Bug ID 574435: BIG-IP as a SAML Service Provider may fail to resolve Artifact for Assertion when route domains are configured

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
13.0.0

Opened: Feb 18, 2016

Severity: 3-Major

Symptoms

BIG-IP as a SAML Service Provider fails to resolve Artifact for Assertion when using a default route domain other than 0 in administrative partitions other than "Common".

Impact

BIG-IP can fail to resolve the Artifact for an Assertion, which in turn causes SAML SSO to fail.

Conditions

- SAML Service Provider objects 'apm aaa saml' and 'apm aaa saml-idp-connector' are created in an administrative partition other than 'Common'.
- A default route domain other than 0 is used for the partition where the objects are created.
- BIG-IP is used as a SAML Service Provider and is configured to use Artifact binding.

Workaround

Configure SAML Service Provider to use HTTP-POST binding instead of Artifact binding.

Fix Information

BIG-IP as SAML Service Provider will use default route domain from administrative partition "Common" to resolve Artifact for Assertion.
