Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0
Fixed In:
13.0.0, 12.1.0 HF1, 11.6.5.2
Opened: May 02, 2016 Severity: 3-Major
After end-user successfully performs SP initiated SAML SSO with a original request URI other then "/", SP will redirect user back to '/' as landing URI.
User is not redirected to original request URI.
BIG-IP is used as SAML SP and no relay state is configured on either SP or IdP
Workaround provided below works when first client request to BIG-IP as SP is 'GET'. This workaround is not applicable when first client request is 'POST'. SP object can be configured with relay state pointing to the landing URI: %{session.server.landinguri} After successful authentication, end-user will be redirected to the landing URI (reflected back by IdP in the relay-state).
SAML SSO requests will now be redirected to the original request URI.