Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Fixed In:
12.1.0
Opened: Jan 27, 2016 Severity: 3-Major
BIG-IP as IdP supports both SP-initiated and IdP-initiated SSO with Office 365. When SP-initiated SSO uses the HTTP-POST binding and the SSO POST request also carries a query parameter, authentication fails.
SAML SSO will fail.
All of these conditions must be true:
- BIG-IP is used as IdP
- Office 365 is used as SP
- User performs SP-initiated SSO
- HTTP-POST binding is used for SP-initiated SSO
- SSO request contains a query part in addition to the POST body, e.g.: POST /saml/idp/profile/redirectorpost/sso?username=user ...
As a workaround, an iRule that strips the query part from the SAML POST requests can be used:

    when HTTP_REQUEST {
        if { [HTTP::method] eq "POST" } {
            if { [HTTP::uri] contains "/saml/idp/profile/redirectorpost/sso?" } {
                HTTP::uri /saml/idp/profile/redirectorpost/sso
            }
        }
    }
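The following is an added Python example, not code from the bug page or from F5, that reproduces the failing condition and the workaround outside of BIG-IP: it builds a constructed SP-initiated HTTP-POST binding request (base64-encoded AuthnRequest in the SAMLRequest form field) aimed at the IdP path from the page with an extra query part, then applies the same normalization the iRule performs (POST only, that path only, query removed, headers and body untouched) and checks that the SAMLRequest still decodes afterwards. The hostnames idp.example.test and sp.example.test, the AuthnRequest contents and the function names are assumptions for illustration; the match is on the URI prefix rather than the iRule's `contains`.

```python
import base64
import urllib.parse

# IdP SAML HTTP-POST profile path named on the bug page.
IDP_SSO_PATH = "/saml/idp/profile/redirectorpost/sso"

# Constructed, minimal AuthnRequest (hypothetical issuer and ACS URL).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2016-01-27T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'urn:sp.example.test</saml:Issuer></samlp:AuthnRequest>'
)


def build_sp_initiated_post(request_xml: str, query: str = "") -> bytes:
    """Build a constructed HTTP-POST binding request as an SP would send it.

    The HTTP-POST binding carries the AuthnRequest base64-encoded (not
    deflated, unlike HTTP-Redirect) in the SAMLRequest form field. ``query``
    is the extra query part that triggers the bug, e.g. "username=user".
    """
    body = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(request_xml.encode()).decode(),
        "RelayState": "constructed-relay-state",
    }).encode()
    target = IDP_SSO_PATH + ("?" + query if query else "")
    head = (
        f"POST {target} HTTP/1.1\r\n"
        "Host: idp.example.test\r\n"  # assumed IdP hostname
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode()
    return head + body


def strip_sso_query(raw: bytes) -> bytes:
    """Apply the workaround iRule's rule to a raw HTTP request.

    Only a POST whose URI is the IdP SSO path followed by a query part is
    rewritten; every other request, all headers and the body pass through
    unchanged so the SAMLRequest form field is preserved.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line, crlf, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return raw
    method, uri, version = parts
    if method != b"POST" or not uri.startswith((IDP_SSO_PATH + "?").encode()):
        return raw
    new_line = b" ".join([method, IDP_SSO_PATH.encode(), version])
    return new_line + crlf + headers + sep + body


def parse_saml_request(raw: bytes) -> dict:
    """Return path, query, RelayState and the decoded AuthnRequest XML."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    _, uri, _ = request_line.split(b" ")
    path, _, query = uri.decode().partition("?")
    form = urllib.parse.parse_qs(body.decode())
    xml = base64.b64decode(form["SAMLRequest"][0]).decode()
    return {"path": path, "query": query,
            "relay_state": form["RelayState"][0], "xml": xml}


if __name__ == "__main__":
    raw = build_sp_initiated_post(AUTHN_REQUEST, "username=user")
    print("before:", raw.split(b"\r\n", 1)[0].decode())
    fixed = strip_sso_query(raw)
    print("after: ", fixed.split(b"\r\n", 1)[0].decode())
    print("AuthnRequest intact:", parse_saml_request(fixed)["xml"] == AUTHN_REQUEST)
```

Because only the request line changes, the Content-Length header still matches the body and the SP's RelayState survives, which is what makes the query-stripping workaround safe to apply ahead of the IdP handler.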
BIG-IP now accepts SAML SSO requests from Office 365 that contain a query part in the URL and are sent via the HTTP-POST binding.