Bug ID 555684: BIG-IP as SAML SP uses IP address in HTTP Host header instead of a hostname in ArtifactResolve requests

Last Modified: Oct 01, 2018

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0

Opened: Nov 02, 2015
Severity: 3-Major

Symptoms

When BIG-IP, acting as the SP, resolves an artifact for an assertion, it sends an <ArtifactResolve> request. The request contains an HTTP 'Host' header whose value is an IP address.

Impact

The impact may differ depending on the IdP implementation. This has no effect when BIG-IP is used as the IdP. Depending on its implementation, an IdP may insist that the HTTP 'Host' header contain a hostname instead of an IP address. In that case, the IdP may reject <ArtifactResolve> requests or return an error, thus breaking SSO.

Conditions

This occurs when BIG-IP is used as the SP. The SP receives an artifact that needs to be exchanged for an assertion and creates an <ArtifactResolve> request to send to the IdP.
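To check a captured <ArtifactResolve> request for the symptom described above, the following added example (not F5 code and not part of the original bug record) classifies the 'Host' header of a raw HTTP request as an IP literal or a hostname. The addresses, the hostname idp.example.com, the /artifact path and the SOAP body are constructed sample values.

```python
import ipaddress

# Constructed sample: SOAP body carrying a SAML 2.0 <ArtifactResolve>.
SOAP_BODY = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><samlp:ArtifactResolve '
    b'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed"/>'
    b'</soap:Body></soap:Envelope>'
)

def build_request(host: str) -> bytes:
    """Constructed capture; the /artifact path is a placeholder."""
    return (b"POST /artifact HTTP/1.1\r\nHost: " + host.encode("ascii")
            + b"\r\nContent-Type: text/xml\r\n\r\n" + SOAP_BODY)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body

def host_is_ip_literal(host: str) -> bool:
    """True when the Host value is an IPv4/IPv6 literal, with or without port."""
    if host.startswith("["):            # [IPv6]:port
        host = host[1:].partition("]")[0]
    elif host.count(":") == 1:          # name:port or IPv4:port
        host = host.rpartition(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(raw: bytes) -> str:
    """Label a captured request with respect to the symptom in this bug."""
    headers, body = parse_request(raw)
    if b"ArtifactResolve" not in body:
        return "not-artifact-resolve"
    host = headers.get("host", "")
    if not host:
        return "missing-host"
    return "ip-in-host" if host_is_ip_literal(host) else "hostname-in-host"

if __name__ == "__main__":
    for h in ("192.0.2.10", "192.0.2.10:8443", "[2001:db8::1]:443", "idp.example.com"):
        print(h, "->", classify(build_request(h)))
```

A request labelled ip-in-host matches the symptom; hostname-in-host is what an IdP that validates the 'Host' header expects.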

Workaround

As a workaround, use HTTP-POST binding instead of artifact binding.

Fix Information

None

Behavior Change