Last Modified: Sep 24, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5
Fixed In:
17.1.0, 16.1.4
Opened: Apr 12, 2021
Severity: 3-Major
In a SAML IdP-initiated flow, the redirect fails when accessing a SAML resource a second time, because multiple assertions are posted to the SP on the same access session
Multiple assertions are sent to the SP on the same access session, and the backend application fails to render the second time.
1. BIG-IP SAML SP and IdP are configured for an IdP-initiated flow.
2. Accessing the SAML resource succeeds the first time but fails the second time on the same access session.
For an access policy that contains an allow ending:

    when HTTP_REQUEST {
        # A POST to the SP assertion consumer URI on a session that is already in the allow state is redirected to "/"
        if { [HTTP::uri] eq "/saml/sp/profile/post/acs" && [ACCESS::session exists -state_allow -sid [ACCESS::session sid]] } {
            HTTP::redirect "/"
        }
    }

For an access policy that contains a redirect ending:

    when HTTP_REQUEST {
        # Same check, for a session that is already in the redirect state
        if { [HTTP::uri] eq "/saml/sp/profile/post/acs" && [ACCESS::session exists -state_redirect -sid [ACCESS::session sid]] } {
            HTTP::redirect "/"
        }
    }

If relay-state is implemented, edit the iRule's redirect URI to match the one configured in the relay-state.
BIG-IP as SP processes all of the assertions received on a single access session and successfully renders the backend application.