SAML SP with Google as IDP error decrypting RSA

Question

I am trying to test out using Google as IdP with SAML authentication.&nbsp;
I keep getting failed to process signed assertion, error: RSA decrypt in the logs.&nbsp;
I created the IdP on Google then imported the metadata to external IDP Connectors.
Then I created an local SP service and gave google the ACS and EntityID.&nbsp;
I created the access profile  and setup a flow requiring my SP/IDP setup defined above.
The flow works but when the assertion comes back from Google, the APM says "failed to process signed assertion, error: RSA decrypt".&nbsp;
Google is using RSA-sha256 for the signature algorithm.  What am I missing here?&nbsp;

pjcampbell_7243 · Answer

Here is the assertion from Google:
https://accounts.google.com/o/saml2?idpid=C03xfobhghttps://accounts.google.com/o/saml2?idpid=C03xfobhgI/z2jtIh5/yW/RNLubIV49joQqIwJulFibTCWg+GGhw=YucV85zrb4fwQ97qj/Ia6xZJMNs7rLrvkc+KwwX5j4yXR6g7Vhuu3KcsYPC0iWtUazpKL8ShumtI qvK87tTVoh2iIgsUO/z/7K1wQ0pY2LLpFOywZSggaZ+PPgQLI/6f2KUJo7j20X92BLa0ZeFGLC96 FImpL4++1BF+vZxu4e54zmyJsozr2Hxv9a5CsRLIay5096vajaLQCnG+FJ4COSaaKD0EBiBBTgJP 4pSJGCcyJWp6C4N2CyYcuxoaW38rp9VfsN2R9e9PSPdVcevbHiFgCqvaAbv1LMUPllJWZ1YETWVR h6BZfDqg3i89AK3sOEpD+aRU39wJqbU2YnV0DA==ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.MIIDdDCCAlygAwIBAgIGAVsXDbDtMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMTcwMzI4 MjIzMzQwWhcNMjIwMzI3MjIzMzQwWjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEA9TcyXZqwMBhItaQ8N8O/RDRqlX6gY9jarMWfQGGGlov6zZIJFRrs+BxmsVgtLhL4 vRbbxQuL8lmyP+ZBV0Jh9yroNnYJMJaLZh7GcpObLUm/r2aZB0jKNyM+OgdbIvhZIY1UG3wnjfjw Tdo2w4GbCp6weZ6B2/b5pRuNVEwlVxVETiCEhQCjGFCDIoQ6BqExS6LfB7dC5emQIHnYqYqFV0dB KXa+5QkGPYF3A3vg/p2v002jo4ROtmmVRt1aaLdtvoFUoB/kjfUudXHSL/iyTXq8x2gMFUGPQCKt J7R+Z8VmN1JVT1EsxPPuRWpgkCd788rMkwJWL9ex3CK6+aOi4wIDAQABMA0GCSqGSIb3DQEBCwUA A4IBAQCKPH4oQIL8rWr8Kseib/xCdjURp3R3+mvdge8+0Hgqf/Prf26IgLJVmjiHFX8tFdiclBqj VJwK5/7ny68DC77/bbHnynTksYREcPs0LyMo6p9+A2nGvlTIM6qNhdidAGJeWZMHVPHMOxF+SjDB 6ZyTlMF8veni6kFs6UiOYq/rsus6m/dq/YIXdRNCBIE8sxNPC5KYcc4aDgA66yRP+8Tx5NBhONJN ITbSG2R5OTbMN/CGGDZztOF7UbpSLQzDQcO+hl38PwSlxNR9G9KuyYOdezelTH7UcAZyxD7BBy03 BPw8YHEexpjsef1IvWSer/8SLe6f4ppp7BcWnhbYZKRApcampbell@MYGOOGLEEMAILDOMAINHEREhttps://MYACSDOMAINHERE/googlesamltestpcampbell@MYGOOGLEEMAILDOMAINHEREurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

pjcampbell_7243 · Answer

This is just a test account so I don't mind sharing the Google IDP address.&nbsp;

pjcampbell_7243 · Answer

I figured it out.  The cert automatically imported from the metadata didn't work right for some reason.  I manually imported the cert and specified it in the external Idp  connector.&nbsp;

Forum Discussion

SAML SP with Google as IDP error decrypting RSA

3 Replies

Recent Discussions

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Related Content

Decrypt, Encrypt, Decrypt, Encrypt, Encrypt....

Decrypting BIG-IP Packet Captures without iRules

Decrypting TLS with the tcpdump sslprovider

Chameleon Malware, Ransomware Decryption Tool Dec 18-24, 2023 - F5 SIRT - This Week in Security

Google Tag Manager