Bug ID 535131: RelayState passed from IdP to SP is not used as a landing URI for IdP initiated SAML SSO

Last Modified: Oct 06, 2020


Affected Product:
BIG-IP APM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3

Fixed In:

Opened: Jul 25, 2015
Severity: 3-Major


When performing IdP-initiated SAML SSO, the Identity Provider (IdP) has the option to send a RelayState to a Service Provider (SP). This RelayState can be used as a URI to redirect users to after authentication is completed. When the BIG-IP system is configured as an SP, it does not use the RelayState received from an IdP as a URL to redirect to after SAML SSO is completed.


The user will not be redirected to the resource passed from the IdP.


The problem occurs when all of these conditions are true: BIG-IP is used as an SP; IdP-initiated SAML SSO is performed; the IdP sends a RelayState to the SP.


The SP can be configured with a RelayState to specify a resource to serve to users after completion of SAML SSO.

Fix Information

The BIG-IP system, when configured as a SAML Service Provider (SP), will now accept RelayState from an Identity Provider (IdP) to be used as a resource to serve to users after completion of SAML SSO.
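The landing-URI selection described above, sketched for a generic SAML SP as an added example; it is not F5 code and does not show how BIG-IP APM implements the fix. The host `sp.example.com`, the `/portal` fallback, the function names and the same-origin restriction on RelayState are assumptions of this sketch.

```python
from urllib.parse import parse_qs, urlsplit

SP_ORIGIN = ("https", "sp.example.com")  # assumed SP host (hypothetical)
SP_DEFAULT_LANDING = "/portal"           # assumed SP-configured RelayState

# Constructed HTTP-POST binding body: SAMLResponse is a placeholder blob.
SAMPLE_POST = "SAMLResponse=PHNhbWw%2B&RelayState=%2Fapps%2Fhr"


def relay_state_from_post(body: str):
    """Return the RelayState form field of an IdP-initiated POST, or None."""
    fields = parse_qs(body, keep_blank_values=True)
    if "SAMLResponse" not in fields:
        raise ValueError("not a SAML HTTP-POST binding message")
    values = fields.get("RelayState", [])
    return values[0] if values else None


def is_local_target(uri: str) -> bool:
    """Accept a site-relative path or an absolute URL on the SP's own origin.

    In the POST binding RelayState is a separate form field, outside the
    signed SAML XML, so the SP checks it before using it as a redirect target.
    """
    if any(c in uri for c in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(uri)
        if parts.scheme or parts.netloc:
            same_origin = (parts.scheme, parts.hostname) == SP_ORIGIN
            return same_origin and parts.port in (None, 443)
    except ValueError:  # malformed port or bracketed host
        return False
    return uri.startswith("/")


def landing_uri(body: str) -> str:
    """Prefer the IdP-supplied RelayState; fall back to the SP's own setting."""
    relay = relay_state_from_post(body)
    if relay and is_local_target(relay):
        return relay
    return SP_DEFAULT_LANDING


if __name__ == "__main__":
    print(landing_uri(SAMPLE_POST))
```

Validation of the SAMLResponse itself (signature, audience, timestamps) is outside this sketch and must succeed before any redirect is issued.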

Behavior Change