Forum Discussion

Mike_125354
May 16, 2013

F5 SAML Authentication

One month ago, we opened a case with F5 about SAML Authentication, and haven't got the proper answer yet. Disappointing...

While still waiting for their answer, I hope I can reach someone here who really understands the issue.

 

Many thanks,

 

This is the question we asked F5 support team,

 

We are testing SAML authentication (Big-IP as SP) on VE (BIGIP-11.3.0.2806.0-scsi.ova). The authentication failed, and we saw this log entry in Access Policy -> Reports: "SAML Agent: /Common/bletchley_act_saml_auth_ag failed to process signed assertion, error: Digest of SignedInfo mismatch".

We are bemused by this error message, as we use the OpenSAML Java library to generate the SAML response (sign the XML). Our IDP works very well with Google and Juniper etc. We double checked the response (you can see it in the attachment, samlres02.txt) and decoded it into saml02.xml with https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php. This XML file (with enveloped signature) passed the test under the Firefox XML Digital Signature Tool. We also checked it with the Java XML Digital Signature API (Validate.java), and it also passed. If it is not a known issue on VE BIGIP-11.3.0.2806.0, can you please ask your technical team to have a look?

 

19 Replies

  • Mike,

    SAML support is brand new in 11.3, so it's doubtful that most (including myself) have tested every possible third-party integration. The error would seem to indicate that the SP didn't like the signature, so two things:

    1. Can you attach the samlres02.txt document you referred to, and

    2. What signature algorithm did you use?

  • Thanks Kevin,

    I tried to upload a zip file; unfortunately this site does not allow zip and xml files, or even Java source code.

    Here is the txt file.

    You can decode it to get the XML content, and in the XML you can see the algorithms:

    DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"

    SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"

  • Hi, Kevin,

    I uploaded the zip file (which includes Validate.java) to my Google Drive, you can download it from

    https://docs.google.com/file/d/0B-RceMGOJfLUNldRODN2aV80Rnc/edit?usp=sharing

  • Hi, Kevin,

    Are you an F5 insider, or can you easily approach F5 insiders? If yes, please ask them to take a look at my analysis at

    http://nano-art.blogspot.co.uk/2013/05/saml-authentication-on-f5-big-ip-part-3.html

    I believe Apache Santuario is doing it right, and F5 is doing it wrong on XML canonicalization.

    Many thanks.

  • Hi Mike,

    Can you post your case number or email me (aaron at f5 dot com)? No promises, but I'll try to make sure Support properly considers the issue.

    Thanks, Aaron
    • jussihar_118259
      Yes. IDP is external and I don't have access to it, the IDP admin says all is good there according to logs. F5 apm logs say:
      modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionDigest()" line: 3625 Msg: Assertion Content without Signature
      modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 4037 Msg: ERROR: verifying the digest of SAML Response failed to process signed assertion, error: Digest of SignedInfo mismatch
    • boneyard
      using version 11.3? i really would try a new version, like aaron mentioned 11.3 was the first with saml support and many issues have been solved since.
  • I had a battle with the F5 support team. If you are interested in it, you can read my blog

    http://nano-art.blogspot.co.uk/2013/05/saml-authentication-on-f5-big-ip-part-1.html

    (parts 1-4)

    After some deep digging, I finally figured out the root cause myself: the IDP returned a SAML response whose signature was on the response part, but F5 expected a response whose signature is on the assertion part (WantAssertionsSigned="true").

    F5's error message "Digest of SignedInfo mismatch" was not very helpful in my case. Once I had an insight into SAML (actually the hardest part is XML signature), I told myself what a joke it was, as we can easily tell whether the signature is on the response part or the assertion part from the Reference URI in the SAML response content.

    • Filip_Verlaeckt (Historic F5 Account)
      So what exactly did you change in the configuration to make this work then?
    • boneyard
      from what I read in the blog the issue is with what part of the SAML response is signed, the full response or just the assertion. what is signed in your case Navarro?
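A quick way to apply Mike's observation above (which part is signed can be read from the Reference URI), as an added example that is not from the thread, F5 or OpenSAML: parse the Response, resolve each ds:Reference URI against the document's ID attributes, and report whether the signature is enveloped in the Response or in the Assertion. The sample Responses are constructed with dummy digest and signature values, and sample_response, signed_parts and assertion_is_signed are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Constructed enveloped-signature skeleton with dummy digest/signature values: only the structure matters here.
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
       '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
       '<ds:Reference URI="#{id}"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
       '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>'
       '<ds:SignatureValue>BBBB</ds:SignatureValue></ds:Signature>')

def sample_response(sign_assertion):
    """Constructed SAML Response, signed either on the Assertion (what an SP with
    WantAssertionsSigned="true" expects) or on the Response (what Mike's IDP sent)."""
    asn_sig = SIG.format(id="_asn1") if sign_assertion else ""
    rsp_sig = "" if sign_assertion else SIG.format(id="_resp1")
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">'
            f'{rsp_sig}<saml:Assertion ID="_asn1" Version="2.0"><saml:Issuer>'
            f'https://idp.example.test</saml:Issuer>{asn_sig}</saml:Assertion></samlp:Response>')

def signed_parts(xml_text):
    """For each ds:Signature, report which element its Reference URI resolves to,
    which element encloses the Signature (the two must agree for an enveloped
    signature) and the digest/signature algorithm URIs."""
    root = ET.fromstring(xml_text)
    local = lambda el: el.tag.rsplit("}", 1)[-1]   # "{ns}Assertion" -> "Assertion"
    ids = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    parent = {child: p for p in root.iter() for child in p}
    out = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        sig_alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
        for ref in sig.iterfind("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            if uri == "":
                target = root                  # empty URI: the whole document is signed
            elif uri.startswith("#"):
                target = ids.get(uri[1:])      # same-document ID reference
            else:
                target = None                  # external URI: not acceptable in SAML
            out.append({"signed": local(target) if target is not None else None,
                        "enclosing": local(parent[sig]), "uri": uri,
                        "digest": ref.find("ds:DigestMethod", NS).get("Algorithm"),
                        "signature": sig_alg})
    return out

def assertion_is_signed(xml_text):
    """True when a signature is both enveloped in and references the Assertion."""
    return any(p["signed"] == p["enclosing"] == "Assertion" for p in signed_parts(xml_text))
```

Run signed_parts over a decoded real Response to see at a glance whether the IDP signed the Response or the Assertion; it does not verify the signature itself, only where it sits.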