Bug ID 675143: The SAML IdP metadata automation periodic update of metadata file that has Certificate may cause 'Apply Access Policy' to show up even if no changes to the IdP connector object are made.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Fixed In:
14.0.0

Opened: Jul 21, 2017

Severity: 3-Major

Symptoms

On creating a SAML IdP metadata automation object with a metadata file that contains a Certificate, an IdP connector object is created and associated with the SP object after the first timer expiry. If the SP is attached to an Access Policy, 'Apply Access Policy' shows up, as expected. Next, if the metadata file in the automation object changes in a way that affects no IdP connector object fields, 'Apply Access Policy' still shows up after the next timer expiry. This is confusing, because it should not show up when no update was made to the IdP connector object or to its association with the SP object.

Impact

'Apply Access Policy' shows up when there was no update to the IdP connector or the SP-IdP connector join, which is misleading.

Conditions

1. Create a SAML IdP connector automation object pointing to a metadata file that has a Certificate, with the SP object attached to an Access Policy.
2. Wait for the timer to expire the first time.
3. Make sure that the IdP connector object is created from the above metadata and associated with the SP object. Click on 'Apply Access Policy'.
4. Before the next timer event, change some field in the metadata that should not cause any update in the IdP connector object created above.
5. The next time the timer expires, notice that 'Apply Access Policy' still shows up, even though no IdP connector field was updated.

Workaround

None.

Fix Information

The 'Certificate' was always being updated on each periodic refresh, causing 'Apply Access Policy' to show up. Now, the system verifies the checksum of the Certificate and does not update it if it is unchanged. This prevents 'Apply Access Policy' from showing up when there is no actual update.
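The following Python is an added illustration of the comparison the fix describes; it is not F5 code and does not reflect how BIG-IP APM stores connector state internally. It parses an IdP metadata document, derives the connector-relevant fields (entityID, SSO endpoint, and a SHA-256 fingerprint of each signing certificate), and reports which fields differ from a previously stored set. Hashing the decoded certificate rather than comparing its text means a re-wrapped but identical certificate, or a change to an unrelated element such as ContactPerson, produces no update, while a rotated certificate does. The metadata documents and the "certificate" bytes are constructed placeholders, not real IdP metadata or X.509 certificates.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder bytes standing in for DER-encoded X.509 certificates.
# They are NOT real certificates; only their base64 text and hashes matter here.
CERT_A_B64 = base64.b64encode(b"constructed placeholder: IdP signing certificate A").decode()
CERT_B_B64 = base64.b64encode(b"constructed placeholder: IdP signing certificate B").decode()


def build_metadata(cert_b64: str, contact_email: str) -> str:
    """Constructed IdP metadata. entityID, the SSO endpoint and the signing
    certificate are the fields an IdP connector is built from; ContactPerson is not."""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical"><md:EmailAddress>{contact_email}</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""


def cert_fingerprint(b64_text: str) -> str:
    """SHA-256 of the decoded certificate bytes. Line wrapping and indentation
    inside X509Certificate are not part of the certificate, so strip them first;
    comparing the raw text would flag a re-wrapped but identical cert as changed."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def extract_connector_fields(metadata_xml: str) -> dict:
    """Reduce a metadata document to the fields an IdP connector depends on."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.find("md:SingleSignOnService", NS)
    fingerprints = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fingerprints.add(cert_fingerprint(cert.text or ""))
    return {
        "entity_id": root.get("entityID"),
        "sso_binding": sso.get("Binding") if sso is not None else None,
        "sso_location": sso.get("Location") if sso is not None else None,
        "signing_cert_fingerprints": tuple(sorted(fingerprints)),
    }


def connector_update_needed(stored: dict, metadata_xml: str) -> list:
    """Names of connector fields whose value differs from the stored ones.
    An empty list means nothing to apply, so no 'Apply Access Policy' prompt."""
    fresh = extract_connector_fields(metadata_xml)
    return sorted(k for k in fresh if fresh[k] != stored.get(k))


if __name__ == "__main__":
    stored = extract_connector_fields(build_metadata(CERT_A_B64, "ops@idp.example.test"))
    # Contact changed and the same cert re-wrapped onto several lines: no connector change.
    rewrapped = "\n        ".join(textwrap.wrap(CERT_A_B64, 32))
    print(connector_update_needed(stored, build_metadata(rewrapped, "security@idp.example.test")))
    # Certificate rotated: the connector really does need an update.
    print(connector_update_needed(stored, build_metadata(CERT_B_B64, "ops@idp.example.test")))
```

In a real refresh loop, `stored` would be the fingerprint set persisted with the connector at the previous timer expiry; the prompt is raised only when `connector_update_needed` returns a non-empty list.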

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips