Bug ID 428390: No messages are logged for client-initiated, form-based, SAML SSO

Last Modified: Nov 22, 2021

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.1 HF2, 11.4.0 HF6

Opened: Aug 20, 2013

Severity: 2-Critical

Symptoms

No messages are logged at any level for client-initiated, form-based, SAML SSO in /var/log/apm. Expected messages appear similar to the following:

info tmm0: 014d0002:6: 4c7897c8: SSOv2 Using SAML SSO object (/Common/bigip_sp_sso) with SP Connector (/Common/bigip_sp)
err tmm0: 014d0002:3: 4c7897c8: SSOv2 Error creating signed SAML Assertion - canonicalization failed
err tmm0: 014d0002:3: 4c7897c8: SSOv2 Error(12) Creating Signed SAML Assertion
err tmm0: 014d0002:3: SSOv2 plugin error(12) in sso/sso.c:427
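The following Python script is an added example, not part of this bug record or any F5 tooling. It parses /var/log/apm lines of the shape quoted above and reports whether any SSOv2 messages were recorded for an SSO attempt and which of them are error-level, which is the check an operator would run to tell this bug (reset with silent log) apart from a logged assertion-signing failure. It assumes the F5 convention that the number following the message ID is the syslog severity (3 = err, 6 = info); the position of the optional session-ID field is inferred from the quoted lines, and the sample lines are constructed from them.

```python
"""Check /var/log/apm for the SSOv2 messages a SAML IdP SSO attempt should produce.

Added example; line layout assumed from the messages quoted in the bug record:
    [<timestamp> <host>] <level> <process>: <message ID>:<severity>: [<session ID>:] <text>
"""
import re
import sys
from typing import Iterable, List, Optional

# Severity after the message ID follows syslog numbering (0 emerg .. 7 debug);
# anything at 3 (err) or below is treated as an error here.
ERROR_SEVERITY = 3

APM_LINE = re.compile(
    r"^(?:.*?\s)?"                                     # optional syslog timestamp/host prefix
    r"(?P<level>emerg|alert|crit|err|warning|notice|info|debug)\s+"
    r"(?P<proc>\S+):\s+"                               # emitting process, e.g. tmm0
    r"(?P<msgid>[0-9a-f]{8}):(?P<sev>\d):\s+"          # F5 message ID and syslog severity
    r"(?:(?P<session>[0-9a-f]{8}):\s+)?"               # APM session ID (absent on plugin errors)
    r"(?P<text>.*)$"
)

# Constructed from the lines quoted in the bug record (no timestamp prefix in the record).
SAMPLE_LINES = [
    "info tmm0: 014d0002:6: 4c7897c8: SSOv2 Using SAML SSO object (/Common/bigip_sp_sso) with SP Connector (/Common/bigip_sp)",
    "err tmm0: 014d0002:3: 4c7897c8: SSOv2 Error creating signed SAML Assertion - canonicalization failed",
    "err tmm0: 014d0002:3: 4c7897c8: SSOv2 Error(12) Creating Signed SAML Assertion",
    "err tmm0: 014d0002:3: SSOv2 plugin error(12) in sso/sso.c:427",
]


def parse_apm_line(line: str) -> Optional[dict]:
    """Split one APM log line into its fields; None if the line is not in the expected shape."""
    m = APM_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def sso_messages(lines: Iterable[str], session: Optional[str] = None) -> List[dict]:
    """Return the parsed SSOv2 records, optionally restricted to one APM session ID."""
    out = []
    for line in lines:
        rec = parse_apm_line(line)
        if rec is None or not rec["text"].startswith("SSOv2"):
            continue
        if session is not None and rec["session"] != session:
            continue
        out.append(rec)
    return out


def check_saml_sso_logging(lines: Iterable[str], session: Optional[str] = None) -> dict:
    """Summarise whether SSOv2 logging happened at all and list the error-level messages.

    logged == False after an SSO attempt that ended in a reset is the symptom
    described in this bug; error texts point at the actual failure when logging works.
    """
    recs = sso_messages(lines, session)
    errors = [r["text"] for r in recs if r["sev"] <= ERROR_SEVERITY]
    return {"logged": bool(recs), "count": len(recs), "errors": errors}


if __name__ == "__main__":
    # Usage: python check_apm_sso.py [/var/log/apm]; falls back to the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = check_saml_sso_logging(fh)
    else:
        result = check_saml_sso_logging(SAMPLE_LINES)
    print(result)
```

Run against the constructed samples the report shows four SSOv2 records, three of them at severity err; run against a live /var/log/apm after reproducing the Conditions below, an empty report (`logged: False`) while the client sees a reset is the behaviour this bug describes.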

Impact

Reset occurs. No messages are logged.

Conditions

This occurs when the BIG-IP system is configured as SAML IdP, as follows:

2. SAML SP connector is configured similar to the following:

apm sso saml-sp-connector /Common/bigip_sp {
    assertion-consumer-uri "https://chisd94036/login_saml.aspx\?SAMLRESPONSE=1&usertype=4&reauth=&f="
    entity-id https://172.31.54.61/bigip/sp
}

3. SAML resource and SAML SSO object are configured, and the previously configured SAML SP connector is assigned, as follows:

apm sso saml /Common/bigip_sp_sso {
    attributes {
        { name myname value "%{session.logon.last.username}" }
        { name Password value "%{session.sso.token.last.password}" }
    }
    entity-id https://bigip-example.com/idp
    idp-certificate /Common/samlsp_bigip.crt
    idp-signkey /Common/samlsp_key.key
    log-level info
    sp-connectors { /Common/bigip_sp }
    subject-value person@example.com
}
apm sso saml-resource /Common/bigigp_as_SP_res {
    customization-group /Common/bigigp_as_SP_res_saml_link_customization_1
    sso-config-saml /Common/bigip_sp_sso
}

4. These configured SAML resources are assigned to the Access policy using the Resource Assignment agent.

5. The Full webtop is created and assigned.

6. Log in to the BIG-IP system as IdP and click on the SAML resource.

Workaround

This issue has no workaround at this time.

Fix Information

Expected messages are once again logged for resets that occur in response to client-initiated, form-based, SAML SSO in /var/log/apm.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips