Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Opened: Oct 20, 2023 Severity: 3-Major
Symptoms:
Two chained SAML configurations are in place: APM SAML SP1 <-> APM SAML IdP1 (SLO with HTTP-POST binding) and APM SAML SP2 <-> AAD SAML IdP2 (SLO with HTTP-Redirect binding). When SAML SP1 sends a POST SLO request to APM SAML IdP1, it includes an empty RelayState as a form field. APM SAML SP2 then sends a GET SLO request to AAD SAML IdP2, adding that empty RelayState as a query parameter and calculating the signature with it included.
Impact:
The SAML SLO logout function does not execute properly.
Conditions:
SAML is configured with BIG-IP acting as both SP and IdP, with SLO using the HTTP-Redirect binding.
Workaround:
The following iRule removes an empty RelayState query parameter from the Location header of the SLO redirect before it reaches the client:

    when CLIENT_ACCEPTED {
        # Let iRule events fire on responses generated by the APM access policy
        ACCESS::restrict_irule_events disable
    }

    when HTTP_RESPONSE_RELEASE {
        if { [HTTP::header exists Location] } {
            set h [HTTP::header Location]
            set hlen [string length $h]
            # "RelayState=" is 11 characters: it occupies ri..ri+10 and the value starts at ri+11
            set ri [string first "RelayState=" $h]
            set ri2 [expr $ri - 1]
            if { $ri > 0 } {
                set re [expr $ri + 10]
                set re2 [expr $ri + 11]
                if { $re2 == $hlen } {
                    # Empty RelayState is the last parameter: drop the preceding
                    # separator ("&" or "?") together with "RelayState="
                    set hr [string replace $h $ri2 $re]
                    HTTP::header replace Location $hr
                } elseif { [string index $h $re2] == "&" } {
                    # Empty RelayState is followed by more parameters: drop "RelayState=&"
                    set hr [string replace $h $ri $re2]
                    HTTP::header replace Location $hr
                }
            }
        }
    }
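The rewrite the iRule performs, ported to Python as an added example (this is not F5's code and is not part of the original page; the hostnames and parameter values are constructed, and Python is used only because it can be run without a BIG-IP). The same block also reconstructs the octet string the SAML HTTP-Redirect binding signs (SAMLRequest=, then RelayState= only when the parameter is present, then SigAlg=), so that the string the SP signed with an empty RelayState can be compared with what the IdP would rebuild after the parameter has been removed. That comparison is the check to make before relying on the workaround: the signature is computed before the Location header is rewritten, so it covers the unstripped query.

```python
"""Added example (not F5's code): a Python port of the workaround iRule's
Location-header rewrite, plus the HTTP-Redirect binding's signature input,
so the effect of stripping an empty RelayState can be seen side by side.
Hostnames and parameter values below are constructed."""
from urllib.parse import urlsplit

# Constructed redirect URLs in the two shapes the iRule handles, plus one
# with a non-empty RelayState that must be left alone.
EMPTY_LAST = "https://idp.example.com/saml2/logout?SAMLRequest=ZGVmbGF0ZWQ%3D&RelayState="
EMPTY_MIDDLE = (
    "https://idp.example.com/saml2/logout?SAMLRequest=ZGVmbGF0ZWQ%3D&RelayState="
    "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=c2ln"
)
NON_EMPTY = "https://idp.example.com/saml2/logout?SAMLRequest=ZGVmbGF0ZWQ%3D&RelayState=abc"


def strip_empty_relay_state(h: str) -> str:
    """Port of the iRule's string arithmetic.

    'RelayState=' is 11 characters, so with ri = index of its 'R':
      ri+10 is the '=' and ri+11 is the first character of the value.
    Case 1: ri+11 == len(h)  -> value is empty and the parameter is last;
            drop the separator before 'RelayState' through the '='.
    Case 2: h[ri+11] == '&'  -> value is empty and more parameters follow;
            drop 'RelayState=&'.
    Anything else (not found, or a non-empty value) is returned unchanged.
    Like the iRule, this assumes 'RelayState=' does not occur inside another
    parameter's value (a deflated, base64 SAMLRequest never contains it).
    """
    ri = h.find("RelayState=")
    if ri <= 0:
        return h
    re_, re2 = ri + 10, ri + 11
    if re2 == len(h):
        return h[:ri - 1] + h[re_ + 1:]
    if h[re2] == "&":
        return h[:ri] + h[re2 + 1:]
    return h


def signed_input_from_query(query: str) -> str:
    """Rebuild the octet string the HTTP-Redirect binding signs/verifies.

    Per SAML 2.0 Bindings section 3.4.4.1 it is the raw (still URL-encoded)
    SAMLRequest= or SAMLResponse= component, then RelayState= only if that
    parameter is present at all (an empty value still counts as present),
    then SigAlg=, joined with '&' in that order. Signature= is not included.
    """
    raw = {}
    for piece in query.split("&"):
        name, _, value = piece.partition("=")
        raw.setdefault(name, value)  # keep the first occurrence of a name
    msg = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    parts = [msg + "=" + raw[msg]]
    if "RelayState" in raw:
        parts.append("RelayState=" + raw["RelayState"])
    if "SigAlg" in raw:
        parts.append("SigAlg=" + raw["SigAlg"])
    return "&".join(parts)


def signed_input_before_and_after(location: str) -> tuple:
    """Signature input as the SP signed it (before the rewrite) versus what
    the IdP reconstructs from the rewritten Location header (after)."""
    before = signed_input_from_query(urlsplit(location).query)
    after = signed_input_from_query(urlsplit(strip_empty_relay_state(location)).query)
    return before, after


if __name__ == "__main__":
    for url in (EMPTY_LAST, EMPTY_MIDDLE, NON_EMPTY):
        print(strip_empty_relay_state(url))
    before, after = signed_input_before_and_after(EMPTY_MIDDLE)
    print("signed by SP:", before)
    print("seen by IdP :", after)
    print("identical   :", before == after)
```

Running the script prints the three rewritten URLs (only the two with an empty RelayState change) and then shows that the signed input with `RelayState=` present differs from the one the IdP derives once the parameter is gone.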
Fix Information:
None