Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0
Opened: May 12, 2015 Severity: 3-Major
Starting with v12, a BIG-IP system configured as an Identity Provider (IdP) or as a Service Provider (SP) supports Detached Signature for SAML Authentication Requests when using the SAML Redirect Binding. Prior to v12, only Enveloped signatures were supported. For BIG-IP as IdP, which consumes AuthN requests, the support is automatic: signatures that arrive in Detached format are processed normally, with no configuration required. For BIG-IP as SP, which produces AuthN requests, the support must be explicitly configured on the associated IdP connector object using tmsh; it is not possible to configure it in the GUI.
Because the configuration for Detached Signature is not available in the GUI, administrators can be confused about how to set this up.
This affects configurations in which BIG-IP is configured as the SP and external IdPs, such as Ping Identity and others, require Detached Signature instead of Enveloped Signature.
After creating the IdP connector object with signature enabled, go to tmsh:
1. Issue the command: modify apm aaa saml-idp-connector <idp connector object name> want-detached-signature true
2. Then issue this command: save sys config
After this, when BIG-IP as SP creates an AuthN request for the associated IdP, it will use the Detached Signature mechanism instead of Enveloped Signature.
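As an added illustration (not F5's code or the BIG-IP implementation) of what the Detached Signature mechanism described above produces, the following Python builds an SP-side AuthnRequest for the SAML Redirect Binding with a detached signature and shows how the consuming IdP side must recover the exact signed query octets before verifying. The AuthnRequest, the RelayState value and the unkeyed stand-in signer are constructed placeholders; a real deployment supplies an RSA signer on the SP and the matching verifier on the IdP.

```python
import base64
import hashlib
import zlib
from urllib.parse import parse_qsl, quote, urlencode

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Constructed, minimal AuthnRequest; a real request carries more attributes.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-1" Version="2.0" IssueInstant="2015-05-12T00:00:00Z"/>'
)

def encode_saml_request(xml):
    """Redirect binding payload: raw DEFLATE (no zlib header), then base64."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(co.compress(xml.encode()) + co.flush()).decode()

def decode_saml_request(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()

def signed_data(saml_request, relay_state, sig_alg):
    """Octets a detached signature covers: the URL-encoded parameters in this
    fixed order; RelayState is included only when the request carries one."""
    parts = [("SAMLRequest", saml_request)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return urlencode(parts, quote_via=quote)

def build_signed_redirect_query(xml, relay_state, sign_fn, sig_alg=RSA_SHA256):
    """SP side. sign_fn(bytes) -> signature bytes is supplied by the caller (an
    RSA signer in practice). The signature rides as its own trailing parameter,
    outside the XML, which is what makes it "detached"."""
    data = signed_data(encode_saml_request(xml), relay_state, sig_alg)
    sig = base64.b64encode(sign_fn(data.encode())).decode()
    return data + "&Signature=" + quote(sig, safe="")

def split_signed_redirect_query(query):
    """IdP side. Recover the exact signed octets from the query string as it was
    received; re-encoding decoded values could alter them and break the check.
    Assumes Signature is the trailing parameter, as the SP side above emits."""
    signed_part, _, _ = query.rpartition("&Signature=")
    params = dict(parse_qsl(query, keep_blank_values=True))
    return (signed_part, params["SigAlg"], base64.b64decode(params["Signature"]),
            decode_saml_request(params["SAMLRequest"]))

def stand_in_sign(data):
    """NOT a signature: an unkeyed digest used only so the demo runs offline."""
    return hashlib.sha256(data).digest()
```

The IdP side should also reject a SigAlg it does not expect before checking the signature, since the algorithm identifier is attacker-controlled input until the signature has been verified.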
It is now possible to use the BIG-IP GUI to switch between Detached Signature and Enveloped Signature for BIG-IP as SP SAML Authentication Requests.