Bug ID 774301: Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList

Last Modified: Aug 08, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 15.0.0, 15.0.1

Fixed In:
12.1.5

Opened: Apr 18, 2019
Severity: 3-Major

Symptoms

When the BIG-IP system is configured as SAML IdP or SAML SP processes SAML Requests/Responses, the verification of digital signature fails in certain cases: err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response

Impact

Output does not match the 'Canonicalized element without Signature' calculated by APM. BIG-IP SAML IdP or SAM SP fails to process SAML Requests/Responses resulting in errors. Cannot deploy APM as SAML SP with Assertion Artifact binding.

Conditions

-- BIG-IP system is configured as SAML IdP or SAML SP. -- SAML sends the "ArtifactResponse" message with both "ArtifactResponse" and "Assertion" signed. -- This is also applicable to any SAML requests/responses that are signed: a) SAML Authentication Request b) SAML Assertion c) SAML Artifact Response e) SAML SLO Request/Response

Workaround

None.

Fix Information

Output now matches the Canonicalized element without Signature' calculated by APM, so deployment occurs without error.

Behavior Change