Bug ID 474698: BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.3 HF2

Opened: Aug 06, 2014

Severity: 3-Major

Related Article: K17323

Symptoms

When a client initiates Single Logout (SLO) on a BIG-IP system acting as an IdP that is associated with multiple SP connectors, the IdP sends an SLO request message to each SP to which the user has connected within the session. If the user has connected to multiple SPs (bound to different IdPs) within the same session, the SLO messages are sent with an 'Issuer' element referencing the name of the last IdP service the user accessed.

Impact

The impact depends on the recipient of the message. The recipient (SP) may reject the SLO request or process it successfully, depending on its implementation.
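How an SP that strictly compares the 'Issuer' element against its configured IdP would see the SLO requests described under Symptoms, as an added example (not F5 code). The SP names, entity IDs and sample messages are constructed, and only the Issuer comparison is shown.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed mapping: the IdP entity ID each SP is configured to trust.
TRUSTED_IDP = {
    "sp1.example.com": "https://bigip.example.com/idp_a",
    "sp2.example.com": "https://bigip.example.com/idp_b",
}

def logout_request(issuer):
    """Build a constructed, unsigned SAML 2.0 LogoutRequest for the demo."""
    return (
        '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" '
        'ID="_constructed1" Version="2.0" IssueInstant="2014-08-06T00:00:00Z">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<saml:NameID>user@example.com</saml:NameID>'
        '</samlp:LogoutRequest>' % (NS["samlp"], NS["saml"], issuer)
    )

def check_issuer(sp, xml_text):
    """Return (verdict, issuer) as a strict SP would judge the request."""
    # Issuer check only: a real SP also validates the signature and should
    # parse untrusted XML with a hardened parser.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ("malformed", None)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return ("not-logout-request", None)
    node = root.find("saml:Issuer", NS)
    issuer = (node.text or "").strip() if node is not None else ""
    if not issuer:
        return ("missing-issuer", None)
    if issuer != TRUSTED_IDP.get(sp):
        return ("issuer-mismatch", issuer)
    return ("ok", issuer)

def audit(captured):
    """Return (sp, verdict, issuer) for every request a strict SP would not accept."""
    results = [(sp,) + check_issuer(sp, xml_text) for sp, xml_text in captured]
    return [r for r in results if r[1] != "ok"]

# Constructed capture reproducing the symptom: the user accessed idp_a/sp1 and
# then idp_b/sp2, so both SLO requests name the last IdP accessed as Issuer.
LAST_IDP = TRUSTED_IDP["sp2.example.com"]
CAPTURED = [("sp1.example.com", logout_request(LAST_IDP)),
            ("sp2.example.com", logout_request(LAST_IDP))]
```

Calling `audit(CAPTURED)` flags only the request sent to sp1, whose configured IdP differs from the Issuer it received.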

Conditions

This issue occurs when:
1. BIG-IP is configured as IdP.
2. BIG-IP has more than one IdP configuration object.
3. IdP objects are assigned as resources to the same Access Policy.
4. Each IdP configuration is bound to at least one SP-connector.
5. Client initiated SLO on IdP.

Workaround

Disable SLO on BIG-IP.

Fix Information

None

Behavior Change
