Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.3.0, 11.4.0
Fixed In:
11.5.0, 11.4.0 HF3, 11.3.0 HF8
Opened: Jun 18, 2013
Severity: 3-Major
Related Article:
K16765
When creating SAML IdP objects using a metadata file, the BIG-IP system may pick the wrong certificate for signing.
Because the wrong certificate is used for signing, the whole authentication process breaks and the signed data cannot be verified properly.
If the metadata file contains multiple certificates and uses <md:KeyDescriptor use="signing"> to identify the signing certificate, BIG-IP picks the last certificate in the file instead of the certificate with the signing attribute set.
This issue has no workaround at this time.
The SAML import metadata feature picks the correct certificate when there are multiple certificates.
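To check whether a given metadata file meets the conditions above, the following added example (not F5 code) compares the certificates marked for signing with the last certificate in the file. The function names, the entity ID and the placeholder certificate strings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: certificate bodies are placeholders, not real certificates.
SAMPLE_METADATA = f"""\
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
                     entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def key_descriptors(metadata_xml):
    """Return (use, certificate) pairs in document order; use is None if absent."""
    # Metadata from an untrusted source should go through a hardened XML parser.
    root = ET.fromstring(metadata_xml)
    pairs = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        cert = kd.find(f".//{{{DS}}}X509Certificate")
        if cert is not None and cert.text:
            pairs.append((kd.get("use"), "".join(cert.text.split())))
    return pairs


def signing_certs(metadata_xml):
    """Certificates marked use="signing", plus those with no use attribute,
    which the SAML metadata schema treats as valid for both purposes."""
    return [c for use, c in key_descriptors(metadata_xml) if use in (None, "signing")]


def last_cert(metadata_xml):
    """The certificate the affected versions pick: the last one in the file."""
    pairs = key_descriptors(metadata_xml)
    return pairs[-1][1] if pairs else None


def import_would_pick_wrong_cert(metadata_xml):
    """True when the last certificate in the file is not a signing certificate."""
    last = last_cert(metadata_xml)
    return last is not None and last not in signing_certs(metadata_xml)


if __name__ == "__main__":
    print("signing:", signing_certs(SAMPLE_METADATA))
    print("last in file:", last_cert(SAMPLE_METADATA))
    print("affected by this bug:", import_would_pick_wrong_cert(SAMPLE_METADATA))
```

A file for which `import_would_pick_wrong_cert` returns True matches the conditions described here; after import on an affected version, compare the certificate on the resulting object with the output of `signing_certs`.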