Bug ID 439680: BIG-IP as SP fails to report unsupported key transport algorithms when processing encrypted assertions

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0

Opened: Dec 04, 2013

Severity: 5-Cosmetic

Symptoms

A BIG-IP system configured as a Service Provider (SP) supports only rsa-oaep for key transport (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p). When the BIG-IP system configured as an SP receives a SAML assertion that uses an unsupported encryption algorithm (for example, rsa-1_5 for key transport instead of rsa-oaep), the BIG-IP system fails to report that the algorithm is unsupported and proceeds to the decryption phase, which then fails. The only issue here is that the reported error does not directly point to the cause of the failure, which makes troubleshooting more difficult.
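The following is an added example, not F5 code: a pre-decryption check that reads the key transport algorithm from every EncryptedKey in an encrypted assertion or encrypted attribute and names the unsupported algorithm before any decryption is attempted, which is the behaviour the fix restores. It assumes a hypothetical SP that, like the one described here, accepts only rsa-oaep-mgf1p; the SAML response it inspects is constructed inline with placeholder cipher values, and the rsa-1_5 identifier is the standard XML Encryption URI for the unsupported example named above.

```python
"""Pre-decryption check of the key transport algorithm in a SAML response.

Added example (not F5 code): inspect every EncryptedKey before attempting
decryption and report the algorithm by name when it is not one the SP
supports, instead of letting the decryption step fail with an unrelated error.
"""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"

RSA_OAEP_MGF1P = XENC + "rsa-oaep-mgf1p"  # the only key transport the SP supports
RSA_1_5 = XENC + "rsa-1_5"                # the unsupported example from the bug text

# Assumption: a hypothetical SP that accepts only RSA-OAEP for key transport.
SUPPORTED_KEY_TRANSPORT = {RSA_OAEP_MGF1P}


def key_transport_algorithms(xml_text):
    """List (container, algorithm) for every EncryptedKey found under an
    EncryptedAssertion or EncryptedAttribute. algorithm is None when the
    EncryptedKey carries no EncryptionMethod."""
    root = ET.fromstring(xml_text)
    found = []
    for container in ("EncryptedAssertion", "EncryptedAttribute"):
        for elem in root.iter(f"{{{SAML}}}{container}"):
            # EncryptedKey may sit inside ds:KeyInfo or beside xenc:EncryptedData;
            # iter() walks the whole subtree, so both placements are covered.
            for ek in elem.iter(f"{{{XENC}}}EncryptedKey"):
                method = ek.find(f"{{{XENC}}}EncryptionMethod")
                alg = method.get("Algorithm") if method is not None else None
                found.append((container, alg))
    return found


def validate_key_transport(xml_text, supported=SUPPORTED_KEY_TRANSPORT):
    """Return a list of human-readable problems. An empty list means every
    key transport algorithm is supported and decryption may proceed."""
    problems = []
    for container, alg in key_transport_algorithms(xml_text):
        if alg is None:
            problems.append(f"{container}: EncryptedKey has no EncryptionMethod/Algorithm")
        elif alg not in supported:
            problems.append(
                f"{container}: unsupported key transport algorithm {alg}; "
                f"supported: {', '.join(sorted(supported))}"
            )
    return problems


def sample_response(key_alg, attribute_key_alg=None):
    """Constructed (not captured) SAML response with an EncryptedAssertion and,
    optionally, a second plain Assertion holding an EncryptedAttribute.
    Cipher values are placeholders; only the algorithm URIs matter here."""
    def encrypted_key(alg):
        return (f'<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{alg}"/>'
                '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue>'
                '</xenc:CipherData></xenc:EncryptedKey>')

    def encrypted_data(alg):
        return ('<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">'
                '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>'
                f'<ds:KeyInfo>{encrypted_key(alg)}</ds:KeyInfo>'
                '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
                '</xenc:EncryptedData>')

    attr = ""
    if attribute_key_alg is not None:
        attr = ('<saml:Assertion><saml:AttributeStatement>'
                f'<saml:EncryptedAttribute>{encrypted_data(attribute_key_alg)}</saml:EncryptedAttribute>'
                '</saml:AttributeStatement></saml:Assertion>')
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'xmlns:xenc="{XENC}" xmlns:ds="{DS}">'
            f'<saml:EncryptedAssertion>{encrypted_data(key_alg)}</saml:EncryptedAssertion>'
            f'{attr}</samlp:Response>')


if __name__ == "__main__":
    for alg in (RSA_OAEP_MGF1P, RSA_1_5):
        print(alg, "->", validate_key_transport(sample_response(alg)) or "ok, proceed to decryption")
```

Run with an rsa-1_5 key transport and the check names the offending algorithm and the container it was found in, which is the line an operator wants in the log; with rsa-oaep-mgf1p it returns no problems and decryption can proceed. Checking EncryptedAttribute as well as EncryptedAssertion matches the Conditions section, which covers both encrypted assertions and assertions containing encrypted attributes.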

Impact

Troubleshooting could take longer.

Conditions

A BIG-IP system configured as an SP receives a SAML assertion that is encrypted or contains encrypted attributes.

Workaround

There is no workaround.

Fix Information

Unsupported algorithms are now logged correctly.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips