Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
12.0.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0, 12.0.0 HF1
Opened: Jul 20, 2015
Severity: 3-Major
SAML assertions generated by BIG-IP acting as a SAML IdP may include attributes with pipe-separated values (e.g. '| a | b | c |') if multi-valued attributes are stored in the session database, for example:
<saml2:Attribute Name="name">
  <saml2:AttributeValue>| a | b | c |</saml2:AttributeValue>
</saml2:Attribute>
The receiver of the SAML assertion may not be able to parse pipe-separated values.
BIG-IP is used as an IdP, and a configured SAML attribute contains multiple pipe-separated values, e.g. AD group membership.
none
Pipe-separated session variables are now split into multiple values of the assertion attribute. For example, given the session variable value '| a | b | c |', the assertion attribute will look similar to this:
<saml2:Attribute Name="name">
  <saml2:AttributeValue>a</saml2:AttributeValue>
  <saml2:AttributeValue>b</saml2:AttributeValue>
  <saml2:AttributeValue>c</saml2:AttributeValue>
</saml2:Attribute>
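
On the receiving side, a service provider that must accept assertions from both unfixed and fixed BIG-IP versions can normalize the two attribute forms shown above into one list of values. The following is an added example, not F5 code; the function names and the sample XML are constructed for illustration, and it assumes the assertion signature has already been verified by the SAML library in use.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}

# Constructed samples modelled on the two attribute forms in this bug report.
PACKED = (
    f'<saml2:Attribute xmlns:saml2="{SAML2_NS}" Name="name">'
    "<saml2:AttributeValue>| a | b | c |</saml2:AttributeValue>"
    "</saml2:Attribute>"
)
SPLIT = (
    f'<saml2:Attribute xmlns:saml2="{SAML2_NS}" Name="name">'
    "<saml2:AttributeValue>a</saml2:AttributeValue>"
    "<saml2:AttributeValue>b</saml2:AttributeValue>"
    "<saml2:AttributeValue>c</saml2:AttributeValue>"
    "</saml2:Attribute>"
)


def split_packed(text):
    """Turn '| a | b | c |' into ['a', 'b', 'c'].

    Only text that both starts and ends with a pipe is treated as packed,
    so an ordinary value containing a pipe ('a|b') is left intact. A real
    value that itself begins and ends with '|' would still be split.
    """
    stripped = (text or "").strip()
    if len(stripped) >= 2 and stripped.startswith("|") and stripped.endswith("|"):
        parts = [p.strip() for p in stripped[1:-1].split("|")]
        return [p for p in parts if p]
    return [stripped] if stripped else []


def attribute_values(attribute_xml):
    """Return (name, [values]) for one saml2:Attribute element in either form."""
    attr = ET.fromstring(attribute_xml)
    if attr.tag != f"{{{SAML2_NS}}}Attribute":
        raise ValueError("not a saml2:Attribute element")
    values = []
    for node in attr.findall("saml2:AttributeValue", NS):
        values.extend(split_packed(node.text))
    return attr.get("Name"), values


if __name__ == "__main__":
    print(attribute_values(PACKED))
    print(attribute_values(SPLIT))
```

When the attribute carries group membership used for authorization, compare against the items of the returned list by exact equality rather than searching the packed string for a substring.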