Last Modified: Apr 10, 2019
Known Affected Versions:
11.4.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4
12.0.0, 11.6.0 HF5, 11.5.3 HF2
Opened: Aug 06, 2014
Related AskF5 Article: K17323
When a client initiates Single Logout (SLO) on a BIG-IP system acting as an IdP that is associated with multiple SP connectors, the IdP sends an SLO request message to each SP to which the user has connected within this session. If the user has connected to multiple SPs (bound to different IdPs) within the same session, the SLO messages are sent with the 'Issuer' element referencing the name of the last IdP service the user accessed.
The impact depends on the recipient of the message. The recipient (SP) may reject the SLO request or process it successfully, depending on its implementation.
This issue occurs when:
1. BIG-IP is configured as IdP.
2. BIG-IP has more than one IdP configuration object.
3. IdP objects are assigned as resources to the same Access Policy.
4. Each IdP configuration is bound to at least one SP connector.
5. The client initiates SLO on the IdP.
Disable SLO on BIG-IP.
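The Issuer mismatch described above, seen from the SP side, as an added example that is not F5's code. The entity IDs, SP names and LogoutRequest messages are constructed, and the one-IdP-object-per-SP mapping is an assumption made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed trust configuration: each SP connector is bound to one IdP object.
SP_BOUND_IDP = {
    "https://sp-a.example.com": "https://bigip.example.com/idp-a",
    "https://sp-b.example.com": "https://bigip.example.com/idp-b",
}

def logout_request(issuer, destination, name_id="alice@example.com"):
    """Build a constructed, unsigned LogoutRequest for the demo."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_constructed1" Version="2.0" IssueInstant="2014-08-06T00:00:00Z" '
        f'Destination="{destination}/slo">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:NameID>{name_id}</saml:NameID>"
        f"</samlp:LogoutRequest>"
    )

def check_issuer(xml_text, sp_entity_id):
    """Return (ok, seen_issuer, expected_issuer) for one LogoutRequest received by an SP."""
    root = ET.fromstring(xml_text)  # constructed input; use a hardened parser for untrusted XML
    if root.tag != f'{{{NS["samlp"]}}}LogoutRequest':
        raise ValueError("not a SAML 2.0 LogoutRequest")
    issuer_el = root.find("saml:Issuer", NS)
    seen = (issuer_el.text or "").strip() if issuer_el is not None else ""
    expected = SP_BOUND_IDP[sp_entity_id]
    return seen == expected, seen, expected

def simulate_slo(last_idp_accessed):
    """Reproduce the symptom: every SP receives the Issuer of the last IdP accessed."""
    results = {}
    for sp in SP_BOUND_IDP:
        msg = logout_request(last_idp_accessed, sp)
        results[sp] = check_issuer(msg, sp)
    return results

if __name__ == "__main__":
    for sp, (ok, seen, expected) in simulate_slo("https://bigip.example.com/idp-b").items():
        print(f"{sp}: {'ok' if ok else 'MISMATCH'} issuer={seen} expected={expected}")
```

An SP that enforces this comparison rejects the request and keeps its local session alive, which is the case to look for in SP logs when assessing exposure.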