Bug ID 647645: Accessing SAML Resource may cause reset connection when SSO on access profile contains v1 (NTLM, form based) configuration

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Feb 24, 2017
Severity: 3-Major

Symptoms

Accessing SAML Resource causes RST when Single Sign-On (SSO) on access profile contains V1 configuration (NTLM, form based).

Impact

TCP connection to the client is reset. As a result, APM end user is not able to perform IdP-initiated SAML WebSSO.

Conditions

All of the following: - BIG-IP system is configured and used as SAML Identity Provider. - In-use access profile has both: 1) V1 SSL attached (NTLM, form based) and SAML resources assigned on access policy. - APM end user performs IdP-initiated SAML WebSSO by clicking published SAML resource on the webtop.

Workaround

None.

Fix Information

Assigning V1 SSO profile on access policy no longer causes a connection reset when APM end user performs IdP-initiated SAML WebSSO by clicking published SAML resource on the webtop.

Behavior Change