Bug ID 590601: BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed

Last Modified: Mar 21, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0

Fixed In:
13.0.0, 12.1.0 HF1

Opened: May 02, 2016
Severity: 3-Major

Symptoms

After an end user successfully performs SP-initiated SAML SSO with an original request URI other than "/", the SP redirects the user back to "/" as the landing URI.

Impact

User is not redirected to original request URI.

Conditions

BIG-IP is used as a SAML SP and no relay state is configured on either the SP or the IdP.

Workaround

The workaround below works when the first client request to BIG-IP as SP is a 'GET'. It is not applicable when the first client request is a 'POST'.

The SP object can be configured with a relay state pointing to the landing URI: %{session.server.landinguri}

After successful authentication, the end user is redirected to the landing URI (reflected back by the IdP in the relay state).

Fix Information

SAML SSO requests will now be redirected to the original request URI.

Behavior Change