Bug ID 618957: Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
13.0.0, 12.1.3

Opened: Sep 26, 2016
Severity: 3-Major


BIG-IP supports import of external SAML SP metadata to create SP-Connector objects. When such metadata file contains two certificates (one with 'signing' and one with 'encryption use) then BIG-IP will import certificate that is positioned 'second' in metadata twice.


There is no impact if in metadata signing and encryption certificates are the same. If certificates are different - SAML SSO may not function properly due to incorrect certificate imported in configuration.


Imported metadata contains two certificates with different use types: 'signing' and 'encryption'


Import certificates manually, and assign them to created from metadata SAML SP connector

Fix Information

Issue is now fixed: both certificates are imported correctly.

Behavior Change