Bug ID 683837: Web browsers may strip query parameters from the logout URL after completing SAML single logout profile.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
12.1.2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6

Fixed In:

Opened: Sep 16, 2017

Severity: 3-Major


When user initiates SAML single logout (SLO) on BIG-IP (either SP or IdP), BIG-IP will attempt to log out user from all external SAML providers by following SLO profile. After SLO profile is completed, user will be redirected back to original URL that started SLO procedure. Newer versions of browsers are known to strip query parameters from this final URL. This may cause redirect to a URL with no query parameter.


Final SLO redirect to original logout URL may be missing a query parameters. Behavior will differ based on the application behind BIG-IP.


BIG-IP is used for SAML deployments as SP or IdP. Single logout profile is configured on BIG-IP. Single logout begins on BIG-IP with URL containing a query parameters.



Fix Information

Issue is now addressed in a way that browsers will no longer strip query parameters from the final SLO redirect.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips