Last Modified: Apr 10, 2019
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4
Opened: Nov 02, 2015
When BIG-IP, acting as SP, resolves an artifact for an assertion, it sends an <ArtifactResolve> request. The request contains an HTTP 'Host' header whose value is an IP address.
Impact may differ based on the IdP implementation. This does not have any effect if BIG-IP is used as IdP. Depending on its implementation, the IdP may insist on a hostname being present in the HTTP 'Host' header instead of an IP address. If that is the case, the IdP may reject <ArtifactResolve> requests or return an error, thus breaking SSO.
This occurs when BIG-IP is used as SP. The SP receives an artifact that needs to be exchanged for an assertion and creates an <ArtifactResolve> request to send to the IdP.
As a workaround, use HTTP-POST binding instead of artifact binding.
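To confirm whether a deployment shows this behaviour, the outbound request from the SP to the IdP can be inspected in a capture. The following is an added example, not F5 code: it classifies a raw HTTP request by whether it carries an <ArtifactResolve> element and whether its 'Host' header is an IP literal. The function names, the request path and the sample requests are constructed for illustration.

```python
import ipaddress
import re

# Heuristic match for the <ArtifactResolve> element, with or without a prefix.
ARTIFACT_RESOLVE = re.compile(rb"<(?:[\w.-]+:)?ArtifactResolve[\s>]")

def host_is_ip_literal(value: str) -> bool:
    """True when a Host header value is an IPv4/IPv6 literal (port ignored)."""
    host = value.strip()
    if host.startswith("["):                 # [IPv6] or [IPv6]:port
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:               # name:port or IPv4:port
        host = host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify_request(raw: bytes) -> str:
    """Classify one captured HTTP request from the SP to the IdP."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if not ARTIFACT_RESOLVE.search(body):
        return "not-artifact-resolve"
    if "host" not in headers:
        return "no-host-header"
    return "host-is-ip" if host_is_ip_literal(headers["host"]) else "host-is-name"

def sample_request(host: str) -> bytes:
    """Constructed sample request; the path, ID and artifact are placeholders."""
    body = (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        '<samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_constructed" Version="2.0"><samlp:Artifact>CONSTRUCTED</samlp:Artifact>'
        "</samlp:ArtifactResolve></soap:Body></soap:Envelope>"
    )
    head = f"POST /artifact-resolution HTTP/1.1\r\nHost: {host}\r\nContent-Type: text/xml\r\n"
    return (head + f"Content-Length: {len(body)}\r\n\r\n" + body).encode()

if __name__ == "__main__":
    for h in ("192.0.2.10", "192.0.2.10:8443", "[2001:db8::1]:443", "idp.example.com"):
        print(h, "->", classify_request(sample_request(h)))
```

A result of "host-is-ip" on the artifact-resolution request matches the behaviour described above; whether the IdP rejects such a request depends on the IdP.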