Bug ID 676463: Having two SAML IdP metadata automation objects that point to the same metadata and different SP results in 'join fail' of the IdP connector with SP object.

Last Modified: Jan 29, 2019

Bug Tracker

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4

Fixed In:
14.0.0

Opened: Aug 01, 2017
Severity: 3-Major

Symptoms

If two SAML IdP metadata automation objects are created that both point to the same metadata file but to different SP objects, the first object whose timer expires creates the IdP connector, and its association with the SAML SP succeeds. The second object, whose timer expires later, finds the connector already present and reports the following error for its own IdP connector-SP association:

association result result { result_code 16908342 result_message "01020036:3: The requested AAA SAML server SAML IDP connector. -- (/Common/Testing_code /Common/meta1_over_http_original_TWO_cert_bfb602549f9cee02e2bdb90947c884ca) was not found." }
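
A log check for the failure signature above, written as an added example for this page and not code from F5 or from the BIG-IP product. The result code and message text are the ones quoted in Symptoms; the "SAML_IDP_AUTOMATION:" line prefix, the success line with result_code 0, and the function names are assumptions made for the demo. It pulls out the object names the message reports as not found, so an operator reviewing logs on an affected version can see which SP object still needs the manual bind from the Workaround section:

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Signature of the failed IdP connector-SP join quoted in this bug's Symptoms:
# result_code 16908342 carrying a "01020036:3: ... was not found" message.
JOIN_FAIL_RESULT_CODE = 16908342
JOIN_FAIL_ERR_PREFIX = "01020036:3:"

_RESULT_RE = re.compile(
    r'result_code\s+(?P<code>\d+)\s+result_message\s+"(?P<msg>[^"]*)"'
)
_NOT_FOUND_RE = re.compile(r"\((?P<objs>[^)]*)\)\s+was not found")


@dataclass
class JoinFailure:
    result_code: int
    objects: List[str]  # partition-qualified names the message says were not found
    message: str


def parse_join_failure(line: str) -> Optional[JoinFailure]:
    """Return a JoinFailure if the line carries the IdP connector-SP join error, else None."""
    m = _RESULT_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"))
    msg = m.group("msg")
    # Match on either the numeric code or the error-ID prefix; a successful join
    # (constructed below as result_code 0 with an empty message) falls through to None.
    if code != JOIN_FAIL_RESULT_CODE and not msg.startswith(JOIN_FAIL_ERR_PREFIX):
        return None
    objs = _NOT_FOUND_RE.search(msg)
    names = objs.group("objs").split() if objs else []
    return JoinFailure(code, names, msg)


def scan_for_join_failures(lines: List[str]) -> List[JoinFailure]:
    """Run the parser over a batch of log lines and keep only the failures."""
    found = []
    for line in lines:
        failure = parse_join_failure(line)
        if failure is not None:
            found.append(failure)
    return found


# Constructed sample lines. The failure payload is the one quoted in Symptoms;
# the "SAML_IDP_AUTOMATION:" prefix and the success line are assumptions for the demo.
SAMPLE_LINES = [
    'SAML_IDP_AUTOMATION: association result result { result_code 0 result_message "" }',
    'SAML_IDP_AUTOMATION: association result result { result_code 16908342 result_message '
    '"01020036:3: The requested AAA SAML server SAML IDP connector. -- '
    '(/Common/Testing_code /Common/meta1_over_http_original_TWO_cert_bfb602549f9cee02e2bdb90947c884ca) '
    'was not found." }',
]

if __name__ == "__main__":
    for f in scan_for_join_failures(SAMPLE_LINES):
        print(f"join failed (result_code {f.result_code}); objects not found: {', '.join(f.objects)}")
```

The parser keys on both the numeric result code and the "01020036:3:" error-ID prefix so that a line survives even if one of the two is reformatted by the logging path; a line with a different code and no matching prefix is treated as a successful join and skipped.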

Impact

The IdP connector-SP association fails for the automation object whose timer expires later. Only the first automation object to fire has its SP joined to the shared IdP connector; the SP belonging to the later object is left without an IdP connector binding.

Conditions

1. Create two SAML IdP metadata automation objects that both point to the same metadata file but to different SP objects.
2. Wait for one automation object's timer to expire.
3. Verify that the IdP connector object is created and that the IdP connector-SP join is successful.
4. When the next automation object's timer expires, note that the IdP connector-SP association fails.

Workaround

Manually bind the IdP connector (the one created by the first automation object) to the SP object associated with the second IdP metadata automation object.

Fix Information

When two or more IdP metadata automation objects point to the same metadata (and therefore share the same IdP connector object), the IdP connector-SP association now succeeds for each of them.

Behavior Change