Bug ID 434057: BIG-IP as service provider fails to accept SAML assertion

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.1 HF2, 11.4.0 HF4

Opened: Oct 15, 2013

Severity: 2-Critical

Related Article: K15091

Symptoms

BIG-IP configured as a service provider (SP) fails to accept a SAML assertion if SAML SLO is configured and the subject NameID Format is not specified as part of the SAML assertion.

Impact

We fail to process the SAML Assertion.

Conditions

This condition occurs when BIG-IP is used as a SAML Service Provider, SAML Single Logout is configured, and the assertion from the IdP (Identity Provider) does not include the NameID Format.

Workaround

Configure the SAML IdP so that it always sends the NameID Format element inside the SAML assertion.
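
To confirm the workaround has taken effect, a captured assertion can be checked for the Format attribute on the Subject's NameID. The following is an added example, not F5 code; the function name and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]


def nameid_format_findings(xml_text):
    """Report, per Assertion, whether Subject/NameID carries a Format.

    Returns a list of (assertion_id, status, detail) tuples where status is
    "ok", "missing-format" or "no-nameid". Diagnostic only: it does not
    verify signatures or decrypt EncryptedID/EncryptedAssertion elements.
    """
    root = ET.fromstring(xml_text)
    # The Assertion may be the document root or nested in a samlp:Response.
    assertions = [root] if root.tag == ASSERTION_TAG else []
    assertions += root.findall(".//saml:Assertion", NS)

    findings = []
    for assertion in assertions:
        assertion_id = assertion.get("ID", "<no ID>")
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None:
            findings.append((assertion_id, "no-nameid", None))
            continue
        fmt = (name_id.get("Format") or "").strip()
        if fmt:
            findings.append((assertion_id, "ok", fmt))
        else:
            findings.append((assertion_id, "missing-format", None))
    return findings


# Constructed sample: one assertion without Format, one with it.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for finding in nameid_format_findings(SAMPLE):
        print(finding)
```

An assertion reported as "missing-format" matches the condition described above on affected versions with SLO configured.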

Fix Information

BIG-IP as SP now accepts SAML assertions even if the NameID Format is missing from the assertion and SAML SLO is configured.

Behavior Change
