Last Modified: Nov 22, 2021
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.4.0, 11.4.1
Fixed In:
11.5.0, 11.4.1 HF2, 11.4.0 HF6
Opened: Aug 20, 2013
Severity: 2-Critical
Symptoms:
No messages are logged at any level in /var/log/apm for client-initiated, form-based SAML SSO. The expected messages appear similar to the following:

    info tmm0: 014d0002:6: 4c7897c8: SSOv2 Using SAML SSO object (/Common/bigip_sp_sso) with SP Connector (/Common/bigip_sp)
    err tmm0: 014d0002:3: 4c7897c8: SSOv2 Error creating signed SAML Assertion - canonicalization failed
    err tmm0: 014d0002:3: 4c7897c8: SSOv2 Error(12) Creating Signed SAML Assertion
    err tmm0: 014d0002:3: SSOv2 plugin error(12) in sso/sso.c:427
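The messages quoted above are the only record of why a signed assertion was not produced, so the practical check after an SSO failure is to pull them out of /var/log/apm per APM session. The script below is an added example and is not part of the F5 bug entry or of any F5 tooling: it parses the SSOv2 message format shown above (message code 014d0002, syslog severity digit, optional 8-hex-digit session ID), groups the events by session, reports sessions that selected a SAML SSO object and then logged an assertion error, and applies the caveat this entry implies: on 11.4.0 before HF6 and 11.4.1 before HF2, an empty result is not evidence that SSO succeeded. The sample log lines are constructed from the messages in the entry; the syslog timestamp/host prefix and the tmm pid suffix are assumptions about the surrounding line format.

```python
"""Check /var/log/apm text for SSOv2 SAML assertion-signing failures.

Added example for this bug entry (not F5 code). On BIG-IP APM 11.4.0 (before
HF6) and 11.4.1 (before HF2) these messages are not logged at all, so an
empty result on those builds proves nothing.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the expected messages quoted in the entry.
# The "Aug 20 ... bigip1" prefix and the tmm pid in brackets are assumed;
# the message code, session id and SSOv2 text are the ones the entry shows.
SAMPLE_APM_LOG = """\
Aug 20 10:15:01 bigip1 info tmm0[12345]: 014d0002:6: 4c7897c8: SSOv2 Using SAML SSO object (/Common/bigip_sp_sso) with SP Connector (/Common/bigip_sp)
Aug 20 10:15:01 bigip1 err tmm0[12345]: 014d0002:3: 4c7897c8: SSOv2 Error creating signed SAML Assertion - canonicalization failed
Aug 20 10:15:01 bigip1 err tmm0[12345]: 014d0002:3: 4c7897c8: SSOv2 Error(12) Creating Signed SAML Assertion
Aug 20 10:15:01 bigip1 err tmm0[12345]: 014d0002:3: SSOv2 plugin error(12) in sso/sso.c:427
Aug 20 10:16:44 bigip1 info tmm1[12345]: 014d0002:6: 9a1b2c3d: SSOv2 Using SAML SSO object (/Common/bigip_sp_sso) with SP Connector (/Common/bigip_sp)
"""

# First hotfix on each affected branch that carries the fix (from the entry).
FIXED_IN_HOTFIX = {"11.4.0": 6, "11.4.1": 2}

# 014d0002 is the SSOv2 message code; the digit after it is the syslog
# severity (6 = info, 3 = err). The 8-hex-digit APM session id is optional:
# the "plugin error" line in the entry carries none.
SSOV2_LINE = re.compile(
    r"\b(?P<level>debug|info|notice|warning|err|crit)\s+"
    r"tmm\d*(?:\[\d+\])?:\s+"
    r"014d0002:(?P<sev>\d):\s+"
    r"(?:(?P<sid>[0-9a-f]{8}):\s+)?"
    r"(?P<msg>SSOv2 .*)$"
)


def is_affected(version, hotfix=0):
    """True when the entry lists the build as affected (11.4.0 < HF6, 11.4.1 < HF2).
    11.5.0 and later, and any version not listed, are treated as not affected."""
    fixed = FIXED_IN_HOTFIX.get(version)
    return fixed is not None and hotfix < fixed


def parse_ssov2(text):
    """Extract SSOv2 events (severity, session id, message) from /var/log/apm text."""
    events = []
    for line in text.splitlines():
        m = SSOV2_LINE.search(line)
        if m:
            events.append({"sev": int(m["sev"]), "sid": m["sid"], "msg": m["msg"]})
    return events


def signing_failures(text):
    """Map session id -> SSOv2 error messages for sessions that selected a SAML
    SSO object and then failed to produce a signed assertion."""
    by_sid = defaultdict(list)
    for ev in parse_ssov2(text):
        if ev["sid"]:
            by_sid[ev["sid"]].append(ev)
    failures = {}
    for sid, evs in by_sid.items():
        started = any("Using SAML SSO object" in e["msg"] for e in evs)
        errors = [e["msg"] for e in evs if e["sev"] <= 3]  # err or worse
        if started and errors:
            failures[sid] = errors
    return failures


def check_log(text, version, hotfix=0):
    """Return (verdict, failures). Silence on an affected build is not success."""
    failures = signing_failures(text)
    if failures:
        return "signing-failures", failures
    if is_affected(version, hotfix):
        return "unverifiable-on-affected-build", failures
    return "no-failures-logged", failures


if __name__ == "__main__":
    verdict, found = check_log(SAMPLE_APM_LOG, "11.5.0")
    print(verdict)
    for sid, msgs in found.items():
        print(sid, *msgs, sep="\n  ")
```

Run it against a copied /var/log/apm (for example `check_log(open("apm.log").read(), "11.4.1", 1)`) and treat "unverifiable-on-affected-build" as a prompt to upgrade to a fixed build before trusting the absence of errors; the last line of the sample, which never reports an error, is grouped separately so only session 4c7897c8 is flagged.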
Impact:
The connection is reset, and no messages are logged in /var/log/apm, so the failed SAML SSO attempt cannot be diagnosed from the log.
Conditions:
This occurs when the BIG-IP system is configured as a SAML IdP, as follows:

2. A SAML SP connector is configured similar to the following:

    apm sso saml-sp-connector /Common/bigip_sp {
        assertion-consumer-uri "https://chisd94036/login_saml.aspx\?SAMLRESPONSE=1&usertype=4&reauth=&f="
        entity-id https://172.31.54.61/bigip/sp
    }

3. A SAML resource and a SAML SSO object are configured, and the previously configured SAML SP connector is assigned, as follows:

    apm sso saml /Common/bigip_sp_sso {
        attributes {
            { name myname value "%{session.logon.last.username}" }
            { name Password value "%{session.sso.token.last.password}" }
        }
        entity-id https://bigip-example.com/idp
        idp-certificate /Common/samlsp_bigip.crt
        idp-signkey /Common/samlsp_key.key
        log-level info
        sp-connectors { /Common/bigip_sp }
        subject-value person@example.com
    }
    apm sso saml-resource /Common/bigigp_as_SP_res {
        customization-group /Common/bigigp_as_SP_res_saml_link_customization_1
        sso-config-saml /Common/bigip_sp_sso
    }

4. The configured SAML resources are assigned to the access policy using the Resource Assignment agent.
5. A full webtop is created and assigned.
6. Log in to the BIG-IP system (acting as IdP) and click the SAML resource.
Workaround:
This issue has no workaround at this time.
Fix Information:
The expected messages are once again logged in /var/log/apm for resets that occur in response to client-initiated, form-based SAML SSO.