Bug ID 601420: Possible SAML authentication loop with IE and multi-domain SSO.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3,

Fixed In:
13.0.0,, 11.6.2

Opened: Jun 25, 2016

Severity: 3-Major


When APM is configured with SAML authentication and multi-domain SSO, Internet Explorer may encounter authentication loop and never complete the access policy.


Using Internet Explorer, the client may not be unable to connect to its desired destination.


APM is configured with SAML authentication and multi-domain SSO.


Chrome and Firefox do not seem to be affected.

Fix Information

Use cookie for session for multi-domain if TOKEN lookup fails. Previously, the cookie was ignored for multi-domain response URI. However, with the introduction of TOKEN based session lookup, this causes a failure if the client retries the request (since the TOKEN was consumed in the request prior to the retry).

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips