SAML configuration with F5 APM as an IdP: SSOv2 Authn Request requires signature verification

Question

HI all,&nbsp;
I guess I have to ask my first question here in DevCentral.&nbsp;
I try to configure SSO with SAML IdP where Cornerstone system should be connected while using AD authentication on our side (later maybe SLO etc.).
This means, I want to use direct SP initiated connections to be done.&nbsp;
Process:
Cornerstone link will be opened, redirecting to our IDP F5 APM, then authenticating the user and then the SAML assertion should be sent back to Cornerstone.
The last step does not work.&nbsp;
In the tmm logs, I can see the following output and currently do not know how to proceed.
Any ideas? (I will post more details, I have no clue what is interesting for solving this)&nbsp;
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 SAML configuration: SAML_RES=&amp;SAML_RES_LIST=&amp;SAML_SSO=/Common/IDP_Internal_AD
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 POST, Authn Request body size: 2100
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 Authn Request size: 2076
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 Base64 decoded Authn Request size: 1537
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 REQ_ID: (37) _b7ab300f-cec1-4eff-a611-294c17308719
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 SAML_VERSION: (3) 2.0
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 ISSUE_INSTANT: (28) 2014-09-30T12:14:39.0622224Z
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 SAML_ACS_BINDING: (46) urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 ACS_URL: (59) https://x.csod.com/samldefault.aspx
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 ISSUER: (42) https://x.csod.com
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 XPATH_DIGEST_VALUE: (28) eXLbYIGJq3Qch1AGxr7u30B02js=
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 XPATH_SIGNATURE_VALUE: (172) abla60q5q+CR2ufsesKvxUffvFMVkL7Y6s5GvS2Jj3N7GpIPntw59w29YrV0lp4+2AnFofKqtMziRrn27uOf0cEvXQbdkV3vIjzD70aOoNscvVC6zoU+2ALlBJpi2KgMiP6yGBSkrVSI66GomGGQ5ZJ3nmDKp90g8pQgcKWB/BE=
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 NAME_ID_FORMAT: (53) urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 Using SSO config: /Common/IDP_Internal_AD with SP Connector: /Common/CornerStone_Pilot from ACCESS profile
Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 Authn Request requires signature verification
Sep 30 14:14:39 KMLLB01 err tmm1[15919]: 014d0002:3: 7c109e1f: SSOv2 Error verifying SAML message signature - signature size (128 bytes) does not match SP certificate key size (256 bytes)
Sep 30 14:14:39 KMLLB01 err tmm1[15919]: 014d0002:3: 7c109e1f: SSOv2 Error(12) Signature verification failed for SAML Authentication Request&nbsp;
Thanks for any help!&nbsp;
Best regards,
Felix&nbsp;

kunjan · Answer

Sep 30 14:14:39 KMLLB01 debug tmm1[15919]: 014d0002:7: 7c109e1f: SSOv2 Authn Request requires signature verification

Sep 30 14:14:39 KMLLB01 err tmm1[15919]: 014d0002:3: 7c109e1f: SSOv2 Error verifying SAML message signature - signature size (128 bytes) does not match SP certificate key size (256 bytes)

You may want to check  if you are using the SSL cert obtained from SP on the external SP connector(Security settings) attached to IdP .

felix_marwede · Answer

Hi kunjan,&nbsp;
you are right.
I included the wrong SP cert... I was confused about that since I did not activate encrypting the asertion (only then the SP key is changeable or able to activate), but it seemed to be necessary to activate the checkbox, include the SP certificate and then uncheck then box for encryption again...&nbsp;
Thanks for that hint!&nbsp;
Here the succesful logs:&nbsp;

Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 SAML configuration: SAML_RES=&amp;SAML_RES_LIST=&amp;SAML_SSO=/Common/IDP_Internal_AD
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 POST, Authn Request body size: 2100
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Authn Request size: 2076
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Base64 decoded Authn Request size: 1537
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 REQ_ID: (37) _b0d46ec7-d511-464b-8e26-b497fdcc11a2
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 SAML_VERSION: (3) 2.0
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 ISSUE_INSTANT: (28) 2014-10-01T18:56:55.0422565Z
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 SAML_ACS_BINDING: (46) urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 ACS_URL: (59) https://x.csod.com/samldefault.aspx
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 ISSUER: (42) https://x.csod.com
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 XPATH_DIGEST_VALUE: (28) 7erxeW3U99ef44HGFpfYBX5bttg=
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 XPATH_SIGNATURE_VALUE: (172) mCIWMEYZ5RDzXhBY5qGmOWqNeGdGlAo+kCIFjcWGDnRWFj/XZ82L0k7IcGZMn6mSPMM19rKRRTIA3uUHDxL3pnNp9RYiC2Spij8VmPDPCOOoEecM8Cu5TdMt1D6Rsug8743J2hH2cGzqzFicoqAFWRLk6EYFj9E/5bLuimQUj24=
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 NAME_ID_FORMAT: (53) urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Using SSO config: /Common/IDP_Internal_AD with SP Connector: /Common/CornerStone_Pilot from ACCESS profile
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Authn Request requires signature verification
Oct  1 20:57:05 KMLLB01 info tmm[15919]: 014d0002:6: 7e7c2659: SSOv2 Successfully verified SAML message signature
Oct  1 20:57:05 KMLLB01 info tmm[15919]: 014d0002:6: 7e7c2659: SSOv2 Using SAML SSO object (/Common/IDP_Internal_AD) with SP Connector (/Common/CornerStone_Pilot)
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Authn Request Validation Status Message: urn:oasis:names:tc:SAML:2.0:status:Success
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Size of the Buffer needed for Assertion: 1747
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Assertion TimeStamp - Valid until: 2014-10-01T19:07:05Z
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Canonicalized SignedInfo size: 826
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Signing SAML message with 2048-bit RSA key: /Common/wildcard.konicaminolta.eu.key
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Size of Signature element: 3310
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Signed SAML message size: 5056
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Size of SAML response: 5056
Oct  1 20:57:05 KMLLB01 debug tmm[15919]: 014d0002:7: 7e7c2659: SSOv2 Relay State from SP:
Oct  1 20:57:05 KMLLB01 notice tmm[15919]: 014d0002:5: 7e7c2659: SSOv2 Sent SAML Response (size: 7375)&nbsp;

walt_seidel_151 · Answer

Felix,
    I am new to F5 and SAML but I am trying to setup SAML 2.0 connection into cornerstone.  Do you have any directions or help setting up APM?
Walt

kunjan · Answer

You may refer to the Soln article&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/30.html&nbsp;

jason_130176 · Answer

Felix Did you have any details on the config to use with Cornerstone, I am trying to set up SAML now and they won't provide the SP Cert, did you have any details?&nbsp;

Forum Discussion

SAML configuration with F5 APM as an IdP: SSOv2 Authn Request requires signature verification

6 Replies

Recent Discussions

(How) can I get two client certificates in one APM session?

Open Redirection Mitigation

BIG-IP DNS iRule issue with static variable

how can I find the software version is 32 bit or 64 bit from LTM 15.1.10.4

Using okta as SSO to login F5 GUI

Related Content

Configure NGINX microgateway for MTLS termination and client certificate hash verification

Support of WAF Signature Staging in F5 Distributed Cloud (XC)

BoT Defense Profile, Signature Enforcement

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Wildcard Parameter signature attack