Bug ID 461189: Generated assertion contains HEX-encoded attributes

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5

Fixed In:
12.0.0, 11.6.0 HF6, 11.4.1 HF9

Opened: May 08, 2014
Severity: 3-Major
Related AskF5 Article:
K16563

Symptoms

When a BIG-IP system serving as a SAML identity provider (IdP) generates an assertion, the message might contain HEX-encoded values.

Impact

SAML SSO might fail if the Service Provider is not able to process HEX-encoded attributes.

Conditions

This occurs when a user authenticates against LDAP/AD/RADIUS and the attributes retrieved from the AAA server contain non-ASCII values. The BIG-IP system, acting as Identity Provider, then uses these non-ASCII values in the generated Assertion.

Workaround

There is no workaround on the Identity Provider. On the Service Provider side, assertion attribute values that begin with '0x' could be treated as HEX-encoded. Such values can be HEX-decoded after the SP has processed the assertion.
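One way to apply the Service Provider workaround, as an added example that is not F5 code. It assumes the digits after '0x' are the raw attribute bytes in UTF-8 and that only values containing non-ASCII bytes were encoded (per the Conditions above); the function names and sample data are hypothetical.

```python
import binascii

HEX_PREFIX = "0x"  # prefix named in the workaround text


def decode_hex_attribute(value: str) -> str:
    """Return decoded text if value looks hex-encoded, else value unchanged."""
    if not value.startswith(HEX_PREFIX):
        return value
    digits = value[len(HEX_PREFIX):]
    if not digits or len(digits) % 2:
        return value  # empty or odd-length payload: not a byte string
    try:
        raw = binascii.unhexlify(digits)
    except (binascii.Error, ValueError):
        return value  # non-hex characters: leave the literal value alone
    # Assumption: the IdP hex-encodes only values holding non-ASCII bytes,
    # so a pure-ASCII result means this was a legitimate literal like "0x41".
    if all(b < 0x80 for b in raw):
        return value
    try:
        return raw.decode("utf-8")  # assumed source encoding
    except UnicodeDecodeError:
        return value  # unknown encoding: keep the original for manual review


def decode_attributes(attrs: dict[str, list[str]]) -> dict[str, list[str]]:
    """Decode every value; call only on an assertion the SP already validated."""
    return {name: [decode_hex_attribute(v) for v in values]
            for name, values in attrs.items()}


# Constructed sample of attributes as an SP might extract them after
# signature and condition checks have passed.
SAMPLE_ATTRS = {
    "givenName": ["0x4a6f73c3a9"],      # UTF-8 bytes of "José"
    "sn": ["0x4dc3bc6c6c6572"],         # UTF-8 bytes of "Müller"
    "deviceId": ["0x41", "0xZZ"],       # literals that must stay untouched
    "mail": ["jose@example.com"],
}

if __name__ == "__main__":
    for name, values in decode_attributes(SAMPLE_ATTRS).items():
        print(name, values)
```

Values that fail any check are returned unchanged, so a literal attribute that happens to start with '0x' is not silently rewritten.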

Fix Information

BIG-IP as Identity Provider now base64-encodes non-UTF8 attributes, as expected.

Behavior Change