Bug ID 473377: BIG-IP as IdP may rejects AuthnRequest with specific NameID format

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3

Fixed In:
12.0.0, 11.6.0 HF4, 11.5.1 HF6, 11.4.1 HF6

Opened: Jul 29, 2014

Severity: 4-Minor

Symptoms

BIG-IP as IdP rejects authentication request stating InvalidNameID Policy when received Authentication request contains NameID format "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

Impact

SAML Authentication request is rejected.

Conditions

BIG-IP is configured as an IdP. Received authentication request contains NameID format "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" (Note SAML2.0).

Workaround

Reconfigure SAML SP to create AuthnRequest with either 1. The following NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified 2. Empty NameID format

Fix Information

Fixed to accept NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips