Wednesday 14 May 2014

SAML Authentication on F5 Big-IP (Part 5)

It is time to conclude this subject.

The F5 support team finally lost interest and stopped replying to my questions, I think because I was only a trial user. I had to put this issue aside for weeks.

Once I felt I had a solid understanding of SAML, especially XML signatures, I decided to review the issue again by myself.

When my eyes rested on the attribute WantAssertionsSigned in the F5 BIG-IP metadata, I immediately realized I had the answer! The IdP sent a SAML Response whose signature covered the whole Response, while the F5 BIG-IP appliance's metadata specified that it expected the signature on the Assertion part of the Response.

After modifying the response (computing the signature over the Assertion part instead), it worked!

I blushed with embarrassment, as SAML authentication on F5 BIG-IP did work all along (at least it accepted a signature on the Assertion; I am not sure whether it accepts a signature on the Response). However, the F5 error message "Digest of SignedInfo mismatch" had puzzled everyone.

If we look at the response again, it is now very obvious that the signature was on the Response instead of the Assertion: just compare the value of the Reference URI with the ID attributes (the values starting with an underscore) of the Response and Assertion elements!
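As an added diagnostic (not the post's own code), the Python snippet below performs exactly that comparison: it resolves each ds:Reference URI in a SAML Response against the ID attributes in the document and reports whether the signature covers the Response or the Assertion, which is what an SP with WantAssertionsSigned="true" checks first. The sample Response is constructed; it only locates the signed element and does not verify digests or the signature value.

```python
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response and its XML-DSig signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_targets(xml_text):
    """Resolve each ds:Reference URI against the ID attributes in the document.

    Returns a list of (uri, element) pairs where element is "Response",
    "Assertion", or None if the URI points at no ID in the document.
    This does not verify digests or the SignatureValue; it only answers
    "which element does the signature claim to cover?".
    """
    root = ET.fromstring(xml_text)
    # Map every ID value to the local name of the element carrying it.
    ids = {el.attrib["ID"]: el.tag.split("}")[-1]
           for el in root.iter() if "ID" in el.attrib}
    targets = []
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.attrib.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        targets.append((uri, target))
    return targets


def satisfies_want_assertions_signed(xml_text):
    """True when some signature covers an Assertion, which is what an SP
    whose metadata says WantAssertionsSigned="true" requires."""
    return any(t == "Assertion" for _, t in signature_targets(xml_text))


# Constructed sample (not a real capture): the Reference URI names the
# Response ID, and the Assertion carries no signature of its own.
RESPONSE_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_asrt1" Version="2.0"><saml:Issuer>idp</saml:Issuer></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(signature_targets(RESPONSE_SIGNED))                 # [('#_resp1', 'Response')]
    print(satisfies_want_assertions_signed(RESPONSE_SIGNED))  # False
```

Run it against a decoded SAMLResponse from a failing login; a result naming "Response" while the SP metadata says WantAssertionsSigned="true" is the mismatch described in this post.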

Silly me! But could the F5 error message be more intuitive?

1 comment:

Unknown said...

Can you help and explain how you fixed this issue?