Bug ID 668129: BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
12.1.3, 12.1.3.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.3.2

Opened: Jun 06, 2017

Severity: 3-Major

Symptoms

Some SAML identity providers advertise more than one signing certificate in their metadata so that signing can move to a new certificate during rotation without a coordinated cut-over. Until now, BIG-IP as a SAML SP accepted only a single signature-verification certificate per external IdP. When the external IdP rotates to another of its advertised certificates, the signature-verification certificate configured on BIG-IP must be updated by hand.
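The following is an added example, not F5 code and not a description of how APM implements the fix. It contrasts an SP that keeps only the first signing certificate from IdP metadata (the behaviour this bug describes) with one that keeps every advertised signing certificate, so a response signed with a rotated-in key still matches a trust anchor. The metadata, the response envelope and the base64 X509Certificate payloads are constructed placeholders; real metadata carries base64 DER certificates, and the fingerprint matching shown here is the step that selects the trust anchor before the XML-DSig signature itself is verified with it (that cryptographic verification is left to a SAML library and not shown).

```python
"""Select SAML signature-verification trust anchors from IdP metadata.

Added example (not F5 code). The certificate payloads are constructed
stand-ins, not real DER certificates; fingerprinting and matching work
the same way on real ones.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def _b64(label: bytes) -> str:
    # Constructed stand-in for a base64-encoded DER certificate.
    return base64.b64encode(label).decode()


# Constructed IdP metadata: two signing KeyDescriptors (the current key and
# the next key pre-published for rotation) plus an encryption-only key that
# must never be accepted as a signing anchor.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b'idp-signing-cert-current')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b'idp-signing-cert-next')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b'idp-encryption-cert')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _fingerprint(b64_cert: str) -> str:
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def signing_fingerprints(metadata_xml: str) -> list[str]:
    """SHA-256 fingerprints of every certificate the IdP advertises for signing.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is kept; 'encryption'-only keys are excluded.
    """
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "encryption":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.append(_fingerprint(cert.text))
    return fps


def response_signing_fingerprint(response_xml: str) -> str:
    """Fingerprint of the certificate the response carries in ds:KeyInfo.

    This certificate is attacker-controlled until it is matched against the
    metadata anchors; it must never be trusted on its own.
    """
    root = ET.fromstring(response_xml)
    cert = root.find("./ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("response carries no signing certificate in KeyInfo")
    return _fingerprint(cert.text)


def trusted_by_single_cert_sp(metadata_xml: str, response_xml: str) -> bool:
    """Pre-fix behaviour: only the first advertised signing certificate is kept."""
    anchors = signing_fingerprints(metadata_xml)[:1]
    return response_signing_fingerprint(response_xml) in anchors


def trusted_by_multi_cert_sp(metadata_xml: str, response_xml: str) -> bool:
    """Fixed behaviour: any advertised signing certificate is an acceptable anchor."""
    anchors = set(signing_fingerprints(metadata_xml))
    return response_signing_fingerprint(response_xml) in anchors


def make_response(cert_label: bytes) -> str:
    """Constructed SAML Response envelope; only KeyInfo matters here, the
    SignatureValue is a placeholder because XML-DSig verification is out of scope."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(cert_label)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


if __name__ == "__main__":
    for label in (b"idp-signing-cert-current", b"idp-signing-cert-next",
                  b"idp-encryption-cert", b"attacker-cert"):
        resp = make_response(label)
        print(f"{label.decode():26} single-cert SP: {trusted_by_single_cert_sp(IDP_METADATA, resp)!s:5} "
              f"multi-cert SP: {trusted_by_multi_cert_sp(IDP_METADATA, resp)}")
```

Run as a script it shows the rotation failure mode: the single-cert SP accepts only the first key and rejects the pre-published next key, while the multi-cert SP accepts both and still rejects the encryption-only key and an unknown certificate. On a real SP the anchor that matched is the key handed to the XML-DSig verifier; a KeyInfo certificate that matches no anchor must fail closed, and the metadata refresh that brings in the rotated key still has to happen before the IdP starts using it.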

Impact

When the external IdP starts signing with a new certificate that it had previously advertised in its metadata, authentication through BIG-IP as SAML SP fails until the administrator configures that certificate as the signature-validation certificate on the corresponding SAML IdP connector object.

Conditions

The external IdP advertises multiple signing certificates in its SAML metadata.

Workaround

The signature-validation certificate on the BIG-IP SAML IdP connector can be updated manually to the certificate the external IdP is currently signing with.

Fix Information

BIG-IP as SAML SP now supports multiple signing certificates advertised by an external identity provider, so signatures made with any of the advertised certificates are accepted.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips