18345]: 014d1602:5: /Common/AP_auth.DEV.DOMAIN_internal_V3:Common:c60f4ccd:SAML SSO: BIG-IP as IdP (/Common/auth.DEV.DOMAIN) sent SAML response (Assertion) (size: 12022) with status (urn:oasis:names:tc:SAML:2.0:status:Success) to SP (/Common/APPLICATION.DEV.DOMAIN_saml_sp) for subject type (urn:oasis:names:tc:SAML:2.0:nameid-format:entity) value (test_user)

Aug 26 13:28:29 BIG-IP_V15 notice apmd[13097]: 014902b4:5: /Common/AP_APPLICATION.DEV.DOMAIN:Common:b5d092af: SAML Agent: /Common/AP_APPLICATION.DEV.DOMAIN_act_saml_auth_ag, Matched IdP connector (/Common/auth.DEV.DOMAIN) for SAML SP Initiated Auth (/Common/APPLICATION.DEV.DOMAIN_saml_sp) and landingURI (/)

Aug 26 13:28:30 BIG-IP_V15 err apmd[13097]: 01490204:3: /Common/AP_APPLICATION.DEV.DOMAIN:Common:b5d092af: SAML Agent: /Common/AP_APPLICATION.DEV.DOMAIN_act_saml_auth_ag failed to process signed assertion, error: RSA decrypt

Aug 26 13:28:30 BIG-IP_V15 notice apmd[13097]: 01490005:5: /Common/AP_APPLICATION.DEV.DOMAIN:Common:b5d092af: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'

SAML conf was done by hand (not from metadata), I know I have the right certs and keys (the moduli match), but have found zero useful information on how to determine exactly what aspect of "RSA decrypt" is failing. I've read all the articles (I think), to no avail.

I'm hours into this and it's driving me nuts. Any tips/info greatly appreciated!

No replies
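The post says the moduli of the copied key and certificate match. Comparing moduli proves the two files were cut from the same key pair, but it does not exercise the operations an RSA failure actually comes from. The script below is an added example by the editor, not code from the post or from F5: it checks a key/certificate pair the way the SAML flow uses it, signing with the key and verifying with the certificate, then encrypting with the certificate and decrypting with the key (RSA-OAEP, the key-transport padding XML Encryption commonly uses). It assumes the openssl CLI is on PATH; the file names, the throwaway self-signed pair it generates for the demo, and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from F5).
# Checks that an RSA private key and an X.509 certificate are a working pair
# by exercising both RSA directions with the openssl CLI (assumed on PATH):
#   sign with the key    -> verify with the cert   (assertion signature path)
#   encrypt with the cert -> decrypt with the key  (encrypted assertion path)

# moduli_match KEY CERT : succeeds if the SHA-256 of both moduli are equal
# (this is the check the post describes; kept here for comparison)
moduli_match() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# roundtrip_ok KEY CERT : succeeds only if sign/verify AND encrypt/decrypt both work
roundtrip_ok() {
    key=$1; cert=$2
    d=$(mktemp -d) || return 1
    printf 'probe' > "$d/plain"
    openssl x509 -in "$cert" -noout -pubkey > "$d/pub.pem" 2>/dev/null \
      || { rm -rf "$d"; return 1; }
    # signature direction: private key signs, certificate's public key verifies
    openssl dgst -sha256 -sign "$key" -out "$d/sig" "$d/plain" 2>/dev/null \
      && openssl dgst -sha256 -verify "$d/pub.pem" -signature "$d/sig" "$d/plain" >/dev/null 2>&1 \
      || { rm -rf "$d"; return 1; }
    # encryption direction: certificate encrypts (RSA-OAEP), private key decrypts
    openssl pkeyutl -encrypt -pubin -inkey "$d/pub.pem" -pkeyopt rsa_padding_mode:oaep \
        -in "$d/plain" -out "$d/enc" 2>/dev/null \
      && openssl pkeyutl -decrypt -inkey "$key" -pkeyopt rsa_padding_mode:oaep \
        -in "$d/enc" -out "$d/dec" 2>/dev/null \
      && cmp -s "$d/plain" "$d/dec"
    rc=$?
    rm -rf "$d"
    return $rc
}

# make_pair DIR NAME : constructed test material, a throwaway self-signed cert + key
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# demo: a matching pair passes both checks; a key from a different pair fails
demo() {
    d=$(mktemp -d)
    make_pair "$d" sp && make_pair "$d" other
    if moduli_match "$d/sp.key" "$d/sp.crt" && roundtrip_ok "$d/sp.key" "$d/sp.crt"; then
        echo "sp.key / sp.crt: pair OK (moduli match and both RSA directions work)"
    fi
    if ! roundtrip_ok "$d/other.key" "$d/sp.crt"; then
        echo "other.key / sp.crt: NOT a pair"
    fi
    rm -rf "$d"
}
demo
```

To use it against real material, point `roundtrip_ok` at the private key installed on the SP side and at the certificate configured for that SP on the IdP side (and likewise at the IdP's signing key and the IdP certificate held by the SP connector). A pass means the files are a usable pair for both signing and encryption; it does not by itself say which of those operations APM was performing when it logged "RSA decrypt".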