Last Modified: Apr 10, 2019
Known Affected Versions:
11.5.0, 11.4.0 HF3, 11.3.0 HF8
Opened: Jun 18, 2013
Related AskF5 Article: K16765
When creating SAML IdP objects from a metadata file, the BIG-IP system may select the wrong certificate as the IdP signing certificate.
Because the wrong certificate is used for signing, the whole authentication process breaks: the signed data cannot be verified correctly.
If the metadata file contains multiple certificates and uses <md:KeyDescriptor use="signing"> to identify the signing certificate, BIG-IP picks the last certificate in the file instead of the certificate whose signing attribute is set.
This issue has no workaround at this time.
With the fix, the SAML metadata import feature selects the correct certificate when the metadata file contains multiple certificates.
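As an added illustration (not F5's code) of the selection the fix describes: a small Python parser over a constructed metadata sample whose use="signing" descriptor comes first and whose use="encryption" descriptor comes last, showing the buggy "last certificate wins" choice beside the correct one. The entityID and certificate bodies are placeholders.

```python
"""Select the IdP signing certificate from SAML 2.0 metadata.

Added example, not BIG-IP code: picks the KeyDescriptor with use="signing"
rather than the last certificate in the file.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: signing cert first, encryption cert last.
# Certificate bodies are placeholders, not real base64 DER.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _certificates(root):
    """Yield (use attribute, certificate text) for each KeyDescriptor in document order."""
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            yield kd.get("use"), "".join(cert.text.split())


def pick_last_certificate(metadata_xml):
    """The behaviour the bug describes: whichever certificate appears last wins."""
    certs = list(_certificates(ET.fromstring(metadata_xml)))
    return certs[-1][1] if certs else None


def pick_signing_certificate(metadata_xml):
    """Correct selection: prefer use="signing". A KeyDescriptor with no 'use'
    attribute is valid for both purposes and serves as the fallback; a
    use="encryption" certificate is never accepted for signature verification."""
    certs = list(_certificates(ET.fromstring(metadata_xml)))
    for use, cert in certs:
        if use == "signing":
            return cert
    for use, cert in certs:
        if use is None:
            return cert
    return None
```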