Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0
Opened: May 20, 2016 Severity: 3-Major
Cannot include <AttributeConsumingService> in the Service Provider (SP) metadata to configure a BIG-IP system as an SP.
Cannot configure a BIG-IP system as an SP.
Configuring SAML federation as an SP requires configuring at least one <AttributeConsumingService>. The configured attribute consuming service(s), along with their corresponding unique AttributeConsumingServiceIndex value(s), must be reported in the exported SP metadata.
AttributeConsumingService is typically used together with AttributeConsumingServiceIndex in either of the following ways:
1. At configuration time, the Service Provider exports metadata and specifies 'AttributeConsumingService' to describe the service and provide a list of requested attributes to be used by the service.
2. At run-time, the Service Provider generates an authentication request to the IdP and specifies 'AttributeConsumingServiceIndex', which is a reference to a particular AttributeConsumingService previously shared using metadata. This index is used by the IdP to identify which AttributeConsumingService should be used to generate an assertion with the relevant attributes.
For #1, the workaround is to manually edit the exported-by-SP metadata to include the AttributeConsumingService element. Note: In this case, the exported metadata cannot be digitally signed.
There is no workaround for #2, so even if the metadata is edited, BIG-IP as SP will not include AttributeConsumingServiceIndex in authentication requests.
Support for configuring Attribute Consuming Service(s) for SAML SP was added. On exporting SP metadata, the configured Attribute Consuming Service(s) along with the corresponding unique Attribute Consuming Service Index(es) are part of the metadata. The metadata can be shared with an IdP, and the SP can generate an authentication request with an Attribute Consuming Service Index (a reference to a particular Attribute Consuming Service). If the IdP supports Attribute Consuming Service, the index in the request is used by the IdP to identify which AttributeConsumingService should be used to generate an assertion with the relevant attributes.
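The two halves of the exchange described above (AttributeConsumingService published in SP metadata, AttributeConsumingServiceIndex referenced in the AuthnRequest, and the IdP mapping the index back to the requested attributes), as an added example that is not F5 code; the entity IDs, service names and attribute OIDs are constructed sample values:

```python
# Added example (not BIG-IP code): SP metadata with AttributeConsumingService
# entries, an AuthnRequest carrying AttributeConsumingServiceIndex, and the
# IdP-side lookup that turns the index into the attributes to assert.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample: unique index -> (service name, requested attribute names).
SERVICES = {
    0: ("HR portal", ["urn:oid:0.9.2342.19200300.100.1.3", "urn:oid:2.5.4.42"]),
    1: ("Finance portal", ["urn:oid:0.9.2342.19200300.100.1.3"]),
}

def build_sp_metadata(entity_id, services):
    """SP side: metadata with one <md:AttributeConsumingService> per configured service."""
    ed = ET.Element(f"{{{NS['md']}}}EntityDescriptor", entityID=entity_id)
    sso = ET.SubElement(ed, f"{{{NS['md']}}}SPSSODescriptor",
                        protocolSupportEnumeration=NS["samlp"])
    for index, (name, attrs) in services.items():
        acs = ET.SubElement(sso, f"{{{NS['md']}}}AttributeConsumingService", index=str(index))
        ET.SubElement(acs, f"{{{NS['md']}}}ServiceName", {XML_LANG: "en"}).text = name
        for attr in attrs:
            ET.SubElement(acs, f"{{{NS['md']}}}RequestedAttribute", Name=attr, isRequired="true")
    return ET.tostring(ed, encoding="unicode")

def build_authn_request(issuer, index):
    """SP side: AuthnRequest whose AttributeConsumingServiceIndex points at one service."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", ID="_req1", Version="2.0",
                     IssueInstant="2025-01-01T00:00:00Z",
                     AttributeConsumingServiceIndex=str(index))
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")

def resolve_requested_attributes(metadata_xml, request_xml):
    """IdP side: map the index in the request to the attribute list published in metadata.
    Raises ValueError if the request references an index the SP never published."""
    index = ET.fromstring(request_xml).get("AttributeConsumingServiceIndex")
    for acs in ET.fromstring(metadata_xml).iterfind(".//md:AttributeConsumingService", NS):
        if acs.get("index") == index:
            return [ra.get("Name") for ra in acs.iterfind("md:RequestedAttribute", NS)]
    raise ValueError(f"unknown AttributeConsumingServiceIndex {index!r}")
```

An SP that omits the index (the #2 case above) leaves the IdP with no way to pick between services, which is why resolving the index is done against the published metadata rather than trusted blindly from the request.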