Bug ID 601420: Possible SAML authentication loop with IE and multi-domain SSO.

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3

Fixed In:
13.0.0, 11.6.2

Opened: Jun 25, 2016
Severity: 3-Major


When APM is configured with SAML authentication and multi-domain SSO, Internet Explorer may encounter an authentication loop and never complete the access policy.


Using Internet Explorer, the client may be unable to connect to its desired destination.


APM is configured with SAML authentication and multi-domain SSO.


Chrome and Firefox do not seem to be affected.

Fix Information

Use the cookie for the session for multi-domain if the TOKEN lookup fails. Previously, the cookie was ignored for the multi-domain response URI. However, with the introduction of TOKEN-based session lookup, ignoring the cookie causes a failure if the client retries the request, because the TOKEN was already consumed by the request prior to the retry.
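
A minimal model of the retry failure and the cookie fallback described above, added here as an illustration and not F5's code. The class and function names are hypothetical, and the model assumes the first response sets the session cookie that the retry then presents.

```python
import secrets


class SessionStore:
    """Toy model of one-time TOKEN and cookie session lookup (hypothetical names)."""

    def __init__(self):
        self.sessions = {}  # session id -> user
        self.tokens = {}    # one-time TOKEN -> session id

    def create_session(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def issue_token(self, sid):
        token = secrets.token_hex(16)
        self.tokens[token] = sid
        return token

    def lookup(self, token, cookie, cookie_fallback):
        # A TOKEN is single use: pop() consumes it on the first request.
        sid = self.tokens.pop(token, None)
        if sid is None and cookie_fallback and cookie in self.sessions:
            # Fixed behaviour: the retry presents a consumed TOKEN, so fall
            # back to the session cookie, accepted only if it names a live session.
            sid = cookie
        return sid  # None means no session: the client is sent back to authenticate


def replay_retry(cookie_fallback):
    """First request consumes the TOKEN; the client then retries the same URI."""
    store = SessionStore()
    sid = store.create_session("alice")  # constructed sample user
    token = store.issue_token(sid)
    first = store.lookup(token, None, cookie_fallback)
    # The retry carries the same, now consumed, TOKEN plus the session cookie.
    retry = store.lookup(token, first, cookie_fallback)
    return first == sid, retry == sid
```

With `cookie_fallback=False` the retry finds no session, which is the loop condition; with `cookie_fallback=True` the retry resolves to the same session while the TOKEN itself stays single use.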

Behavior Change