Bug ID 474698: BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.4.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.3 HF2

Opened: Aug 06, 2014
Severity: 3-Major
Related AskF5 Article:
K17323

Symptoms

When a client initiates Single Logout (SLO) on a BIG-IP system acting as IdP, and that IdP is associated with multiple SP connectors, the IdP sends an SLO request message to each SP the user has connected to within this session. If the user has connected to multiple SPs (bound to different IdPs) within the same session, the SLO messages are sent with an 'Issuer' element referencing the name of the last IdP service the user accessed.

Impact

The impact depends on the recipient of the message. The recipient (SP) may reject the SLO request or process it successfully, depending on its implementation.

Conditions

This issue occurs when:
1. BIG-IP is configured as IdP.
2. BIG-IP has more than one IdP configuration object.
3. The IdP objects are assigned as resources to the same Access Policy.
4. Each IdP configuration is bound to at least one SP connector.
5. A client initiates SLO on the IdP.
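As an added illustration (not part of the F5 record), the following Python checks a received SAML LogoutRequest the way a strict SP would: the Issuer must match the IdP entity ID the SP connector was established with, so a message carrying the wrong IdP's name (the symptom described above) is rejected rather than processed. The entity IDs, the sample messages and the helper names are constructed for this example; XML signature verification is a separate step that is not shown.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed value: the IdP entity ID this SP connector was configured against.
EXPECTED_IDP_ISSUER = "https://idp-a.example.com/idp"


def logout_request_issuer(xml_text: str) -> Optional[str]:
    """Return the text of <saml:Issuer> from a <samlp:LogoutRequest>, or None."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not issuer.text or not issuer.text.strip():
        return None
    return issuer.text.strip()


def check_slo_issuer(xml_text: str, expected: str = EXPECTED_IDP_ISSUER) -> Tuple[bool, str]:
    """Accept the SLO request only if its Issuer is the IdP bound to this SP.
    A real SP must also verify the XML signature before acting on the request."""
    issuer = logout_request_issuer(xml_text)
    if issuer is None:
        return False, "reject: LogoutRequest carries no Issuer"
    if issuer != expected:
        return False, f"reject: Issuer {issuer!r} is not the bound IdP {expected!r}"
    return True, "accept: Issuer matches the bound IdP"


def make_logout_request(issuer: str) -> str:
    """Build a minimal, constructed LogoutRequest for testing the check."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_c1" Version="2.0" IssueInstant="2014-08-06T00:00:00Z" '
        'Destination="https://sp.example.com/slo">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:NameID>user@example.com</saml:NameID>"
        "<samlp:SessionIndex>_s1</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


GOOD = make_logout_request("https://idp-a.example.com/idp")
# Mirrors the symptom: Issuer names the last IdP the user touched, not this SP's IdP.
BAD = make_logout_request("https://idp-b.example.com/idp")

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("bad", BAD)):
        print(name, check_slo_issuer(msg))
```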

Workaround

Disable SLO on BIG-IP.

Fix Information

None

Behavior Change