Bug ID 434057: BIG-IP as service provider fails to accept SAML assertion

Last Modified: Nov 22, 2021


Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.1 HF2, 11.4.0 HF4

Opened: Oct 15, 2013
Severity: 2-Critical
Related Article:
K15091

Symptoms

BIG-IP configured as a service provider (SP) fails to accept a SAML assertion if SAML SLO is configured and the subject NameID Format is not specified in the assertion.

Impact

BIG-IP fails to process the SAML assertion.

Conditions

This condition occurs when BIG-IP is used as a SAML service provider, SAML Single Logout (SLO) is configured, and the assertion from the identity provider (IdP) does not include a NameID Format.

Workaround

Configure the SAML IdP so that it always sends the NameID Format attribute inside the SAML assertion.
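To confirm the workaround is in effect, the following added example (not F5 code) decodes a captured base64 SAMLResponse and reports whether each assertion's Subject NameID carries a Format attribute. The function names, the finding labels and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML}


def check_nameid_format(saml_response_b64):
    """Return one finding per Assertion in a base64 SAMLResponse (HTTP-POST binding)."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # Refuse DTDs before parsing (UTF-8 input assumed); a SAML message has no use for one.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD not allowed in SAML message")
    root = ET.fromstring(xml_bytes)
    findings = []
    for assertion in root.iter("{%s}Assertion" % SAML):
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None:
            # Subject may be absent or carry an EncryptedID; it cannot be checked here.
            status, fmt = "no-plaintext-nameid", None
        else:
            fmt = name_id.get("Format")
            status = "ok" if fmt else "missing-format"
        findings.append({"assertion": assertion.get("ID"), "status": status, "format": fmt})
    return findings


def build_sample(with_format):
    """Constructed sample response; not captured from a real IdP."""
    fmt = ' Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"' if with_format else ""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
           '<saml:Assertion ID="_constructed1"><saml:Subject>'
           '<saml:NameID%s>user@example.com</saml:NameID>'
           '</saml:Subject></saml:Assertion></samlp:Response>') % (SAMLP, SAML, fmt)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for label, sample in (("with Format", build_sample(True)),
                          ("without Format", build_sample(False))):
        for finding in check_nameid_format(sample):
            print(label, "->", finding["status"], finding["format"])
```

The check inspects structure only and does not verify the assertion signature.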

Fix Information

BIG-IP as SP now accepts SAML assertions even if the NameID Format is missing from the assertion and SAML SLO is configured.

Behavior Change