Bug ID 1473589: SAML SP fails with error 'Response/assertion is not signed' on receiving the assertion

Last Modified: Jun 15, 2024

Affected Product(s):
BIG-IP APM, Install/Upgrade(all modules)

Known Affected Versions:
17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3

Opened: Jan 04, 2024

Severity: 3-Major

Symptoms

-- The SP shows an access denied page.
-- The SP APM logs show the error "Response/assertion is not signed":

SAML Agent: /Common/basestar_sp_policy_act_saml_auth_ag failed to parse assertion, error: $fmt

Impact

Unable to access SP

Conditions

-- Upgrade to 17.1.0
-- Configure BIG-IP as SP with "Want Signed Assertion" and "Want Encrypted Assertion" enabled in the SP service config
-- Response from the IdP is received without a signature element

Workaround

-- If using BIG-IP as IdP, enable 'Response must be signed' in the spconnector config.
-- If using other IdPs, ensure that they send an assertion Response with a signature XML element.
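
As an added example (not F5 code and not part of the bug record), the following Python check inspects a base64-decoded SAML Response captured on the SP side and reports whether it carries the signature element the workaround calls for. It assumes "signature element" means a ds:Signature that is a direct child of samlp:Response; the function name and the sample messages are constructed for illustration, and the check tests presence only, not signature validity.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample messages (structure only, no real keys or ciphertext).
_TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>%s'
    '<saml:EncryptedAssertion/></samlp:Response>'
)
UNSIGNED_RESPONSE = (_TEMPLATE % "").encode()
SIGNED_RESPONSE = (_TEMPLATE % "<ds:Signature/>").encode()


def inspect_saml_response(xml_bytes):
    """Report which signature elements are visible in a decoded SAML Response."""
    # SAML messages never need a DTD; refuse one rather than parse it.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not expected in SAML")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    # Direct children only: a Signature nested inside an Assertion covers
    # that assertion, not the Response.
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    assertion_signed = bool(assertions) and all(
        a.find("ds:Signature", NS) is not None for a in assertions)
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    return {
        "response_signature": response_signed,
        "plaintext_assertion_signature": assertion_signed,
        "encrypted_assertion": encrypted,
        # Assumption: flags the case in Conditions (encrypted assertion,
        # no Response-level signature element).
        "matches_bug_conditions": encrypted and not response_signed,
    }
```
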

Fix Information

None

Behavior Change
