Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3
Fixed In:
14.0.0, 13.1.0.4, 12.1.5.1
Opened: Sep 27, 2017 Severity: 3-Major
When BIG-IP is used as SAML IdP, and signing is configured, BIG-IP will sign the message by configured signing key, and include last certificate from the configured signing certificate chain in the SAML protocol message. Expected behavior is to include first certificate from the configured signing certificate chain. The same applies to SAML SP generating SLO request/response messages.
Impact is based on the SAML implementation on the receiving end of message sent by BIG-IP. Some implementation may drop signed SAML message if last certificate from the bundle is included in the message. Other implementations will accept such signed messages. Note that signing operation itself is performed correctly by BIG-IP using configured signing certificate, and digital signature will contain correct value.
All of the following: - BIG-IP is used as SAML IdP or SAML as SP with SLO configured. - BIG-IP generates signed SAML response containing assertion or SLO request/response - Configured on BIG-IP signing certificate is a security chain and not a single certificate
Instead of using signing certificate chain, change BIG-IP SAML IdP/SP configured signing certificate to refer to a standalone signing certificate (single X509 object) by extracting first certificate from the chain.
After the fix, BIG-IP will include first certificate found within configured signing certificate (chain).