
SAML Agent: [...] failed to process signed assertion, error: RSA decrypt

autopoiesis
Nimbostratus

Context: migration from old v12 to new v15 (to new, parallel systems, not in-place upgrade)

Config done, iFiles, certs, etc. all copied over; currently deactivating VIPs and VSs on old boxen, activating on new and testing.

Non-SAML, simple stuff AOK, but not this one app. From APM, initial SSO works (BIG-IP auths me against AD), but the subsequent SAML just fails:

Aug 26 13:28:25 BIG-IP_V15 notice apmd[13097]: 01490005:5: /Common/AP_auth.DEV.DOMAIN_internal_V3:Common:c60f4ccd: Following rule 'Out' from item 'Authenticated' to ending 'Allow'
Aug 26 13:28:25 BIG-IP_V15 notice apmd[13097]: 01490102:5: /Common/AP_auth.DEV.DOMAIN_internal_V3:Common:c60f4ccd: Access policy result: LTM+APM_Mode
Aug 26 13:28:25 BIG-IP_V15 notice apmd[13097]: 01490248:5: /Common/AP_auth.DEV.DOMAIN_internal_V3:Common:c60f4ccd: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win10 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Aug 26 13:28:29 BIG-IP_V15 notice tmm1[18345]: 014d1603:5: /Common/AP_auth.DEV.DOMAIN_internal_V3:Common:c60f4ccd:SAML SSO: Using SSO config (/Common/auth.DEV.DOMAIN) with SP Connector (/Common/APPLICATION.DEV.DOMAIN_saml_sp)
Aug 26 13:28:29 BIG-IP_V15 notice tmm1[18345]: 014d1602:5: /Common/AP_auth.DEV.DOMAIN_internal_V3:Common:c60f4ccd:SAML SSO: BIG-IP as IdP (/Common/auth.DEV.DOMAIN) sent SAML response (Assertion) (size: 12022) with status (urn:oasis:names:tc:SAML:2.0:status:Success) to SP (/Common/APPLICATION.DEV.DOMAIN_saml_sp) for subject type (urn:oasis:names:tc:SAML:2.0:nameid-format:entity) value (test_user)
Aug 26 13:28:29 BIG-IP_V15 notice apmd[13097]: 014902b4:5: /Common/AP_APPLICATION.DEV.DOMAIN:Common:b5d092af: SAML Agent: /Common/AP_APPLICATION.DEV.DOMAIN_act_saml_auth_ag, Matched IdP connector (/Common/auth.DEV.DOMAIN) for SAML SP Initiated Auth (/Common/APPLICATION.DEV.DOMAIN_saml_sp) and landingURI (/)
Aug 26 13:28:30 BIG-IP_V15 err apmd[13097]: 01490204:3: /Common/AP_APPLICATION.DEV.DOMAIN:Common:b5d092af: SAML Agent: /Common/AP_APPLICATION.DEV.DOMAIN_act_saml_auth_ag failed to process signed assertion, error: RSA decrypt
Aug 26 13:28:30 BIG-IP_V15 notice apmd[13097]: 01490005:5: /Common/AP_APPLICATION.DEV.DOMAIN:Common:b5d092af: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'

SAML conf was done by hand (not from metadata). I know I have the right certs and keys (the moduli match), but have found zero useful information on how to determine exactly what aspect of "RSA decrypt" is failing. I've read all the articles (I think), to no avail.

I'm hours into this and it's driving me nuts. Any tips/info greatly appreciated!
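One way to narrow down an "RSA decrypt" failure on the SP side is to take the `<EncryptedKey>` out of the encrypted assertion and try to unwrap its session key yourself with the SP's private key under both xmlenc key-transport paddings. The Go check below is an added example, not code from the post or from F5: it reports the algorithm the IdP declared and the one that actually unwraps, so a wrong key (nothing unwraps) can be told apart from a padding mismatch (declared and working algorithm differ). It assumes the failing step is unwrapping an EncryptedAssertion's session key, which the post does not confirm; the key pair and XML it uses are constructed test material.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/xml"
)

const (
	AlgOAEP  = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" // xmlenc key-transport URIs
	AlgPKCS1 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
)
// encryptedKey is the minimal view of the xmlenc <EncryptedKey> that an <EncryptedAssertion> carries.
type encryptedKey struct {
	Method      struct{ Algorithm string `xml:"Algorithm,attr"` } `xml:"EncryptionMethod"`
	CipherValue string `xml:"CipherData>CipherValue"`
}
// plausibleKey filters chance "unwraps" under the wrong padding: xmlenc session keys are AES keys.
func plausibleKey(k []byte) bool { return len(k) == 16 || len(k) == 24 || len(k) == 32 }
// Diagnose returns the key-transport algorithm the IdP declared and the one that actually unwraps the
// session key with spKey ("oaep", "pkcs1" or "none"): a wrong key gives "none", a padding mismatch shows as declared != actual.
func Diagnose(doc []byte, spKey *rsa.PrivateKey) (declared, actual string, err error) {
	var ek encryptedKey
	if err = xml.Unmarshal(doc, &ek); err != nil {
		return "", "", err
	}
	wrapped, err := base64.StdEncoding.DecodeString(ek.CipherValue)
	if err != nil {
		return "", "", err
	}
	actual = "none"
	if k, e := rsa.DecryptOAEP(sha1.New(), rand.Reader, spKey, wrapped, nil); e == nil && plausibleKey(k) {
		actual = "oaep"
	} else if k, e := rsa.DecryptPKCS1v15(rand.Reader, spKey, wrapped); e == nil && plausibleKey(k) {
		actual = "pkcs1"
	}
	return ek.Method.Algorithm, actual, nil
}
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // throwaway key, constructed test material
// SampleEncryptedKey builds a constructed <EncryptedKey>: a random AES-256 session key wrapped with OAEP
// for pub, while declaring whatever algorithm URI is given (so a declared/actual mismatch can be simulated).
func SampleEncryptedKey(pub *rsa.PublicKey, declared string) []byte {
	session := make([]byte, 32)
	rand.Read(session)
	wrapped, _ := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, session, nil)
	return []byte(`<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#"><EncryptionMethod Algorithm="` + declared +
		`"/><CipherData><CipherValue>` + base64.StdEncoding.EncodeToString(wrapped) + `</CipherValue></CipherData></EncryptedKey>`)
}
```

Against a real response you would feed the `<EncryptedKey>` element from the captured SAML response plus the SP's PEM key; if even the declared padding returns "none", the key the SP is using is not the one the IdP encrypted for, regardless of which certificate's modulus you compared.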
