Bug ID 645203: Configuration load fails after upgrade when a SAML SSO config object is put in a sync-only device group

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP APM, Install/Upgrade(all modules)

Known Affected Versions:

Fixed In:
13.1.0, 13.0.0 HF1

Opened: Feb 15, 2017

Severity: 2-Critical

Related Article: K72361514


Configuration load fails after upgrading BIG-IP from a previous version. The system posts an error similar to the following:

01070734:3: Configuration error: Invalid Devicegroup Reference. The sso_config_saml (/Common/Auth/<object>) requires apm_log_config (/Common/sso-log-setting-Notice) to be syncd to the same devices
Unexpected Error: Loading configuration process failed.


The configuration does not load.


This occurs when a SAML SSO config object or a Form-Based SSO config object is configured in a folder and that folder is in a Sync-Only device group. When upgrading with the existing configuration, the configuration load will fail.
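A pre-upgrade check for the condition above, as an added example that is not F5's code: it flags SSO objects whose folder has a device group while their `apm-log-config` points outside that folder. The one-property-per-line stanza layout, the sample config, and the names `parse` and `at_risk` are assumptions; the check does not confirm that the device group is Sync-Only and does not follow device groups inherited from parent folders.

```python
import re

# Constructed sample in the style of tmsh config stanzas (not from a real device).
SAMPLE_CONFIG = """\
sys folder /Common/Auth {
    device-group /Common/SO1
}
sys folder /Common/Local {
    device-group none
}
apm sso saml /Common/Auth/sso_a {
    apm-log-config /Common/sso-log-setting-Notice
}
apm sso saml /Common/Auth/sso_b {
    apm-log-config /Common/Auth/sso-log-setting-Notice
}
apm sso saml /Common/Local/sso_c {
    apm-log-config /Common/sso-log-setting-Notice
}
"""

# A top-level stanza ends at the first "}" in column 0; nested braces are indented.
STANZA = re.compile(r"^(sys folder|apm sso \S+) (\S+) \{\n(.*?)^\}", re.M | re.S)

def parse(config):
    """Return ({folder: device_group}, [(sso_path, apm_log_config)])."""
    folders, sso = {}, []
    for kind, name, body in STANZA.findall(config):
        props = dict(p for p in (l.strip().split(None, 1) for l in body.splitlines()) if len(p) == 2)
        if kind == "sys folder":
            folders[name] = props.get("device-group", "none")
        elif "apm-log-config" in props:
            sso.append((name, props["apm-log-config"]))
    return folders, sso

def at_risk(config):
    """SSO objects in a device-group folder whose log setting lives outside that folder."""
    folders, sso = parse(config)
    findings = []
    for path, log_cfg in sso:
        folder = path.rsplit("/", 1)[0]
        group = folders.get(folder, "none")
        if group != "none" and log_cfg.rsplit("/", 1)[0] != folder:
            findings.append((path, group, log_cfg))
    return findings

if __name__ == "__main__":
    for path, group, log_cfg in at_risk(SAMPLE_CONFIG):
        print(f"{path}: folder synced via {group}, but log setting is {log_cfg}")
```

Objects it reports are candidates for the workaround before upgrading.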


1. Disassociate the folder from Sync-Only device group using the following commands:

   tmsh modify sys folder <folder name> device-group none
   tmsh save sys config

2. Upgrade and verify config loads.

3. Create log-setting in each folder.

   root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# cd <folder name>/
   root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common/<folder name>)(tmos)# create apm log-setting sso-log-setting-Notice { access add { general-log { log-level { access-control notice } publisher sys-sso-access-publisher } } }

   Repeat this step for each log level: Alert, Critical, Debug, Emergency, Error, Informational, Notice, Warning, and use the appropriate log level accordingly.

4. Modify SSO log-settings to use log-setting created under the folder (<folder name>), according to their previous log level before upgrading. For example:

   root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# modify apm sso saml <folder name>/<sso object name> apm-log-config <folder name>/sso-log-setting-Notice

5. Associate Sync-Only device group SO1 to folder, as shown in the following example:

   root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# modify sys folder <folder name>/ device-group <DG name>

6. Verify config load.

Fix Information

Configuration load now completes successfully after upgrade when a SAML SSO config object is put in a sync-only device group.

Behavior Change
