Bug ID 570309: SP initiated SAML SSO with Office365 may fail if SSO request contains a query

Last Modified: Apr 10, 2019

Affected Product: BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Fixed In:
12.1.0

Opened: Jan 27, 2016
Severity: 3-Major

Symptoms

BIG-IP as IdP supports both SP-initiated and IdP-initiated SSO with Office365. When SP-initiated SSO uses the HTTP-POST binding and the SSO POST request contains a query parameter, authentication fails.

Impact

SAML SSO will fail.

Conditions

All of these conditions must be true:
- BIG-IP is used as IdP
- Office 365 is used as SP
- User performs SP-initiated SSO
- HTTP-POST binding is used for SP-initiated SSO
- SSO request contains a query part in addition to the POST body, e.g.:
  POST /saml/idp/profile/redirectorpost/sso?username=user ...

Workaround

As a workaround, an iRule that strips the query part from SAML POST requests can be used:

    when HTTP_REQUEST {
        # Only POST requests are affected (HTTP-POST binding)
        if { [HTTP::method] eq "POST" } {
            # Match the IdP SSO endpoint only when the URI carries a query part ...
            if { [HTTP::uri] contains "/saml/idp/profile/redirectorpost/sso?" } {
                # ... and rewrite the URI to the bare path, dropping the query
                HTTP::uri /saml/idp/profile/redirectorpost/sso
            }
        }
    }
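To make the workaround's effect concrete, here is an added example (not part of the advisory or of F5's code) that strips the query from a POST to the SSO endpoint the way the iRule does, and then parses the HTTP-POST binding so that only the SAMLRequest form field in the body is acted on. The endpoint path is the one the advisory quotes; the AuthnRequest, ACS URL, RelayState and query values are constructed sample data.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SSO_PATH = "/saml/idp/profile/redirectorpost/sso"  # IdP endpoint path quoted in the advisory
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def strip_sso_query(method, uri):
    """Same intent as the workaround iRule: a POST to the SSO endpoint that
    carries a query part is rewritten to the bare path; anything else is untouched."""
    parts = urlsplit(uri)
    if method == "POST" and parts.path == SSO_PATH and parts.query:
        return SSO_PATH
    return uri


def parse_post_binding(method, uri, body):
    """Parse an SP-initiated request sent with the SAML HTTP-POST binding.
    The AuthnRequest travels base64-encoded in the SAMLRequest form field of
    the body; a query part in the URL is outside the binding, so it is only
    reported back, never interpreted."""
    if method != "POST":
        raise ValueError("HTTP-POST binding requires POST")
    parts = urlsplit(uri)
    if parts.path != SSO_PATH:
        raise ValueError("unexpected SSO path %r" % parts.path)
    form = parse_qs(body, strict_parsing=True)
    if "SAMLRequest" not in form:
        raise ValueError("body carries no SAMLRequest form field")
    root = ET.fromstring(base64.b64decode(form["SAMLRequest"][0], validate=True))
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("SAMLRequest is not an AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {"id": root.get("ID"),
            "issuer": None if issuer is None else issuer.text,
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "relay_state": form.get("RelayState", [None])[0],
            "ignored_query": parts.query}


# Constructed sample: a minimal AuthnRequest as Office 365 (SP entity ID
# urn:federation:MicrosoftOnline) would post, with the query part the advisory shows.
SAMPLE_XML = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
              'IssueInstant="2016-01-27T00:00:00Z" AssertionConsumerServiceURL="https://sp.example.test/acs">'
              '<saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer></samlp:AuthnRequest>'
              ) % (NS["samlp"], NS["saml"])
SAMPLE_BODY = "SAMLRequest=%s&RelayState=abc" % quote(base64.b64encode(SAMPLE_XML.encode()).decode())
SAMPLE_URI = SSO_PATH + "?username=user"
```

Feeding SAMPLE_URI through strip_sso_query before parse_post_binding reproduces the iRule's effect: the parsed result is identical except that the reported query part is empty.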

Fix Information

BIG-IP now accepts SAML SSO requests from Office365 containing a query in the URL and sent via HTTP-POST binding.

Behavior Change