Bug ID 440468: SAML: APD crashes on Assertion without SessionIndex in AuthnStatement when SLO is configured

Last Modified: Mar 02, 2023

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4

Fixed In:
11.5.1 HF5, 11.4.1 HF6, 11.4.0 HF8

Opened: Dec 11, 2013
Severity: 3-Major


When the BIG-IP system is configured as a SAML Service Provider (SP), APD can crash if the IdP connector object that is used specifies a single logout URL. A crash occurs only when the SP receives a SAML assertion that does not include a SessionIndex attribute in the AuthnStatement element.


APD crashes and SAML authentication fails.


1. The IdP sends an assertion without the SessionIndex attribute in the AuthnStatement element.
2. The IdP connector on the BIG-IP system has single-logout-url specified (not empty).


To work around the problem, do one of the following:
1. Reconfigure the IdP to send assertions with the SessionIndex attribute in the AuthnStatement element.
2. Clear single-logout-url in the IdP connector object on the BIG-IP system.
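
As an added example (not F5 code), the following Python check tests a captured assertion against the two conditions listed for this bug, which is useful for confirming that a reconfigured IdP now sends SessionIndex. The function names, the sample assertions and the SLO URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AUTHN_STATEMENT = "{urn:oasis:names:tc:SAML:2.0:assertion}AuthnStatement"

def statements_missing_session_index(assertion_xml):
    """Return AuthnInstant of every AuthnStatement that has no SessionIndex attribute."""
    if "<!DOCTYPE" in assertion_xml:
        # SAML messages never need a DTD; refuse rather than expand entities.
        raise ValueError("DOCTYPE is not allowed in a SAML assertion")
    root = ET.fromstring(assertion_xml)
    return [
        stmt.get("AuthnInstant", "(no AuthnInstant)")
        for stmt in root.iter(AUTHN_STATEMENT)
        if stmt.get("SessionIndex") is None
    ]

def meets_crash_conditions(assertion_xml, single_logout_url):
    """True when both conditions listed for Bug ID 440468 hold."""
    # single_logout_url is the value from the IdP connector (hypothetical parameter).
    slo_configured = bool(single_logout_url and single_logout_url.strip())
    return slo_configured and bool(statements_missing_session_index(assertion_xml))

# Constructed sample assertions, trimmed to the elements this check reads.
_TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    '<saml:AuthnStatement AuthnInstant="2014-01-01T00:00:00Z"{attr}>'
    "<saml:AuthnContext><saml:AuthnContextClassRef>"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
    "</saml:AuthnContextClassRef></saml:AuthnContext>"
    "</saml:AuthnStatement></saml:Assertion>"
)
WITH_INDEX = _TEMPLATE.format(attr=' SessionIndex="_constructed-session"')
WITHOUT_INDEX = _TEMPLATE.format(attr="")
SLO_URL = "https://idp.example.test/slo"  # constructed connector value

if __name__ == "__main__":
    for name, xml in (("with", WITH_INDEX), ("without", WITHOUT_INDEX)):
        print(name, "SessionIndex ->", meets_crash_conditions(xml, SLO_URL))
```

The check reads the assertion only; it does not validate the signature, so run it on assertions captured from a trusted test login.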
