Bug ID 522670: SAML Detached Signature Support

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0

Opened: May 12, 2015

Severity: 3-Major

Symptoms

Starting with v12, a BIG-IP system configured as an Identity Provider (IdP) or as a Service Provider (SP) supports Detached Signature for SAML Authentication Requests when using the SAML Redirect Binding. Prior to v12, only Enveloped signatures were supported. For BIG-IP as IdP, which consumes AuthN requests, the support is automatic: signatures that arrive in Detached format are processed normally without any configuration. For BIG-IP as SP, which produces AuthN requests, the support must be explicitly configured in the associated IdP connector object using tmsh. It is not possible to configure it in the GUI.
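The Redirect Binding exchange described above, as an added example that is not F5's or BIG-IP's code: the SP side builds the redirect query with a detached signature (a separate Signature parameter covering the URL-encoded SAMLRequest, RelayState and SigAlg), and the IdP side verifies it. Names such as build_redirect_query and verify_redirect_query are assumed for illustration, and the RSA-SHA256 primitive is replaced by a labelled HMAC stand-in so the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import zlib
from urllib.parse import quote, unquote

SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Constructed minimal AuthnRequest used as sample input.
AUTHN_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             'ID="_constructed1" Version="2.0" IssueInstant="2015-05-12T00:00:00Z"/>')

def deflate_b64(xml):
    """Raw DEFLATE (no zlib header) then base64, as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def build_redirect_query(xml, relay_state, sig_alg, sign):
    """SP side: sign the URL-encoded SAMLRequest, RelayState (if any) and SigAlg,
    in that order; the signature travels in its own Signature parameter."""
    parts = ["SAMLRequest=" + quote(deflate_b64(xml), safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    parts.append("SigAlg=" + quote(sig_alg, safe=""))
    to_sign = "&".join(parts)
    signature = base64.b64encode(sign(to_sign.encode())).decode()
    return to_sign + "&Signature=" + quote(signature, safe="")

def verify_redirect_query(raw_query, accepted_algs, verify):
    """IdP side: return the AuthnRequest XML if the detached signature verifies,
    else None. The covered string is rebuilt from the raw, still-encoded query so
    the bytes match what the sender signed; re-encoding decoded values can differ."""
    raw = dict(kv.partition("=")[::2] for kv in raw_query.split("&"))
    if not {"SAMLRequest", "SigAlg", "Signature"} <= set(raw):
        return None
    if unquote(raw["SigAlg"]) not in accepted_algs:   # reject unknown or weak SigAlg
        return None
    parts = ["SAMLRequest=" + raw["SAMLRequest"]]
    if "RelayState" in raw:
        parts.append("RelayState=" + raw["RelayState"])
    parts.append("SigAlg=" + raw["SigAlg"])
    if not verify("&".join(parts).encode(), base64.b64decode(unquote(raw["Signature"]))):
        return None
    return zlib.decompress(base64.b64decode(unquote(raw["SAMLRequest"])), -15).decode()

# Test stand-in for RSA-SHA256 (constructed HMAC key); a real SP signs with its
# private key and the IdP verifies with the SP's certificate.
_STANDIN_KEY = b"constructed-test-key"
def standin_sign(data):
    return hmac.new(_STANDIN_KEY, data, hashlib.sha256).digest()
def standin_verify(data, sig):
    return hmac.compare_digest(standin_sign(data), sig)
```

Note that the XML itself carries no signature element; with an Enveloped Signature the ds:Signature would sit inside the deflated AuthnRequest instead.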

Impact

Because the configuration for Detached Signature is not available in the GUI, administrators can be confused about how to set this up.

Conditions

This affects configurations in which BIG-IP is configured as the SP and external IdPs, such as Ping Identity and others, require Detached Signature instead of Enveloped Signature.

Workaround

After creating the IdP connector object with signature enabled, go to tmsh:

1. Issue the command:
   modify apm aaa saml-idp-connector <idp connector object name> want-detached-signature true

2. Then issue this command:
   save sys config

After this, when BIG-IP as SP creates an AuthN request for the associated IdP, it will use the Detached Signature mechanism instead of Enveloped Signature.

Fix Information

It is now possible to use the BIG-IP GUI to switch between Detached Signature and Enveloped Signature for BIG-IP as SP SAML Authentication Requests.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips