Bug ID 675085: When BIG-IP as SAML IdP is configured to create large assertions, occasionally BIG-IP will not send entire assertion as part of the HTTP response to the client

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Jul 21, 2017
Severity: 3-Major

Symptoms

When the BIG-IP as SAML IdP is configured to generate assertions larger than 32 KB, occasionally the BIG-IP system might not send the entire assertion as part of the HTTP response to the client, leaving the browser in a waiting state for the rest of the assertion to arrive.

Impact

Occasionally, APM end users will not be able to receive full SAML assertion, and therefore, authentication with SAML SP will fail.

Conditions

-- The BIG-IP system is configured as SAML IdP. -- IdP is configured to include either list of (large) attributes, with assertion size exceeding 32 KB.

Workaround

When applicable, reconfigure SAML attributes to reduce the size of the generated assertion, i.e., remove unnecessary attributes from the SAML configuration.

Fix Information

The BIG-IP system now supports generating assertions larger than 32 KB.

Behavior Change