Bug ID 535131: RelayState passed from IdP to SP is not used as a landing URI for IdP initiated SAML SSO

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.3.2

Opened: Jul 25, 2015

Severity: 3-Major

Symptoms

When performing IdP-initiated SAML SSO, the Identity Provider (IdP) has the option to send a RelayState to the Service Provider (SP) along with the SAML Response. This RelayState can be used as the URI to redirect users to after authentication is completed. When the BIG-IP system is configured as an SP, it does not use the RelayState received from an IdP as the URL to redirect to after SAML SSO is completed.

Impact

Users are not redirected to the resource passed from the IdP in the RelayState.

Conditions

The problem occurs when all of these conditions are true:
- BIG-IP is used as SP.
- IdP-initiated SAML SSO is performed.
- The IdP sends a RelayState to the SP.

Workaround

The SP can be configured with its own RelayState to specify the resource served to users after completion of SAML SSO; this SP-side setting is used instead of the value sent by the IdP.

Fix Information

The BIG-IP system, when configured as a SAML Service Provider (SP), will now accept RelayState from an Identity Provider (IdP) to be used as a resource to serve to users after completion of SAML SSO.
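The following is an added example that is not part of this bug record and not F5 code. It models the decision an SP makes at its assertion consumer service after an IdP-initiated SAML Response arrives: use the IdP-supplied RelayState as the landing URI when it is present and points back to the SP, otherwise fall back to the SP-configured RelayState described under Workaround. The `idp_relaystate_honoured=False` switch models the pre-fix behaviour from Symptoms. The form field names `SAMLResponse` and `RelayState` are the standard SAML HTTP-POST binding names; the SP hostname, the configured fallback path and the allow-list policy are assumptions made for the example.

```python
"""Post-SSO landing URI selection at a SAML Service Provider (added example)."""
import base64
from urllib.parse import urlsplit

# Assumed SP deployment values (constructed for this example).
SP_HOSTNAMES = {"sp.example.com"}
SP_CONFIGURED_RELAYSTATE = "/portal"   # the SP-side RelayState from the Workaround section
DEFAULT_LANDING = "/"

# Constructed stand-in for a SAML Response body; a real SP would validate the
# signature, audience, conditions and InResponseTo before looking at RelayState.
SAMPLE_SAMLRESPONSE = base64.b64encode(b"<samlp:Response/>").decode()


def is_safe_landing_uri(uri):
    """Accept a RelayState only if it stays on this SP.

    Allowed: a single-slash relative path ("/apps/hr") or an absolute https URL
    whose host is one of SP_HOSTNAMES. Everything else (other hosts, other
    schemes, scheme-relative "//host" forms, control characters) is rejected.
    """
    if not uri or len(uri) > 2048:
        return False
    if any(c in uri for c in "\r\n\x00\\"):
        return False
    parts = urlsplit(uri)
    if parts.scheme == "" and parts.netloc == "":
        return uri.startswith("/") and not uri.startswith("//")
    return parts.scheme == "https" and parts.hostname in SP_HOSTNAMES


def landing_uri(form, idp_relaystate_honoured=True):
    """Decide where to send the user once the SAML Response has been consumed.

    form: dict of POST fields received at the assertion consumer service.
    idp_relaystate_honoured=False reproduces the pre-fix behaviour, where the
    IdP's RelayState is ignored and only the SP-configured value is used.
    """
    if "SAMLResponse" not in form:
        raise ValueError("missing SAMLResponse")
    # Must at least be well-formed base64; full assertion validation is out of scope here.
    base64.b64decode(form["SAMLResponse"], validate=True)

    relay = form.get("RelayState", "")
    if idp_relaystate_honoured and is_safe_landing_uri(relay):
        return relay
    return SP_CONFIGURED_RELAYSTATE or DEFAULT_LANDING


if __name__ == "__main__":
    cases = [
        {"SAMLResponse": SAMPLE_SAMLRESPONSE, "RelayState": "/apps/hr"},
        {"SAMLResponse": SAMPLE_SAMLRESPONSE, "RelayState": "https://sp.example.com/apps/hr"},
        {"SAMLResponse": SAMPLE_SAMLRESPONSE, "RelayState": "https://other.example/apps"},
        {"SAMLResponse": SAMPLE_SAMLRESPONSE},
    ]
    for c in cases:
        print(c.get("RelayState"), "->", landing_uri(c), "| pre-fix:", landing_uri(c, False))
```

With the fix applied, an IdP-sent RelayState of `/apps/hr` becomes the landing URI; before the fix (or when the value fails the allow-list) the SP-configured `/portal` is served instead, which is exactly the Workaround behaviour.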

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips