Bug ID 1772317: [APM][SAML SP] sp fails authentication with error "SAML assertion is invalid, error: NameID is missing"

Last Modified: Feb 19, 2025

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1

Opened: Dec 12, 2024

Severity: 3-Major

Symptoms

SAML authentication fails, and the following log message is seen on the BIG-IP acting as SP: "SAML Agent: /Common/web_auth_act_saml_auth_subsession_ag SAML assertion is invalid, error: NameID is missing, but idp-connector's identity location is set to subject"

Impact

Authentication fails

Conditions

-- SAML auth is configured as SP on BIG-IP as part of a per-request policy
-- The assertion has an encrypted subject: "<saml2:Subject><saml2:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"...."

Workaround

Disable "encrypt-subject" in the IdP configuration.
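
To check whether an IdP's responses meet the encrypted-subject condition, or to confirm that the workaround took effect, the identifier type inside each assertion's Subject can be inspected offline. This is an added example, not F5 code; the function names and sample documents are constructed for illustration, and it assumes the assertion itself is not wrapped in an EncryptedAssertion.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # bound to "saml2" in the page's sample
KINDS = ("NameID", "EncryptedID", "BaseID")


def subject_identifier_kinds(xml_text):
    """Return, per <Assertion>, how its <Subject> carries the identity:
    "NameID", "EncryptedID" (this bug's condition), "BaseID" or "missing"."""
    # Input is assumed to be a capture from your own IdP; use a hardened
    # XML parser for documents from untrusted sources.
    root = ET.fromstring(xml_text)
    kinds = []
    for assertion in root.iter("{%s}Assertion" % SAML_NS):
        subject = assertion.find("{%s}Subject" % SAML_NS)
        found = "missing"
        if subject is not None:
            for kind in KINDS:
                if subject.find("{%s}%s" % (SAML_NS, kind)) is not None:
                    found = kind
                    break
        kinds.append(found)
    return kinds


def matches_bug_condition(saml_response_b64):
    """True if a base64 SAMLResponse (HTTP-POST binding) has an encrypted subject."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    return "EncryptedID" in subject_identifier_kinds(xml_text)


def constructed_response(subject_inner):
    # Constructed sample document, not a capture from a real IdP.
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml2:Assertion ID="_constructed" Version="2.0">'
        "<saml2:Subject>" + subject_inner + "</saml2:Subject>"
        "</saml2:Assertion></samlp:Response>"
    )


ENCRYPTED = constructed_response(
    '<saml2:EncryptedID><xenc:EncryptedData '
    'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml2:EncryptedID>'
)
PLAIN = constructed_response("<saml2:NameID>user@example.com</saml2:NameID>")
```

A result of "EncryptedID" means the IdP is still encrypting the subject; after the workaround is applied, the same check should report "NameID".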

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips