Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0
Opened: Nov 02, 2015 Severity: 3-Major
When BIG-IP as SP resolves an artifact for an assertion, the SP sends an <ArtifactResolve> request. The request contains an HTTP 'Host' header with an IP address as its value.
Impact may differ based on IdP implementation. This has no effect if BIG-IP is used as IdP. Depending on its implementation, an IdP may require a hostname, rather than an IP address, in the HTTP 'Host' header. If so, the IdP may reject <ArtifactResolve> requests or return an error, breaking SSO.
This occurs when BIG-IP is used as SP. The SP receives an artifact that needs to be exchanged for an assertion, and creates an <ArtifactResolve> request to send to the IdP.
As a workaround, use HTTP-POST binding instead of artifact binding.
None
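An IdP-side check for the symptom described above, added here as an example and not F5 or IdP vendor code: it classifies a captured HTTP request as an <ArtifactResolve> whose 'Host' header carries an IP literal or a hostname. The sample request, its path, host values and artifact value are constructed for illustration, and the element match is a heuristic on the raw body.

```python
import ipaddress
import re

# Heuristic match for an opening ArtifactResolve element with any namespace prefix.
ARTIFACT_RESOLVE = re.compile(rb"<(?:[\w.-]+:)?ArtifactResolve[\s>/]")

def sample_request(host: str) -> bytes:
    """Constructed request; path, host values and artifact are made up."""
    return (
        f"POST /saml/artifact HTTP/1.1\r\nHost: {host}\r\n"
        "Content-Type: text/xml\r\n\r\n"
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body>"
        '<samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
        "<samlp:Artifact>CONSTRUCTED-ARTIFACT</samlp:Artifact>"
        "</samlp:ArtifactResolve></soap:Body></soap:Envelope>"
    ).encode("ascii")

def host_is_ip_literal(host_value: str) -> bool:
    """True if the Host value is an IPv4/IPv6 literal, with or without a port."""
    host = host_value.strip()
    if host.startswith("["):            # bracketed IPv6, optional :port
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # hostname or IPv4 followed by :port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify_request(raw: bytes) -> str:
    """Classify one raw HTTP request by the form of its Host header."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if not ARTIFACT_RESOLVE.search(body):
        return "not-artifact-resolve"
    hosts = [line.split(b":", 1)[1].decode("latin-1")
             for line in head.split(b"\r\n")[1:]
             if line.lower().startswith(b"host:")]
    if len(hosts) != 1:                 # missing or duplicated Host header
        return "bad-host-count"
    return "ip-host" if host_is_ip_literal(hosts[0]) else "hostname-host"

if __name__ == "__main__":
    for h in ("192.0.2.10:8443", "idp.example.com", "[2001:db8::1]:443"):
        print(h, "->", classify_request(sample_request(h)))
```

Requests classified as `ip-host` are the ones an IdP that insists on a hostname would be expected to reject.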