Symptoms

The BIG-IP APM SAML implementation by default does not support the deprecated RSA v1.5 key transport algorithm. F5 recommends against using this protocol, unless SAML interoperability is required for legacy 3rd party applications. Instead, RSA-OAEP should be used for key transport. Symptoms differ based on BIG-IP APM usage: 1. When BIG-IP is used as SP, encrypted assertions with key transport algorithm 'RSA v1.5' will be rejected. 2. When BIG-IP is used as IdP, encrypted assertions will always use RSA-OAEP as key transport algorithm.

Impact

SAML interoperability will fail with peers attempting to use RSA v1.5 key transport algorithm.

Conditions

For BIG-IP as IdP: - External SP requires use of RSA 1.5 as key transport algorithm for encrypted assertion or encrypted elements within assertion. For BIG-IP as SP: - External IdP generates assertion or encrypted elements within assertion using RSA 1.5 as key transport algorithm.

Workaround

For BIG-IP used as SP - configure external IdP to use RSA-OAEP as encryption key transport algorithm. There is no workaround for BIG-IP as IdP to generate encrypted assertion using RSA v1.5 as key transport algorithm.

Fix Information

Due to customer demand, starting with BIG-IP v12.1.0, the RSA v1.5 algorithm can be enabled on BIG-IP as IdP manually via console to TMSH, using this command: modify apm sso saml <saml IdP object name> key-transport-algorithm rsa-v1.5 NOTE: Be sure to save the configuration after changes are made via TMSH. Starting with BIG-IP v12.1.0, support for RSA v1.5 on BIG-IP as SP is enabled by default with no required configuration.

Behavior Change