Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.3.2
Opened: Jul 25, 2015
Severity: 3-Major
When performing IdP-initiated SAML SSO, the Identity Provider (IdP) has the option to send a RelayState to a Service Provider (SP). This RelayState can be used as a URI to redirect users to after authentication is completed. When the BIG-IP system is configured as an SP, it does not use the RelayState received from an IdP as a URL to redirect to after SAML SSO is completed.
Users will not be redirected to the resource passed from the IdP.
The problem occurs when all of these conditions are true:
BIG-IP is used as the SP.
IdP-initiated SAML SSO is performed.
The IdP sends a RelayState to the SP.
The SP can instead be configured with its own RelayState to specify the resource to serve to users after completion of SAML SSO.
The BIG-IP system, when configured as a SAML Service Provider (SP), will now accept RelayState from an Identity Provider (IdP) to be used as a resource to serve to users after completion of SAML SSO.
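Once an SP honours an IdP-supplied RelayState as a post-SSO redirect target, that value has to be validated first: it arrives in the same HTTP POST as the SAMLResponse and is not covered by the assertion signature, so an unchecked RelayState turns the SP into an open redirector. The following is an added example (not BIG-IP code) of the check an SP can apply; the SP origin sp.example.com, the 80-byte limit from the SAML 2.0 Bindings specification and the default landing page are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical SP origin and defaults (assumptions, not values from the page).
SP_SCHEME = "https"
SP_HOST = "sp.example.com"
DEFAULT_LANDING = "/"
MAX_RELAYSTATE_BYTES = 80  # upper bound set by the SAML 2.0 Bindings spec


def choose_post_sso_target(relay_state):
    """Return the site-local path a user is sent to after SAML SSO completes.

    Only a target on this SP's own origin is honoured. Other hosts,
    scheme-relative URLs, non-http schemes, over-long or malformed values all
    fall back to DEFAULT_LANDING, so the SP never redirects off-site.
    """
    if not relay_state or len(relay_state.encode("utf-8")) > MAX_RELAYSTATE_BYTES:
        return DEFAULT_LANDING
    # Browsers treat a backslash like a slash; control characters are never valid here.
    if "\\" in relay_state or any(ord(c) < 0x20 or c == "\x7f" for c in relay_state):
        return DEFAULT_LANDING
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc:
        # Absolute URL: scheme and host must match this SP exactly. This also
        # rejects "//other.host/..." and "https://sp.example.com@other.host/".
        if parts.scheme.lower() != SP_SCHEME or parts.netloc.lower() != SP_HOST:
            return DEFAULT_LANDING
    elif not relay_state.startswith("/"):
        # A bare relative reference such as "other.host/x" is not a local path.
        return DEFAULT_LANDING
    path = parts.path or "/"
    # A path of "//other.host/x" re-emitted without an origin would be read by
    # the browser as scheme-relative, i.e. as an off-site redirect.
    if path.startswith("//"):
        return DEFAULT_LANDING
    # Re-emit only path and query: the origin is implied and the fragment is dropped.
    return urlunsplit(("", "", path, parts.query, ""))
```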