Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP APM
Fixed In:
13.0.0
Opened: May 19, 2016 Severity: 4-Minor
In TMOS v11.3 through v11.6 releases, only one certificate can be configured for a SAML SP connector (apm sso saml-sp-connector, "sp-certificate" attribute). The Identity Provider uses this single certificate both to verify the signature on incoming ArtifactResolve requests and, if encryption is enabled in the IdP settings, to encrypt the assertion and/or the specified SAML attributes.
Limited support for external Service Providers that require different certificates for signing/decryption.
This restriction prevents support for external SP configurations in which separate keys/certificates are used for encryption and for signing, which is a common setup because the SP's signing key is only ever used to produce signatures while its decryption key must be protected as the key that unlocks received assertions.
None
In version 12.0 it is now possible to configure SP connector objects with two certificates:

sp-certificate: certificate used by the IdP to validate signatures on messages received from the SP.
sp-encryption-certificate: certificate used by the IdP to encrypt the assertion/subject/attributes when encryption is enabled.

===========

A symmetrical change was also implemented for the case where BIG-IP is used as a SAML SP. In that role it is also possible to configure two certificates in the AAA SAML object:

sp-certificate: certificate used by the SP to sign Authentication Requests.
sp-decryption-cert: certificate used by the SP to decrypt assertions/subject/attributes.