Bug ID 677682: When BIG-IP is deployed as a SAML identity provider (IdP), allow APM session variables to be used in the entityID property.

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:
BIG-IP APM(all modules)

Fixed In:
14.0.0

Opened: Aug 09, 2017
Severity: 3-Major

Symptoms

The entityID property of the SAML IdP object ('apm sso saml') accepts only a valid URI as its value; all other values are rejected as invalid. This creates a suboptimal configuration experience in certain use cases. For instance, when a deployment contains two SAML IdP configuration objects that are essentially identical, differing only in the entityID value, validation prevents reusing the same object and mandates the creation of two independent configuration objects.

Impact

None. This is a usability enhancement.

Conditions

BIG-IP is used as SAML Identity Provider with two or more IdP configuration objects. The only difference between two (or more) configured IdP configuration objects is the value of entityID.

Workaround

Create a separate IdP object for each entityID value.

Fix Information

This enhancement supports configuring an APM session variable in the entityID property of SAML Identity Provider ('apm sso saml') objects, thus reducing the number of nearly duplicate IdP configuration objects. NOTE: When a session variable is used in the entityID property of a SAML Identity Provider object, the SAML metadata exported from that object must be edited manually to replace the session variables with valid FQDNs before the metadata is shared with external parties.
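The note above leaves the metadata clean-up as a manual step. The following script is an added example, not F5 code or output, that automates the check a practitioner would want before handing exported IdP metadata to a service provider: it finds any session-variable placeholders left in the export, substitutes the concrete FQDN for each, and verifies that the resulting entityID is an absolute URI. It assumes APM session variables appear in the `%{session.<name>}` form; the sample metadata, the `session.server.network.name` variable and the `idp.example.com` hostname are constructed for illustration.

```python
"""Resolve APM session variables in exported SAML IdP metadata and validate
the entityID before the metadata is shared with a service provider.
Added example; not F5 code. The %{session.<name>} syntax is an assumption."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Assumption: session variables are written as %{session.<dotted.name>}.
SESSION_VAR_RE = re.compile(r"%\{(session\.[A-Za-z0-9_.]+)\}")

# Constructed sample of what an export might look like when entityID carries
# a session variable. This is not real BIG-IP output.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://%{session.server.network.name}/idp">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://%{session.server.network.name}/saml/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def find_session_vars(xml_text):
    """Return the set of session-variable names referenced anywhere in the export."""
    return set(SESSION_VAR_RE.findall(xml_text))


def is_valid_entity_id(value):
    """A SAML entityID must be an absolute URI; also reject leftover placeholders."""
    parts = urlsplit(value)
    return bool(parts.scheme and parts.netloc) and "%{" not in value


def resolve_metadata(xml_text, values):
    """Substitute FQDNs for session variables and validate the result.

    values maps a session-variable name (e.g. 'session.server.network.name')
    to the FQDN that should appear in the shared metadata. Raises ValueError
    if a referenced variable has no mapping, the document is not an
    md:EntityDescriptor, or the resulting entityID is not an absolute URI.
    Returns (entity_id, resolved_xml_text).
    """
    missing = find_session_vars(xml_text) - set(values)
    if missing:
        raise ValueError(f"unmapped session variables: {sorted(missing)}")
    resolved = SESSION_VAR_RE.sub(lambda m: values[m.group(1)], xml_text)
    root = ET.fromstring(resolved)
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID", "")
    if not is_valid_entity_id(entity_id):
        raise ValueError(f"entityID is not an absolute URI: {entity_id!r}")
    return entity_id, resolved


if __name__ == "__main__":
    # Constructed mapping: the FQDN this IdP object is published under.
    fqdns = {"session.server.network.name": "idp.example.com"}
    print("unresolved variables:", sorted(find_session_vars(SAMPLE_METADATA)))
    entity_id, cleaned = resolve_metadata(SAMPLE_METADATA, fqdns)
    print("entityID after substitution:", entity_id)
    print(cleaned)
```

Run the script once per entityID value you intend to publish, and treat any `ValueError` as a reason not to share the export: a placeholder that survives into a service provider's trust configuration will not match the Issuer value the IdP actually sends at runtime.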

Behavior Change