Bug ID 632005: BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2

Fixed In:
13.0.0, 12.1.2 HF1

Opened: Dec 06, 2016
Severity: 2-Critical

Symptoms

When BIG-IP is used as a SAML Service Provider (SP), IdP connector creation can be automated from a list of URIs at which IdP metadata is published. Symptom of this issue: when the remotely published metadata changes, BIG-IP is unable to modify the previously created idp-connector object(s) to reflect the change. When the issue occurs, an error similar to the following is logged in /var/log/saml_automation.log: "apm aaa saml-idp-connector *NAME* import-metadata only supports create operations."

Impact

The BIG-IP configuration will not contain the latest changes reflected in the published IdP metadata. The impact depends on what changed in the metadata and ranges from none to user authentication failure (e.g. when the IdP signing certificate changes, assertions signed with the new key no longer verify against the certificate still held in the stale idp-connector object).

Conditions

BIG-IP is used as a SAML SP, IdP connector creation is automated, and the metadata published at the automation URIs changes.

Workaround

When the error is encountered:
- Manually remove the affected idp-connector configuration object(s).
- Restart the samlidpd service: "bigstart restart samlidpd"
The SAML connector automation will then re-create the idp-connector objects from the current, up-to-date metadata files.
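The workaround above, scripted as an added example (this is not F5's code and is not part of the bug page): it scans /var/log/saml_automation.log for the "import-metadata only supports create operations" error, collects the connector names it reports, deletes those objects and restarts samlidpd once. Assumptions not stated on the page: the log line carries a leading timestamp, the names in the log are the object names tmsh expects, and the object is deleted with "tmsh delete apm aaa saml-idp-connector NAME". The sample log at the bottom is constructed so the script can be exercised away from a BIG-IP; by default it runs in dry-run mode and only prints the commands it would execute.

```shell
#!/bin/sh
# Added example, not F5's code: automate the Bug ID 632005 workaround.
# Assumptions (not on the bug page): log lines start with a timestamp, and
# the stale object is removed with "tmsh delete apm aaa saml-idp-connector NAME".

LOG=${LOG:-/var/log/saml_automation.log}
DRY_RUN=${DRY_RUN:-1}     # 1 = only print the tmsh/bigstart commands

# Print the unique idp-connector names that the automation failed to update.
affected_connectors() {
    sed -n 's/.*apm aaa saml-idp-connector \([^ ]*\) import-metadata only supports create operations.*/\1/p' "$1" \
        | sort -u
}

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "DRY RUN: $*"
    else
        "$@"
    fi
}

# Delete every affected idp-connector object, then restart samlidpd once so
# the connector automation re-creates them from the current metadata.
apply_workaround() {
    names=$(affected_connectors "$1")
    if [ -z "$names" ]; then
        echo "no affected connectors found in $1"
        return 0
    fi
    for name in $names; do
        run tmsh delete apm aaa saml-idp-connector "$name"
    done
    run bigstart restart samlidpd
}

# Constructed sample log (timestamp format is an assumption); the error text
# itself is the one quoted in the bug's Symptoms section.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2016-12-06 10:15:01 info: fetching metadata from https://idp.example.test/metadata.xml
2016-12-06 10:15:02 err: apm aaa saml-idp-connector /Common/idp_example import-metadata only supports create operations.
2016-12-06 10:15:03 err: apm aaa saml-idp-connector /Common/idp_example import-metadata only supports create operations.
2016-12-06 10:15:04 err: apm aaa saml-idp-connector /Common/idp_partner import-metadata only supports create operations.
EOF

# Dry run exercises the constructed sample; a real run (DRY_RUN=0 on the
# BIG-IP) works on the actual automation log.
if [ "$DRY_RUN" = "1" ]; then
    apply_workaround "$SAMPLE_LOG"
else
    apply_workaround "$LOG"
fi
```

On a BIG-IP, run it as `DRY_RUN=0 sh workaround.sh` after confirming the dry-run output lists only the connectors you expect; the script deduplicates names so a connector that logged the error on several automation passes is deleted once, and samlidpd is restarted a single time after all deletions.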

Fix Information

When connector automation is deployed, BIG-IP is now able to modify previously created idp-connector object(s) to reflect changes in the published metadata.

Behavior Change