Bug ID 570309: SP initiated SAML SSO with Office365 may fail if SSO request contains a query

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
12.1.0

Opened: Jan 27, 2016

Severity: 3-Major

Symptoms

BIG-IP as IdP supports both SP-initiated and IdP-initiated SSO with Office365. When SP-initiated SSO is used with the HTTP-POST binding and the SSO POST request also contains a query parameter, authentication fails.

Impact

SAML SSO will fail.

Conditions

All of these conditions must be true:
- BIG-IP is used as IdP
- Office 365 is used as SP
- User performs SP-initiated SSO
- HTTP-POST binding is used for SP-initiated SSO
- SSO request contains a query part in addition to the POST body, e.g.:
  POST /saml/idp/profile/redirectorpost/sso?username=user ...

Workaround

As a workaround, an iRule that strips the query part from the SAML POST requests can be used:

    when HTTP_REQUEST {
        if { [HTTP::method] eq "POST" } {
            if { [HTTP::uri] contains "/saml/idp/profile/redirectorpost/sso?" } {
                HTTP::uri "/saml/idp/profile/redirectorpost/sso"
            }
        }
    }
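The following iRule is an added example, not the workaround from the F5 bug record. It narrows the same idea: the match is on the exact endpoint path (HTTP::path) rather than a "contains" test on the whole URI, the rewrite happens only when a query part is actually present (HTTP::query), and the dropped query is logged so the change is visible in the LTM log. The endpoint path is the one given in the Conditions section; the log facility and message format are assumptions.

```tcl
# Added example (not F5's own code): narrower variant of the workaround iRule.
# Strips the query part from SAML POST requests to the BIG-IP IdP endpoint so
# that SP-initiated SSO from Office 365 is not rejected (Bug ID 570309).
when HTTP_REQUEST {
    # Path of the BIG-IP IdP endpoint for the HTTP-POST binding, from the bug record.
    set sso_path "/saml/idp/profile/redirectorpost/sso"

    # Match the method and the exact path; HTTP::path excludes the query part,
    # so "/saml/idp/profile/redirectorpost/sso?username=user" still matches here.
    if { [HTTP::method] equals "POST" && [HTTP::path] equals $sso_path } {
        set query [HTTP::query]
        if { $query ne "" } {
            # The SAMLRequest travels in the POST body, so the query part is not
            # needed for SSO. Record what was dropped, then rewrite the URI to the
            # bare path (assumed log facility: local0).
            log local0. "Stripping query from SAML POST by [IP::client_addr]: $query"
            HTTP::uri $sso_path
        }
    }
}
```

Attach the iRule to the virtual server that fronts the IdP endpoint. Because the logged query can carry parameter values such as the username shown in the Conditions example, keep the log statement during troubleshooting and remove it, or log only parameter names, once the rewrite is confirmed to work.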

Fix Information

BIG-IP now accepts SAML SSO requests from Office365 containing a query in the URL and sent via HTTP-POST binding.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips