Bug ID 432102: HTML reserved characters not supported as part of SAML RelayState

Last Modified: Nov 07, 2022


Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3

Fixed In:
12.0.0, 11.6.0 HF4, 11.4.1 HF9

Opened: Sep 27, 2013
Severity: 3-Major
Related Article:
K15407

Symptoms

If the RelayState parameter includes HTML and XHTML special characters, BIG-IP acting as IdP or as SP does not process them correctly and does not send the complete RelayState value to the peer.

Impact

SAML integration with other products may not work properly when the configured RelayState parameter includes special characters.

Conditions

The configured RelayState parameter includes special characters.

Workaround

To use HTML reserved characters (", ', &, <, >) as part of the SAML RelayState, convert them to their HTML entities (&#34;, &#39;, &#38;, &#60;, &#62;).

Fix Information

When the BIG-IP system is configured as a SAML Identity Provider (IdP) or Service Provider (SP), it now URL encodes (or decodes, as applicable) the RelayState parameter.
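
Added example (not F5 code, and not from the bug report): how an HTML parser reads a hidden RelayState form field when the value is embedded raw, with the workaround's numeric entities, and URL-encoded as in the fix. The form template, URLs and sample value are constructed, and that RelayState travels in such a form is an assumption; the page does not describe the internal cause.

```python
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Workaround mapping from the page: reserved character -> numeric entity.
ENTITIES = {'"': "&#34;", "'": "&#39;", "&": "&#38;", "<": "&#60;", ">": "&#62;"}

# Constructed sample value; not taken from the bug report.
RELAY_STATE = 'https://app.example.com/home?team="blue"&view=<all>'


def entity_encode(value: str) -> str:
    """Apply the workaround: replace each reserved character exactly once."""
    return "".join(ENTITIES.get(ch, ch) for ch in value)


def post_form(attr_text: str) -> str:
    """Hypothetical auto-submit form; attr_text is inserted verbatim."""
    return ('<form method="post" action="https://sp.example.com/acs">'
            f'<input type="hidden" name="RelayState" value="{attr_text}">'
            '</form>')


class _FieldReader(HTMLParser):
    """Records the value attribute of the RelayState input as the parser sees it."""

    def __init__(self):
        super().__init__()
        self.relay_state = None

    def handle_starttag(self, tag, attrs):
        found = {}
        for name, val in attrs:
            found.setdefault(name, val)  # first occurrence wins
        if tag == "input" and found.get("name") == "RelayState":
            self.relay_state = found.get("value")


def received_relay_state(attr_text: str) -> str:
    """Return the RelayState a peer would read back from the form."""
    reader = _FieldReader()
    reader.feed(post_form(attr_text))
    reader.close()
    return reader.relay_state


def url_encoded_round_trip(value: str) -> str:
    """Percent-encode before embedding, decode after reading the field."""
    return unquote(received_relay_state(quote(value, safe="")))


if __name__ == "__main__":
    print("raw      :", received_relay_state(RELAY_STATE))
    print("entities :", received_relay_state(entity_encode(RELAY_STATE)))
    print("url-coded:", url_encoded_round_trip(RELAY_STATE))
```

The raw case stops at the first double quote, which matches the symptom of an incomplete RelayState value; the entity-encoded and URL-encoded cases return the full string.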

Behavior Change