Bug ID 664507: When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1, 12.1.3.2

Opened: May 12, 2017

Severity: 3-Major

Symptoms

IdP-connector automation removes certificate reference when update to metadata file is detected, and metadata file contains multiple signing certificates

Impact

Certificate reference to remotely published metadata is removed from local configuration (saml-idp-connector object). As a result, assertions generated by external IdP will not be accepted until proper certificate is configured on saml-idp-connector object again.

Conditions

- BIG-IP is used as SAML SP with configured IdP-connector automation via remotely published metadata. - Remotely published SAML metadata contains multiple signing certificates. - Remotely published SAML metadata is periodically updated.

Workaround

When remote metadata is changed, manually update certificate reference on saml-idp-connector object.

Fix Information

When changes to remotely published SAML metadata are detected by IdP-connector automation, certificate is no longer removed from saml-idp-connector object.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips