Last Modified: Apr 10, 2019
See more info
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 18.104.22.168
Opened: Jul 25, 2015
When performing IdP-initiated SAML SSO, the Identity Provider (IdP) has the option to send a RelayState to a Service Provider (SP). This RelayState can be used as a URI to redirect users to after authentication is completed. When the BIG-IP system is configured as an SP, it does not use the RelayState received from an IdP as a URL to redirect to after SAML SSO is completed.
User will not be redirected to a resource passed from IdP.
The problem occurs when all of these conditions are true: BIG-IP is used as SP IdP-initiated SAML SSO is performed. IdP sends a RelayState to SP.
SP could be configured with a RelayState to specify a resource to serve to users after completion of SAML SSO.
The BIG-IP system, when configured as a SAML Service Provider (SP), will now accept RelayState from an Identity Provider (IdP) to be used as a resource to serve to users after completion of SAML SSO.