
SAML configuration with F5 APM as an IdP: SSOv2 Authn Request requires signature verification

Hi all,

I guess I have to ask my first question here in DevCentral.

I am trying to configure SSO with a SAML IdP to which the Cornerstone system should be connected, using AD authentication on our side (later maybe SLO etc.). This means I want to use direct SP-initiated connections.

Process: the Cornerstone link is opened, redirecting to our IdP (F5 APM), which authenticates the user, and then the SAML assertion should be sent back to Cornerstone. The last step does not work.

In the tmm logs, I can see the following output and currently do not know how to proceed. Any ideas? (I will post more details, I have no clue what is interesting for solving this)

Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 SAML configuration: SAML_RES=&SAML_RES_LIST=&SAML_SSO=/Common/IDP_Internal_AD
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 POST, Authn Request body size: 2100
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 Authn Request size: 2076
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 Base64 decoded Authn Request size: 1537
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 REQ_ID: (37) _b7ab300f-cec1-4eff-a611-294c17308719
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 SAML_VERSION: (3) 2.0
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 ISSUE_INSTANT: (28) 2014-09-30T12:14:39.0622224Z
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 SAML_ACS_BINDING: (46) urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 ACS_URL: (59) https://x.csod.com/samldefault.aspx
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 ISSUER: (42) https://x.csod.com
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 XPATH_DIGEST_VALUE: (28) eXLbYIGJq3Qch1AGxr7u30B02js=
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 XPATH_SIGNATURE_VALUE: (172) abla60q5q+CR2ufsesKvxUffvFMVkL7Y6s5GvS2Jj3N7GpIPntw59w29YrV0lp4+2AnFofKqtMziRrn27uOf0cEvXQbdkV3vIjzD70aOoNscvVC6zoU+2ALlBJpi2KgMiP6yGBSkrVSI66GomGGQ5ZJ3nmDKp90g8pQgcKWB/BE=
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 NAME_ID_FORMAT: (53) urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 Using SSO config: /Common/IDP_Internal_AD with SP Connector: /Common/CornerStone_Pilot from ACCESS profile
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 Authn Request requires signature verification
Sep 30 14:14:39 KMLLB01 err tmm1[15919]: 014d0002:3: 7c109e1f: SSOv2 Error verifying SAML message signature - signature size (128 bytes) does not match SP certificate key size (256 bytes)
Sep 30 14:14:39 KMLLB01 err tmm1[15919]: 014d0002:3: 7c109e1f: SSOv2 Error(12) Signature verification failed for SAML Authentication Request

Thanks for any help!

Best regards, Felix

Comments on this Question
Comment made 14-Jun-2017 by Jason 84

Felix, did you have any details on the config to use with Cornerstone? I am trying to set up SAML now and they won't provide the SP cert. Did you have any details?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 Authn Request requires signature verification

Sep 30 14:14:39 KMLLB01 err tmm1[15919]: 014d0002:3: 7c109e1f: SSOv2 Error verifying SAML message signature - signature size (128 bytes) does not match SP certificate key size (256 bytes)

You may want to check if you are using the SSL cert obtained from the SP on the external SP connector (Security settings) attached to the IdP.


Hi kunjan,

You are right. I included the wrong SP cert... I was confused about that since I did not activate encrypting the assertion (only then is the SP key changeable or able to be activated), but it seemed to be necessary to activate the checkbox, include the SP certificate and then uncheck the box for encryption again...

Thanks for that hint!

Here the successful logs:

Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 SAML configuration: SAML_RES=&SAML_RES_LIST=&SAML_SSO=/Common/IDP_Internal_AD
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 POST, Authn Request body size: 2100
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Authn Request size: 2076
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Base64 decoded Authn Request size: 1537
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 REQ_ID: (37) _b0d46ec7-d511-464b-8e26-b497fdcc11a2
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 SAML_VERSION: (3) 2.0
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 ISSUE_INSTANT: (28) 2014-10-01T18:56:55.0422565Z
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 SAML_ACS_BINDING: (46) urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 ACS_URL: (59) https://x.csod.com/samldefault.aspx
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 ISSUER: (42) https://x.csod.com
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 XPATH_DIGEST_VALUE: (28) 7erxeW3U99ef44HGFpfYBX5bttg=
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 XPATH_SIGNATURE_VALUE: (172) mCIWMEYZ5RDzXhBY5qGmOWqNeGdGlAo+kCIFjcWGDnRWFj/XZ82L0k7IcGZMn6mSPMM19rKRRTIA3uUHDxL3pnNp9RYiC2Spij8VmPDPCOOoEecM8Cu5TdMt1D6Rsug8743J2hH2cGzqzFicoqAFWRLk6EYFj9E/5bLuimQUj24=
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 NAME_ID_FORMAT: (53) urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Using SSO config: /Common/IDP_Internal_AD with SP Connector: /Common/CornerStone_Pilot from ACCESS profile
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Authn Request requires signature verification
Oct 1 20:57:05 KMLLB01 info tmm[15919]: 014d0002:6: 7e7c2659: SSOv2 Successfully verified SAML message signature
Oct 1 20:57:05 KMLLB01 info tmm[15919]: 014d0002:6: 7e7c2659: SSOv2 Using SAML SSO object (/Common/IDP_Internal_AD) with SP Connector (/Common/CornerStone_Pilot)
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Authn Request Validation Status Message: urn:oasis:names:tc:SAML:2.0:status:Success
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Size of the Buffer needed for Assertion: 1747
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Assertion TimeStamp - Valid until: 2014-10-01T19:07:05Z
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Canonicalized SignedInfo size: 826
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Signing SAML message with 2048-bit RSA key: /Common/wildcard.konicaminolta.eu.key
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Size of Signature element: 3310
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Signed SAML message size: 5056
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Size of SAML response: 5056
Oct 1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Relay State from SP:
Oct 1 20:57:05 KMLLB01 notice tmm[15919]: 014d0002:5: 7e7c2659: SSOv2 Sent SAML Response (size: 7375)

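A small triage helper for this class of failure, added here as an example and not part of any answer in the thread: it reads APM's SSOv2 tmm lines and uses the fact that an RSA PKCS#1 v1.5 signature is exactly as long as the signer's modulus, so the 128-byte versus 256-byte error above means the SP connector holds some certificate other than the SP's signing certificate. The sample log lines are constructed to mirror the two excerpts in this thread, and the function and field names are my own.

```python
import base64
import re

# Patterns for the F5 APM "SSOv2" tmm log lines shown on this page.
SIG_RE = re.compile(r"SSOv2 XPATH_SIGNATURE_VALUE: \(\d+\) (\S+)")
ISSUER_RE = re.compile(r"SSOv2 ISSUER: \(\d+\) (\S+)")
MISMATCH_RE = re.compile(r"signature size \((\d+) bytes\) does not match SP certificate key size \((\d+) bytes\)")
OK_RE = re.compile(r"SSOv2 Successfully verified SAML message signature")

def triage_ssov2(log_text, sp_connector_key_bits=None):
    """Classify an SSOv2 AuthnRequest exchange from APM tmm log lines.

    An RSA PKCS#1 v1.5 signature is exactly as long as the signer's modulus, so the decoded
    SignatureValue length reveals the SP's signing key size (128 bytes = 1024-bit). APM checks
    it against the certificate loaded in the SP connector; a mismatch means the connector holds
    some other certificate, not the SP's signing one. The optional argument is the connector's
    key size and is overridden by APM's own error line when present.
    """
    r = {"issuer": None, "signer_key_bits": None, "verified": False,
         "sp_connector_key_bits": sp_connector_key_bits, "diagnosis": None}
    for line in log_text.splitlines():
        if m := ISSUER_RE.search(line):
            r["issuer"] = m.group(1)
        if m := SIG_RE.search(line):
            r["signer_key_bits"] = len(base64.b64decode(m.group(1))) * 8
        if m := MISMATCH_RE.search(line):
            r["signer_key_bits"] = int(m.group(1)) * 8
            r["sp_connector_key_bits"] = int(m.group(2)) * 8
        if OK_RE.search(line):
            r["verified"] = True
    s, c = r["signer_key_bits"], r["sp_connector_key_bits"]
    if r["verified"]:
        r["diagnosis"] = f"verified: {r['issuer']} signs with a {s}-bit key"
    elif s and c and s != c:
        r["diagnosis"] = (f"wrong SP certificate in connector: {r['issuer']} signed with a "
                          f"{s}-bit key but the connector holds a {c}-bit certificate")
    elif s and c:
        r["diagnosis"] = "key sizes match; the failure is not a size mismatch"
    return r

# Constructed samples modelled on the two excerpts on this page; the 128-byte signature
# is synthetic but has the same (172)-character base64 length as the values in the logs.
SIG_1024 = base64.b64encode(b"\x5a" * 128).decode()
PFX = "Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 "
COMMON = PFX + "ISSUER: (42) https://x.csod.com\n" + PFX + "XPATH_SIGNATURE_VALUE: (172) " + SIG_1024 + "\n"
FAILED_LOG = COMMON + ("Sep 30 14:14:39 KMLLB01 err tmm1[15919]: 014d0002:3: 7c109e1f: SSOv2 Error verifying "
                       "SAML message signature - signature size (128 bytes) does not match SP certificate key size (256 bytes)\n")
SUCCESS_LOG = COMMON + ("Oct 1 20:57:05 KMLLB01 info tmm[15919]: 014d0002:6: 7e7c2659: SSOv2 "
                        "Successfully verified SAML message signature\n")
```

Note that the successful log in Felix's reply also carries a 172-character (128-byte) SignatureValue, so the SP signs its AuthnRequests with a 1024-bit key; that is below current key-length guidance and worth raising with the SP even though verification now succeeds.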

Felix, I am new to F5 and SAML, but I am trying to set up a SAML 2.0 connection into Cornerstone. Do you have any directions or help setting up APM?

Walt

Felix,

Is there any chance to share the metadata and the APM policy?

Thank you in advance.
