Bug ID 594388: Separate signature validation and encryption certificates used by SAML IdP

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP APM (all modules)

Fixed In:
13.0.0

Opened: May 19, 2016

Severity: 4-Minor

Symptoms

In TMOS v11.3 through v11.6 releases, only one certificate can be configured for a SAML SP connector (apm sso saml-sp-connector, "sp-certificate" attribute). The Identity Provider uses this certificate both to verify the signature of incoming ArtifactResolve requests and, if encryption is enabled in the IdP settings, to encrypt the assertion and/or specified SAML attributes.

Impact

Limited support for external Service Providers that require different certificates for signing/decryption.

Conditions

This restriction prevents support for SP configurations where separate keys/certs are used for encryption and signing.

Workaround

None

Fix Information

In version 12.0 it is now possible to configure SP connector objects with two certificates:

sp-certificate <-- certificate used by IdP to validate signatures on messages received from SP.
sp-encryption-certificate <-- certificate used by IdP to encrypt assertion/subject/attributes when encryption is enabled.

A similar symmetrical change was also implemented when BIG-IP is used as SAML SP. When BIG-IP is used as SAML SP, it is also possible to configure two certificates in the AAA SAML object:

sp-certificate <-- certificate used by SP to sign Authentication Requests.
sp-decryption-cert <-- certificate used by SP to decrypt assertions/subject/attributes.
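To decide whether an external SP needs the two-certificate layout described above, its SAML metadata can be checked for distinct signing and encryption keys. The following is an added example, not F5 code: the function names, the entityID and the certificate bodies are constructed placeholders. The signing fingerprint corresponds to what would be loaded as sp-certificate and the encryption fingerprint to sp-encryption-certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata; certificate bodies are placeholder bytes, not real X.509.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QUFBQS1zaWduaW5n</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QkJCQi1lbmNy
        eXB0aW9u</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_key_usage(metadata_xml):
    """Return {'signing': set, 'encryption': set} of SHA-256 certificate fingerprints."""
    if "<!DOCTYPE" in metadata_xml.upper():
        raise ValueError("DTD in SAML metadata refused")  # metadata is untrusted input
    root = ET.fromstring(metadata_xml)
    usage = {"signing": set(), "encryption": set()}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")  # a KeyDescriptor without "use" serves both purposes
        targets = [use] if use in usage else list(usage) if use is None else []
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))  # unwrap lines
            digest = hashlib.sha256(der).hexdigest()
            for t in targets:
                usage[t].add(digest)
    return usage


def needs_separate_certificates(metadata_xml):
    """True when the SP publishes encryption keys that differ from its signing keys."""
    usage = sp_key_usage(metadata_xml)
    return bool(usage["encryption"]) and usage["encryption"] != usage["signing"]
```

An SP whose metadata makes `needs_separate_certificates` return True is the case the single "sp-certificate" attribute in v11.3 through v11.6 could not serve.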

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips