Bug ID 618957: Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
12.1.0, 12.1.1, 12.1.2

Fixed In:
13.0.0, 12.1.3

Opened: Sep 26, 2016

Severity: 3-Major

Symptoms

BIG-IP supports importing external SAML SP metadata to create SP-Connector objects. When such a metadata file contains two certificates (one with 'signing' use and one with 'encryption' use), BIG-IP imports the certificate that is positioned second in the metadata twice.

Impact

There is no impact if the signing and encryption certificates in the metadata are the same. If the certificates are different, SAML SSO may not function properly because an incorrect certificate is imported into the configuration.

Conditions

The imported metadata contains two certificates with different use types: 'signing' and 'encryption'.

Workaround

Import the certificates manually and assign them to the SAML SP connector created from the metadata.

Fix Information

The issue is now fixed: both certificates are imported correctly.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips