SAML Signature mismatch error


Article ID: 176585


Products

Symantec Products

Issue/Introduction

F5 BIG-IP SAML is configured with VIP and returns a "Digest of signature mismatch" error:

SAML Agent: /Common/uri_check_act_saml_auth_ag failed to process signed assertion, error: Digest of signature mismatch

Cause

BIG-IP supports only exclusive canonicalization for SAML messages.  Exclusive Canonicalization ensures that signatures created over SAML messages embedded in an XML context can be verified independent of that context. 

F5 rejects our response because of the canonicalization method used in VIP. We recommend and accept assertions in the supported format, but send the response using a different canonicalization.
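To confirm this cause on a captured SAML response, the following added example (not code from this article, VIP or F5) lists every canonicalization algorithm declared inside `ds:Signature` that is not exclusive C14N. The function names and the sample document are constructed for illustration, and checking both `CanonicalizationMethod` and `Transform` is an assumption about where the mismatch can appear.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
EXC_C14N = {
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}
# Transform that is not a canonicalization and is expected in SAML signatures.
NON_C14N_TRANSFORMS = {"http://www.w3.org/2000/09/xmldsig#enveloped-signature"}

def audit_c14n(saml_xml: bytes):
    """Return (location, algorithm) pairs that are not exclusive C14N."""
    if b"<!DOCTYPE" in saml_xml:
        raise ValueError("DTD not allowed in SAML messages")
    root = ET.fromstring(saml_xml)
    findings = []
    for sig in root.iter(DS + "Signature"):
        for cm in sig.iter(DS + "CanonicalizationMethod"):
            alg = cm.get("Algorithm", "")
            if alg not in EXC_C14N:
                findings.append(("SignedInfo/CanonicalizationMethod", alg))
        for tr in sig.iter(DS + "Transform"):
            alg = tr.get("Algorithm", "")
            if alg not in EXC_C14N and alg not in NON_C14N_TRANSFORMS:
                findings.append(("Reference/Transform", alg))
    return findings

def audit_b64(saml_response_b64: str):
    """Same check for the base64 SAMLResponse value from an HTTP-POST binding."""
    return audit_c14n(base64.b64decode(saml_response_b64))

# Constructed sample: signature skeleton only, digest and signature values omitted.
SAMPLE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed1">
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_constructed1"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:Response>"""

if __name__ == "__main__":
    for where, alg in audit_c14n(SAMPLE):
        print(f"non-exclusive canonicalization at {where}: {alg}")
```

An empty result means every declared canonicalization is exclusive C14N, so the mismatch has to be investigated elsewhere.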


Resolution

This issue is resolved in VIP 9.8.