Bug ID 535131: RelayState passed from IdP to SP is not used as a landing URI for IdP initiated SAML SSO

Last Modified: Oct 17, 2018

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1

Fixed In:
12.0.0, 11.6.3.2

Opened: Jul 25, 2015
Severity: 3-Major

Symptoms

When performing IdP-initiated SAML SSO, the Identity Provider (IdP) has the option to send a RelayState to a Service Provider (SP). This RelayState can be used as a URI to redirect users to after authentication is completed. When the BIG-IP system is configured as an SP, it does not use the RelayState received from an IdP as a URL to redirect to after SAML SSO is completed.

Impact

Users will not be redirected to the resource passed from the IdP.

Conditions

The problem occurs when all of these conditions are true:
- BIG-IP is used as the SP.
- IdP-initiated SAML SSO is performed.
- The IdP sends a RelayState to the SP.

Workaround

The SP can be configured with its own RelayState to specify the resource served to users after completion of SAML SSO.

Fix Information

The BIG-IP system, when configured as a SAML Service Provider (SP), will now accept RelayState from an Identity Provider (IdP) to be used as a resource to serve to users after completion of SAML SSO.
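As an added illustration of the fixed behaviour (this is example code written here, not code from the page or from F5's product), the function below picks the post-SSO landing URI the way the fix describes: an IdP-supplied RelayState takes precedence, and the SP-configured RelayState is the fallback. It also adds a check that the page does not mention but any SP should apply before honouring a RelayState as a redirect target: the value must be a same-site relative path or point at an allowed host, since an unvalidated RelayState is a classic open-redirect vector. The `ALLOWED_HOSTS` value and the form field dictionary are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample: hosts the SP is willing to land users on after SSO.
# Hypothetical value; a real deployment would take this from SP configuration.
ALLOWED_HOSTS = {"app.example.com"}


def _is_safe_target(uri, allowed_hosts):
    """True if `uri` is a relative path on this site or an https URL on an allowed host."""
    parts = urlsplit(uri)
    if parts.scheme == "" and parts.netloc == "":
        # Plain relative path. urlsplit already moves "//evil" into netloc, so
        # that case never reaches here; reject backslash variants that some
        # browsers normalise to "//" as well.
        return uri.startswith("/") and not uri.startswith("//") and "\\" not in uri
    if parts.scheme != "https":
        # Rejects http://, javascript:, data:, protocol-relative, etc.
        return False
    # hostname strips userinfo and port, so "https://app.example.com@evil/" fails here.
    return parts.hostname in allowed_hosts


def choose_landing_uri(idp_relay_state, sp_default_relay_state, allowed_hosts=ALLOWED_HOSTS):
    """Return the URI the SP redirects to once SAML SSO has completed.

    Fixed behaviour from the bug: a RelayState sent by the IdP wins over the
    SP-configured RelayState. Added caveat: the IdP value is only honoured if it
    passes _is_safe_target; otherwise the SP default is used.
    """
    if idp_relay_state:
        candidate = idp_relay_state.strip()
        if _is_safe_target(candidate, allowed_hosts):
            return candidate
    return sp_default_relay_state


def landing_uri_from_post(form_fields, sp_default_relay_state, allowed_hosts=ALLOWED_HOSTS):
    """Pull RelayState out of the HTTP-POST binding form that carries SAMLResponse.

    In IdP-initiated SSO the IdP's form POST to the SP's assertion consumer
    service carries the RelayState field next to SAMLResponse.
    """
    return choose_landing_uri(form_fields.get("RelayState"), sp_default_relay_state, allowed_hosts)


if __name__ == "__main__":
    # Constructed sample of the POST body fields the SP would receive.
    sample_post = {"SAMLResponse": "<base64 assertion placeholder>", "RelayState": "/reports/q3"}
    print(landing_uri_from_post(sample_post, "/home"))
```

Before the fix, the BIG-IP SP behaved as if `idp_relay_state` were always empty and only the second branch applied; after the fix the first branch is taken when the IdP supplies a value.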

Behavior Change