Bug ID 1010961: Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3

Opened: Apr 12, 2021
Severity: 3-Major

Symptoms

In the SAML IdP-initiated flow, the redirect fails when the SAML Resource is accessed a second time, because multiple assertions are posted to the SP within the same access session.

Impact

Multiple assertions are sent to the SP within the same access session, and the backend application fails to render on the second access.

Conditions

1. BIG-IP SAML SP and IdP are configured for the IdP-initiated flow.
2. Accessing the SAML Resource succeeds the first time but fails the second time within the same access session.

Workaround

For an access policy that contains an Allow ending:

    when HTTP_REQUEST {
        if { [HTTP::uri] eq "/saml/sp/profile/post/acs" && [ACCESS::session exists -state_allow -sid [ACCESS::session sid]] } {
            HTTP::redirect "/"
        }
    }

For an access policy that contains a Redirect ending:

    when HTTP_REQUEST {
        if { [HTTP::uri] eq "/saml/sp/profile/post/acs" && [ACCESS::session exists -state_redirect -sid [ACCESS::session sid]] } {
            HTTP::redirect "/"
        }
    }

If relay-state is implemented, edit the iRule's redirect URI to match the URI configured in the relay-state.
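The two workaround iRules above can be combined into a single rule that covers both policy endings, keeps the redirect target in one place so it can be aligned with a relay-state URI, and logs each short-circuited assertion so the repeated POSTs are visible in the LTM log. This is an added example, not an iRule from the bug record or from F5; the `static::saml_post_acs_target` variable name and the empty-session guard are assumptions.

```tcl
when RULE_INIT {
    # Assumed: the URI to send an already-established session to.
    # Set this to the relay-state URI if relay-state is configured.
    set static::saml_post_acs_target "/"
}

when HTTP_REQUEST {
    # Only intercept the SP's POST Assertion Consumer Service endpoint.
    if { [HTTP::uri] ne "/saml/sp/profile/post/acs" } {
        return
    }

    # Assumption: ACCESS::session sid yields an empty string when the
    # connection carries no APM session, so a first-time login falls
    # through to normal assertion processing.
    set sid [ACCESS::session sid]
    if { $sid eq "" } {
        return
    }

    # The session already reached an Allow or Redirect ending, so a
    # second assertion for it is the condition that triggers this bug.
    # Redirect instead of letting APM consume the assertion again.
    if { [ACCESS::session exists -state_allow -sid $sid] ||
         [ACCESS::session exists -state_redirect -sid $sid] } {
        log local0. "SAML ACS re-post for established session $sid from [IP::client_addr]; redirecting to $static::saml_post_acs_target"
        HTTP::redirect $static::saml_post_acs_target
    }
}
```

Attach the iRule to the virtual server that hosts the SAML SP; the log line provides a simple way to confirm the condition is being hit before and after the fix is applied.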

Fix Information

None

Behavior Change