Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Fixed In:
13.0.0, 12.1.2 HF1
Opened: Dec 06, 2016 Severity: 2-Critical
When BIG-IP is used as SAML Service provider (SP), IdP connector creation can be automated using list of URIs containing IdP metadata. Symptom for this issue: When remotely published metadata changes - BIG-IP will not be able to modify previously created idp-connector object(s) to reflect the changes. When issue happens, the error similar to following is logged in /var/log/saml_automation.log : "apm aaa saml-idp-connector *NAME* import-metadata only supports create operations."
BIG-IP configuration will not contain the latest changes reflected in published IdP metadata. This may have different impact based on how metadata is changed. Impact can be from none to user authentication failure (e.g. when IdP signing certificate is changed).
BIG-IP is used as SP. IdP connector creation is automated. Metadata published on automation URIs changes.
When error is encountered: - Manually remove affected idp-connector configuration object - Restart samlidpd service : "bigstart restart samlidpd" As a result, SAML connector automation will re-create new idp-connector objects will current up-to-date metadata files.
BIG-IP is able to modify previously created idp-connector object(s) to reflect the changes when connector automation is deployed.