Last Modified: Dec 18, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6
Opened: Jan 25, 2024
Severity: 3-Major
Verification of the SAML signature fails with errors in /var/log/apm:

err apmd[28312]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5978 Msg: ERROR: verifying the digest of SAML Response
debug apmd[28312]: 01490266:7: /Common/<string>: modules/Authentication/Saml/SamlSPAgent.cpp: 'verifyAssertionSignature()': 6030: Verification of SAML signature #1 failed
err apmd[28312]: 01490204:3: /Common/<string>: SAML Agent: /Common/sp_ap_act_saml_auth_ag failed to process signed assertion, error: Digest of SignedInfo mismatch

The XML namespace declaration added as part of ID 1397321, xmlns:xs="http://www.w3.org/2001/XMLSchema" in the <AttributeValue> element, is ignored by the BIG-IP IdP's XML canonicalization, so the digest is calculated over the Assertion without that namespace in the <AttributeValue>. The assertion sent by the IdP contains the newly added namespace, but the Signature does not include it in its calculation. As a result, signature verification fails on the SP side.
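The digest mismatch described above, reproduced as an added example (not BIG-IP code or anything from F5): Python's stdlib C14N writer, like exclusive C14N, emits only the namespace declarations it sees used, so whether the xmlns:xs declaration (referenced only through the xsi:type value) survives canonicalization depends on how the canonicalizer treats xsi:type, and the two treatments produce different digests over the same received assertion. The sample assertion, its attribute value, the SHA-256 digest algorithm and the function names are constructed assumptions.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

XS_NS = "http://www.w3.org/2001/XMLSchema"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample assertion (not a real capture): the <AttributeValue> carries
# the xmlns:xs declaration that ID 1397321 adds, referenced only via xsi:type.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-id" Version="2.0" IssueInstant="2024-01-25T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="thumbnailPhoto">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">iVBORw0KGgo=</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def canonicalize(assertion_xml: str, keep_xs: bool) -> str:
    """C14N via the stdlib writer, which emits only namespace declarations it sees
    used. keep_xs=False: the xs prefix occurs only inside the xsi:type value, so
    xmlns:xs counts as unused and is dropped. keep_xs=True: xsi:type is treated as
    QName-valued, so xmlns:xs is kept."""
    return ET.canonicalize(assertion_xml,
                           qname_aware_attrs=[XSI_TYPE] if keep_xs else None)


def digest_value(canonical: str) -> str:
    """Base64 SHA-256 DigestValue over the canonical bytes (assumed algorithm)."""
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()


def idp_reference_digest(assertion_xml: str) -> str:
    """IdP side as the bug describes it: digest over a form without xmlns:xs."""
    return digest_value(canonicalize(assertion_xml, keep_xs=False))


def sp_verify_digest(assertion_xml: str, reference_digest: str) -> bool:
    """SP side: canonicalize the assertion as received (declaration kept) and
    compare; False is the 'Digest of SignedInfo mismatch' case."""
    return digest_value(canonicalize(assertion_xml, keep_xs=True)) == reference_digest


def diagnose(assertion_xml: str, reference_digest: str) -> dict:
    """Operator check: recompute under both treatments and confirm the only byte
    difference is the xmlns:xs declaration, not an assertion altered in transit."""
    dropped = canonicalize(assertion_xml, keep_xs=False)
    kept = canonicalize(assertion_xml, keep_xs=True)
    return {
        "matches_with_xs_dropped": digest_value(dropped) == reference_digest,
        "matches_with_xs_kept": digest_value(kept) == reference_digest,
        "differs_only_by_xmlns_xs": kept.replace(f' xmlns:xs="{XS_NS}"', "") == dropped,
    }
```

Running diagnose() against a failing assertion and the DigestValue from its SignedInfo shows the match succeeding only with xmlns:xs dropped, which is the signature of this issue rather than of a tampered assertion.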
SAML breaks and authentication fails
1) Create an access profile: Start -> Logon -> AD auth -> AD query -> Allow.
2) Create an IDP service and its SP connector, and add the thumbnail photo attribute to the IDP service configuration.
3) Attach the IDP service configuration in the "SSO Configuration" of the access profile.
4) Create an iRule that replaces the assertion with the additional namespace tag, or use a build that contains the code change for ID 1397321.
5) Attach the iRule and the access profile to the IDP virtual server.
6) Configure BIG-IP as the SP.
7) Access the BIG-IP SP virtual server.
None
None