Bug ID 534555: BIG-IP APM SAML and RSA v1.5 encryption key transport algorithm

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2

Fixed In:
12.1.0, 12.0.0 HF3

Opened: Jul 21, 2015
Severity: 2-Critical


The BIG-IP APM SAML implementation by default does not support the deprecated RSA v1.5 key transport algorithm. F5 recommends against using this protocol, unless SAML interoperability is required for legacy 3rd party applications. Instead, RSA-OAEP should be used for key transport. Symptoms differ based on BIG-IP APM usage: 1. When BIG-IP is used as SP, encrypted assertions with key transport algorithm 'RSA v1.5' will be rejected. 2. When BIG-IP is used as IdP, encrypted assertions will always use RSA-OAEP as key transport algorithm.


SAML interoperability will fail with peers attempting to use RSA v1.5 key transport algorithm.


For BIG-IP as IdP: - External SP requires use of RSA 1.5 as key transport algorithm for encrypted assertion or encrypted elements within assertion. For BIG-IP as SP: - External IdP generates assertion or encrypted elements within assertion using RSA 1.5 as key transport algorithm.


For BIG-IP used as SP - configure external IdP to use RSA-OAEP as encryption key transport algorithm. There is no workaround for BIG-IP as IdP to generate encrypted assertion using RSA v1.5 as key transport algorithm.

Fix Information

Due to customer demand, starting with BIG-IP v12.1.0, the RSA v1.5 algorithm can be enabled on BIG-IP as IdP manually via console to TMSH, using this command: modify apm sso saml <saml IdP object name> key-transport-algorithm rsa-v1.5 NOTE: Be sure to save the configuration after changes are made via TMSH. Starting with BIG-IP v12.1.0, support for RSA v1.5 on BIG-IP as SP is enabled by default with no required configuration.

Behavior Change