Bug ID 824885: When BIG-IP is deployed as a SAML SP, it cannot decrypt an assertion received from the IdP if the assertion is encrypted using an AES-GCM algorithm

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 16.0.0, 16.0.1

Fixed In:

Opened: Sep 11, 2019
Severity: 4-Minor


Symptoms

BIG-IP as SAML Service Provider (SP) fails to decrypt an assertion that was encrypted using AES-GCM and logs the following error:

err apmd[13452]: 01490202:3: session: SAML Agent: ag failed to process encrypted assertion, error: Unsupported encryption algorithm.


Impact

Because the assertion cannot be decrypted, BIG-IP as SAML SP cannot verify it, so access policy execution may fail when BIG-IP as SAML SP is configured to authenticate client end users.


Conditions

BIG-IP as SAML SP receives an encrypted assertion from an IdP, and the IdP encrypted the assertion using one of the AES-GCM algorithms.
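A practitioner can check whether an IdP will trigger this condition before relying on an affected BIG-IP APM version as the SP: the data-encryption algorithm is advertised in the clear in the EncryptionMethod element of the EncryptedAssertion, so it can be read from a captured SAMLResponse without any key material. The script below is an added example written for this page, not F5 code. The SAML Response it parses is constructed, with placeholder ciphertext, and the AES-GCM identifiers are the XML Encryption 1.1 URIs for AES128-GCM, AES192-GCM and AES256-GCM.

```python
"""Report the XML Encryption algorithm used for each EncryptedAssertion in a
SAML Response and flag the AES-GCM identifiers that affected BIG-IP APM
versions reject. Added example for this page; not F5 code."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# XML Encryption 1.1 identifiers for the AES-GCM family. An assertion encrypted
# with any of these is the case the bug describes.
AES_GCM_ALGORITHMS = {
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "http://www.w3.org/2009/xmlenc11#aes192-gcm",
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
}


def build_sample_response(data_alg: str) -> str:
    """Constructed SAML Response carrying one EncryptedAssertion whose data
    encryption algorithm is data_alg. The CipherValue is placeholder bytes,
    not a real ciphertext; only the EncryptionMethod matters for this check."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="{data_alg}"/>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def decode_saml_response(form_value: str) -> str:
    """Decode the base64 SAMLResponse form parameter of an HTTP-POST binding
    (what a browser developer tools capture of the IdP's POST to the SP shows)."""
    return base64.b64decode(form_value).decode("utf-8")


def encrypted_assertion_algorithms(response_xml: str) -> list:
    """Return the EncryptionMethod Algorithm URI of every EncryptedAssertion in
    the Response. An empty list means the assertions are sent unencrypted and
    this bug does not apply."""
    root = ET.fromstring(response_xml)
    algorithms = []
    for enc in root.findall("saml:EncryptedAssertion", NS):
        method = enc.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        algorithms.append(method.get("Algorithm", "") if method is not None else "")
    return algorithms


def affected_algorithms(response_xml: str) -> list:
    """Return only those assertion algorithms that affected versions cannot decrypt."""
    return [a for a in encrypted_assertion_algorithms(response_xml)
            if a in AES_GCM_ALGORITHMS]


if __name__ == "__main__":
    # Simulate two IdP configurations: AES-256-GCM (hits the bug) and AES-256-CBC.
    for alg in ("http://www.w3.org/2009/xmlenc11#aes256-gcm",
                "http://www.w3.org/2001/04/xmlenc#aes256-cbc"):
        posted = base64.b64encode(build_sample_response(alg).encode()).decode()
        xml_text = decode_saml_response(posted)
        verdict = "affected by Bug ID 824885" if affected_algorithms(xml_text) else "not affected"
        print(f"{alg}: {verdict}")
```

To check a real IdP, replace the constructed response with the SAMLResponse value captured from the IdP's POST to the SP ACS URL and pass it to decode_saml_response; a non-empty result from affected_algorithms means the IdP must be reconfigured to a non-GCM data encryption algorithm, or the BIG-IP upgraded to a fixed version, before the access policy will complete.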



Fix Information

BIG-IP as SAML Service Provider can now decrypt assertions encrypted with any algorithm in the AES-GCM family: AES128-GCM, AES192-GCM, and AES256-GCM (XML Encryption 1.1 identifiers http://www.w3.org/2009/xmlenc11#aes128-gcm, http://www.w3.org/2009/xmlenc11#aes192-gcm, and http://www.w3.org/2009/xmlenc11#aes256-gcm).

Behavior Change