Saml token convert to jwt
Hello, I create a iRule for convert saml token to JWT (json web token). It works well but I get a signatur error. I try many option and formats. But nothing works. I'm shure you can help me easily. I have creat a working access Profile with saml. Bigip is SP and an external IdP. Here my iRule. when ACCESS_ACL_ALLOWED { set hamacsha256 secret set secret_key "secret" get data from saml Session (APM->Manage Sessions-> Variables -> View) set user [ACCESS::session data get session.saml.last.nameIDValue] set sub [ACCESS::session data get session.saml.last.attr.name./EmployeeID] set nbf [ACCESS::session data get session.saml.last.validityNotBefore] set exp [ACCESS::session data get session.saml.last.validityNotOnOrAfter] set email [ACCESS::session data get session.saml.last.attr.name./identity/claims/emailaddress] set surname [ACCESS::session data get session.saml./Common/xyz_auth_ag.attr.name./identity/claims/surname] set givenname [ACCESS::session data get session.saml./Common/xyz_auth_ag.attr.name./identity/claims/givenname] set aud [ACCESS::session data get session.saml.last.assertionIssuer] set gpid [ACCESS::session data get session.saml.last.attr.name./GPID] Name of the cookie set cookie_name "xyz-JWT" set cookie header set cookie_header "[b64encode "{\r\n \"alg\": \"HS256\", \r\n \"typ\": \"JWT\"\r\n}"]" set cookie payload set cookie_payload "[b64encode "{\r\n \"user\": \"$user\",\r\n \"sub\": \"$sub\",\r\n \"nbf\": \"$nbf\",\r\n \"exp\": \"$exp\",\r\n \"email\": \"$email\",\r\n \"surname\": \"$surname\",\r\n \"givenname\": \"$givenname\",\r\n \"aud\": \"$aud\",\r\n \"gpid\": \"$gpid\"\r\n}"]" set cookie data for signatur set cookie_data [concat "[b64encode [URI::encode $cookie_header]].[b64encode [URI::encode $cookie_payload]]"] test some other version set cookie_data "[URI::encode [b64encode $cookie_header]]\".\"[URI::encode [b64encode $cookie_payload]]" set cookie_data "[URI::encode $cookie_header]\".\"[URI::encode $cookie_payload]]" set cookie_data $cookie_header"."$cookie_payload log local0. "cookie_data $cookie_data" create signatur set cookie_sig "[CRYPTO::sign -alg hmac-sha256 -key $secret_key $cookie_data]" convert signatur in some version set cookie_sig_b64 "[b64encode $cookie_sig]" set cookie_sig_b64_url "[URI::encode $cookie_sig_b64]" set cookie_sig_url_b64 "[b64encode $cookie_sig_url]" log local0. "sig_b64= $cookie_sig_b64" log local0. "sig_b64_url= $cookie_sig_b64_url" log local0. "sig_url_b64= $cookie_sig_url_b64" verify signatur if { [CRYPTO::verify -alg hmac-sha256 -key $secret_key -signature $cookie_sig $cookie_data] } { log local0. "Data verified" } create full JWT set cookie "$cookie_header.$cookie_payload.$cookie_sig_url_b64" HTTP::cookie insert name $cookie_name value $cookie log local0. "$cookie_name $cookie" } send to client when HTTP_RESPONSE { HTTP::cookie insert name $cookie_name value $cookie } If I verify the cookie with jwt.io (webseite). I get alway a signatur error. All other works. The json notation for signatur is HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret ) secret base64 encoded I think I have a mistake in format for cookie_data. In the version you can see some of my tests. How can help me? Cheers, NetSnoopy
F5 dual-certificate deployment to fix SHA-1 Deprecate issue
Hi From this information SHA-1 Deprecate >> link from qualys My customer sha-1 certificate is mark as insecure already. (He using APM and certificate expire on 2018) If we renew certificate to SHA-256, older client can't do the job so Can F5 perform dual-certificate deployment? If newer user using chrome access to APM >> APM use certificate SHA256 If older user using chrome access to APM >> APM use certificate SHA-1 (of course it's mark as insecure but we can't do something about this to make older user can work) Right now using APM 11.4.1 lastest HF Thank you
SHA2 Certificate Migration
I am currently in the process of migrating all of my managed SSL certificates from a SHA1 to a SHA2 signing algorithm. Based on other discussions, I'm still unclear on how I should be going about doing this. I have successfully renewed a certificate which was previously signed with SHA1 with SHA2. I did not have to create a new key and the import was very successful. However, the owner of our internal PKI brought up a concern because the F5 defaults to SHA1 when creating a CSR even though the signature can be overwritten with SHA2. Their concern is that the key is created differently when requesting SHA1 vs SHA2. I'm not sure if that is truly the case which is why I'm asking for clarification. Should I be creating CSRs through the F5 gui which has a SHA1 signing algorithm as I always have while asking for a SHA2 signing or should I use openssl to create a CSR specifying SHA2?