Bug ID 474698: BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.

Last Modified: Jul 13, 2024

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
11.4.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.3 HF2

Opened: Aug 06, 2014

Severity: 3-Major

Related Article: K17323


When a client initiates Single Logout (SLO) on a BIG-IP system acting as an IdP that is associated with multiple SP connectors, the IdP sends an SLO request message to each SP to which the user has connected within this session. If the user has connected to multiple SPs (bound to different IdPs) within the same session, the SLO messages are sent with the 'Issuer' element referencing the name of the last IdP service the user accessed.


The impact depends on the recipient of the message. The recipient (SP) may reject the SLO request or process it successfully, depending on its implementation.


This issue occurs when:

1. BIG-IP is configured as IdP.
2. BIG-IP has more than one IdP configuration object.
3. IdP objects are assigned as resources to the same Access Policy.
4. Each IdP configuration is bound to at least one SP-connector.
5. Client initiated SLO on IdP.


Disable SLO on BIG-IP.
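
The recipient-side behaviour described above can be reproduced with a small model of a strict SP that compares the 'Issuer' of an incoming LogoutRequest with the IdP it is bound to. This is an added example, not F5 or SP vendor code; the entity IDs, URLs and function names are constructed placeholders, and signature verification is left out.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample data: two IdP services on one BIG-IP, each bound to one SP.
SP_BOUND_IDP = {
    "https://sp-a.example/saml": "https://bigip.example/idp-a",
    "https://sp-b.example/saml": "https://bigip.example/idp-b",
}

def build_logout_request(issuer, destination, name_id="user@example"):
    """Build a minimal, unsigned LogoutRequest (constructed test input)."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_constructed1" Version="2.0" IssueInstant="2014-08-06T00:00:00Z" '
        f'Destination="{destination}"><saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:NameID>{name_id}</saml:NameID></samlp:LogoutRequest>'
    )

def check_issuer(sp_entity_id, xml_text):
    """Return (accepted, reason) for an SP that enforces Issuer == bound IdP."""
    # A production SP would use a hardened XML parser and verify the signature first.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return False, "not a LogoutRequest"
    issuer = root.find(f"{{{SAML}}}Issuer")
    got = (issuer.text or "").strip() if issuer is not None else ""
    if not got:
        return False, "missing Issuer"
    expected = SP_BOUND_IDP.get(sp_entity_id)
    if expected is None:
        return False, "unknown SP"
    if got != expected:
        return False, f"Issuer {got} does not match bound IdP {expected}"
    return True, "ok"

def simulate_slo(last_idp_accessed):
    """Model the symptom: every SLO request carries the last-accessed IdP as Issuer."""
    return {
        sp: check_issuer(sp, build_logout_request(last_idp_accessed, sp + "/slo"))
        for sp in SP_BOUND_IDP
    }

if __name__ == "__main__":
    for sp, (ok, reason) in simulate_slo("https://bigip.example/idp-b").items():
        print(sp, "ACCEPT" if ok else "REJECT", reason)
```

An SP that skips this comparison would process both requests, which is the "process it successfully" outcome; SP logs showing rejected LogoutRequests with an unexpected Issuer from the same BIG-IP are the signature of the other outcome.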
