Bug ID 423527: When creating SAML IdP objects using a metadata file, BIG-IP system may pick up a wrong certificate for signing.

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.3.0, 11.4.0

Fixed In:
11.5.0, 11.4.0 HF3, 11.3.0 HF8

Opened: Jun 18, 2013
Severity: 3-Major
Related AskF5 Article:
K16765

Symptoms

When creating SAML IdP objects using a metadata file, BIG-IP system may pick up a wrong certificate for signing.

Impact

Because the wrong certificate is stored as the IdP's signing certificate, signatures on the SAML messages received from that IdP cannot be verified, and the whole authentication process fails.

Conditions

If the metadata file contains multiple certificates and uses <md:KeyDescriptor use="signing"> to identify the signing certificate, BIG-IP picks the last certificate in the file instead of the certificate whose KeyDescriptor carries the signing attribute.
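The following is an added illustration of the selection the condition describes; it is example code written for this page, not F5 code and not part of the original bug report. The metadata document, the entity ID and the certificate strings are constructed placeholders. It parses the IdP's <md:KeyDescriptor> elements and shows the faulty selection (take the last certificate, ignoring the use attribute) beside the selection the SAML metadata specification calls for: prefer descriptors with use="signing", and fall back to descriptors with no use attribute, which the specification treats as valid for both signing and encryption.

```python
"""Selecting the IdP signing certificate from SAML 2.0 metadata.

Constructed example, not F5 code. The sample metadata and certificate
values below are placeholders, not real certificates.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: encryption cert first, signing cert second, and a
# dual-use cert (no `use` attribute) last. An importer that takes the last
# <ds:X509Certificate> in file order ends up with OLD-DUAL-USE-CERT-BASE64.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        ENC-CERT-BASE64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        SIGNING-CERT-BASE64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        OLD-DUAL-USE-CERT-BASE64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _key_descriptors(metadata_xml):
    """Return [(use_attribute_or_None, base64_cert)] for every IdP KeyDescriptor
    that carries an X509Certificate, in document order.

    Metadata fetched from a third party is untrusted XML; in production parse
    it with defusedxml (or an equivalently hardened parser) rather than
    plain ElementTree.
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            continue
        # Base64 in metadata is commonly line-wrapped; drop all whitespace.
        found.append((kd.get("use"), "".join(cert.text.split())))
    return found


def pick_last_cert(metadata_xml):
    """The faulty selection described in the bug report: ignore the `use`
    attribute and keep whichever certificate appears last in the file."""
    certs = _key_descriptors(metadata_xml)
    return certs[-1][1] if certs else None


def pick_signing_certs(metadata_xml):
    """Spec-conformant selection. Returns a list, because an IdP in the
    middle of a key rollover may legitimately publish more than one signing
    certificate and the SP should accept a signature by any of them.

    Descriptors with use="signing" win; if there are none, descriptors with
    no `use` attribute apply to both signing and encryption and are used.
    Descriptors marked use="encryption" are never treated as signing keys.
    """
    certs = _key_descriptors(metadata_xml)
    signing = [cert for use, cert in certs if use == "signing"]
    if signing:
        return signing
    return [cert for use, cert in certs if use is None]


if __name__ == "__main__":
    print("last-in-file (faulty):", pick_last_cert(SAMPLE_METADATA))
    print("use=signing (correct):", pick_signing_certs(SAMPLE_METADATA))
```

Run against the sample, the faulty path returns the dual-use certificate that happens to be last in the file, while the correct path returns only the certificate flagged use="signing". An SP that stored the faulty result would reject every assertion signed with the IdP's actual signing key, which is the impact described above.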

Workaround

This issue has no workaround at this time.

Fix Information

The SAML import metadata feature picks the correct certificate when there are multiple certificates.

Behavior Change