Last Modified: Nov 07, 2022
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 12.1.4, 126.96.36.199, 12.1.5, 188.8.131.52, 184.108.40.206, 220.127.116.11, 12.1.6
Opened: Sep 16, 2017
Severity: 3-Major
When a user initiates SAML single logout (SLO) on BIG-IP (either SP or IdP), BIG-IP attempts to log the user out from all external SAML providers by following the SLO profile. After the SLO profile is completed, the user is redirected back to the original URL that started the SLO procedure. Newer versions of browsers are known to strip query parameters from this final URL. This may cause a redirect to a URL with no query parameters.
The final SLO redirect to the original logout URL may be missing query parameters. Behavior will differ based on the application behind BIG-IP.
BIG-IP is used for SAML deployments as SP or IdP. A single logout profile is configured on BIG-IP. Single logout begins on BIG-IP with a URL containing query parameters.
The issue is now addressed in a way that browsers will no longer strip query parameters from the final SLO redirect.