Bug ID 555684: BIG-IP as SAML SP uses IP address in HTTP Host header instead of a hostname in ArtifactResolve requests

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:

Opened: Nov 02, 2015
Severity: 3-Major


When BIG-IP as SP resolves artifact for an assertion, SP will sent an <ArtifactResolve> request. Request will contain HTTP 'Host' header, with IP address set as a value.


Impact may differ based on IdP implementation. This does not have any effect if BIG-IP is used as IdP. Based on implementation, IdP may insist on hostname to be present in http 'Host' header instead of an IP address. If that is the case, IdP may choose to reject <ArtifactResolve> requests, or return an error, thus breaking SSO.


This occurs when BIG-IP is used as SP. SP received artifact that needs to be exchanged for assertion. SP creates <ArtifactResolve> request to be sent to IdP.


As a workaround, use HTTP-POST binding instead of artifact binding.

Fix Information


Behavior Change