Bug ID 675085: When BIG-IP as SAML IdP is configured to create large assertions, occasionally BIG-IP will not send entire assertion as part of the HTTP response to the client

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
12.1.2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:

Opened: Jul 21, 2017

Severity: 3-Major


When the BIG-IP as SAML IdP is configured to generate assertions larger than 32 KB, occasionally the BIG-IP system might not send the entire assertion as part of the HTTP response to the client, leaving the browser in a waiting state for the rest of the assertion to arrive.


Occasionally, APM end users will not be able to receive full SAML assertion, and therefore, authentication with SAML SP will fail.


-- The BIG-IP system is configured as SAML IdP. -- IdP is configured to include either list of (large) attributes, with assertion size exceeding 32 KB.


When applicable, reconfigure SAML attributes to reduce the size of the generated assertion, i.e., remove unnecessary attributes from the SAML configuration.

Fix Information

The BIG-IP system now supports generating assertions larger than 32 KB.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips