Bug ID 1010961: Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow

Last Modified: Apr 17, 2024

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,,, 15.1.9,, 15.1.10,,,, 16.1.0, 16.1.1, 16.1.2,,, 16.1.3,,,,,

Fixed In:
17.1.0, 16.1.4

Opened: Apr 12, 2021

Severity: 3-Major


In SAML idp initiated Flow, redirects fails on accessing SAML Resource second time as multiple assertions are posted to the SP on same access session


Multiple assertions are sent to SP on same access session and fails to render the backend application second time.


1. BIG-IP SAML SP and IDP configured for IDP initiated Flow 2. Access SAML Resource first time is successful but fails second time for same access session


For Access policy contains an allow ending: when HTTP_REQUEST { if { [HTTP::uri] eq "/saml/sp/profile/post/acs" && [ACCESS::session exists -state_allow -sid [ACCESS::session sid]] } { HTTP::redirect "/" } } For access policy contains a redirect ending: when HTTP_REQUEST { if { [HTTP::uri] eq "/saml/sp/profile/post/acs" && [ACCESS::session exists -state_redirect -sid [ACCESS::session sid]] } { HTTP::redirect "/" } } If relay-state implemented, edit the iRule's redirect uri to match that configured in the relay-state.

Fix Information

BIG-IP as SP processes all of the assertions received on a single access session and successfully renders the backend application.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips