Last Modified: Dec 04, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.5.0, 17.5.1, 17.5.1.2, 17.5.1.3
Opened: Oct 22, 2025
Severity: 2-Critical
SAML authentication fails with errors such as “Invalid signature” or “Signature verification failed”
End users are unable to log in using SSO due to authentication errors
SAML SP is configured with:
    is-authn-request-signed = true
    sso-binding = http-redirect
    want-detached-signature = true
A RelayState parameter is included in the SAML AuthnRequest.
Occurs on BIG-IP APM versions 17.1.x and above.
Remove the RelayState parameter from the SAML AuthnRequest configuration, if possible. This restores successful signature validation. Example: remove relay-state from the SP AAA SAML object configuration.
Alternatively, use HTTP-POST binding instead of HTTP-Redirect.
There is no configuration-based workaround if RelayState is required and Redirect binding must be used.
None
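For troubleshooting the conditions above: in the SAML 2.0 HTTP-Redirect binding the detached signature covers the still percent-encoded string `SAMLRequest=...&RelayState=...&SigAlg=...`, so RelayState is part of the signed input whenever it is sent. The following is an added example, not F5 code and not a statement of this bug's root cause. It rebuilds that string from a redirect URL and shows that a check which leaves RelayState out fails. The URL, key and request value are constructed, and HMAC-SHA256 is used instead of the usual RSA so the script needs only the standard library.

```python
import base64, hashlib, hmac
from urllib.parse import quote, unquote, urlsplit

# SAML 2.0 Bindings 3.4.4.1: the signature covers these parameters, in this order.
SIG_ORDER = ("SAMLRequest", "RelayState", "SigAlg")
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"

def raw_params(url):
    """Query parameters exactly as sent (values still percent-encoded)."""
    pairs = (p.partition("=") for p in urlsplit(url).query.split("&") if p)
    return {name: value for name, _, value in pairs}

def signed_octets(url, include_relay_state=True):
    """Byte string the Redirect-binding signature is computed over."""
    raw = raw_params(url)
    keep = [k for k in SIG_ORDER if k in raw and (include_relay_state or k != "RelayState")]
    return "&".join(f"{k}={raw[k]}" for k in keep).encode("ascii")

def verify(url, key, include_relay_state=True):
    """Check the Signature parameter against the reconstructed input."""
    sig = base64.b64decode(unquote(raw_params(url)["Signature"]))
    mac = hmac.new(key, signed_octets(url, include_relay_state), hashlib.sha256).digest()
    return hmac.compare_digest(sig, mac)

def build_url(base, saml_request, relay_state, key):
    """Constructed signer used only to produce sample redirect URLs."""
    q = "SAMLRequest=" + quote(saml_request, safe="")
    if relay_state is not None:
        q += "&RelayState=" + quote(relay_state, safe="")
    q += "&SigAlg=" + quote(HMAC_SHA256, safe="")
    sig = base64.b64encode(hmac.new(key, q.encode("ascii"), hashlib.sha256).digest()).decode()
    return f"{base}?{q}&Signature={quote(sig, safe='')}"

# Constructed sample data: placeholder request value, hypothetical IdP URL and key.
KEY = b"constructed-demo-key"
URL = build_url("https://idp.example/sso", "ZmFrZS1kZWZsYXRlZC1yZXF1ZXN0", "/portal?tab=1", KEY)

if __name__ == "__main__":
    print(signed_octets(URL).decode())
    print("RelayState included:", verify(URL, KEY))
    print("RelayState omitted: ", verify(URL, KEY, include_relay_state=False))
```

To test a real capture, pass the redirect URL from a browser trace to `signed_octets` and verify that string against the SP signing certificate with the algorithm named in `SigAlg`.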