Bug ID 600178: Support for ProtocolBinding and ProviderName attributes in SAML 2.0 Authentication Requests

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Jun 19, 2016

Severity: 3-Major

Symptoms

This enhancement contains two parts:

1. BIG-IP as SAML IdP: When BIG-IP is used as a SAML identity provider, processing of authentication requests from external service providers may fail if the request does not contain the required AssertionConsumerServiceURL or AssertionConsumerServiceIndex attribute, but instead contains the unsupported 'ProtocolBinding' attribute.
2. BIG-IP as SAML SP: BIG-IP as a service provider cannot be configured to send the ProviderName attribute in authentication requests.

Impact

1. The IdP will fail to process the authentication request, and user authentication will subsequently fail.
2. Authentication requests generated by BIG-IP as SP will not contain the 'ProviderName' attribute.

Conditions

1. BIG-IP is used as a SAML IdP. Authentication requests received from an external SP do not contain the required AssertionConsumerServiceURL/AssertionConsumerServiceIndex attributes.
2. BIG-IP is used as a SAML SP. An attempt is made to configure the 'ProviderName' attribute to be sent to external IdPs with authentication requests.

Workaround

None.

Fix Information

1. BIG-IP as IdP now supports processing of ProtocolBinding in authentication requests from external service providers. ProtocolBinding is a URI reference that identifies the SAML protocol binding to be used when returning the <Response> message. The ProtocolBinding attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the AssertionConsumerServiceURL attribute.
2. BIG-IP as SP now supports a configurable ProviderName attribute in BIG-IP's SAML 2.0 service provider configuration. ProviderName is an attribute of the authentication request that may optionally specify the human-readable name of the requester for use by the presenter's user agent or the identity provider.
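
The attribute rules described above can be checked on a received AuthnRequest before it reaches the IdP. The following is an added example, not F5 code: the function names, result codes and sample requests are constructed for illustration, and the index-with-URL rule comes from the SAML 2.0 core specification rather than from this page.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def inspect_authn_request(xml_text):
    """Check how an AuthnRequest says the <Response> should be returned."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    index = root.get("AssertionConsumerServiceIndex")
    url = root.get("AssertionConsumerServiceURL")
    binding = root.get("ProtocolBinding")
    errors, warnings = [], []
    # The index selects an endpoint from SP metadata, so it cannot be combined
    # with attributes that describe the endpoint inline.
    if index is not None and binding is not None:
        errors.append("index-with-binding")
    if index is not None and url is not None:
        errors.append("index-with-url")
    # ProtocolBinding is typically accompanied by AssertionConsumerServiceURL.
    if binding is not None and url is None:
        warnings.append("binding-without-url")
    return {
        "errors": errors,
        "warnings": warnings,
        "binding": binding,
        # Human-readable display name only; it does not identify the requester.
        "provider_name": root.get("ProviderName"),
    }

def make_request(attrs):
    """Build a constructed sample AuthnRequest with the given attributes."""
    root = ET.Element("{%s}AuthnRequest" % SAMLP, {"ID": "_example", "Version": "2.0"})
    root.attrib.update(attrs)
    return ET.tostring(root, encoding="unicode")

# Constructed samples: names and URLs are placeholders.
BINDING_ONLY = make_request({"ProtocolBinding": POST, "ProviderName": "Example SP"})
BINDING_AND_URL = make_request({"ProtocolBinding": POST,
                                "AssertionConsumerServiceURL": "https://sp.example.com/acs"})
INDEX_AND_BINDING = make_request({"AssertionConsumerServiceIndex": "0", "ProtocolBinding": POST})

if __name__ == "__main__":
    for name in ("BINDING_ONLY", "BINDING_AND_URL", "INDEX_AND_BINDING"):
        print(name, inspect_authn_request(globals()[name]))
```

BINDING_ONLY has the shape of the request from part 1 of the Symptoms: ProtocolBinding present with neither AssertionConsumerServiceURL nor AssertionConsumerServiceIndex.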

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips