Bug ID 683837: Web browsers may strip query parameters from the logout URL after completing SAML single logout profile.

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
14.0.0

Opened: Sep 16, 2017
Severity: 3-Major

Symptoms

When a user initiates SAML single logout (SLO) on BIG-IP (acting as either SP or IdP), BIG-IP attempts to log the user out from all external SAML providers by following the SLO profile. After the SLO profile is completed, the user is redirected back to the original URL that started the SLO procedure. Newer versions of browsers are known to strip query parameters from this final URL. This may cause a redirect to a URL with no query parameters.

Impact

The final SLO redirect to the original logout URL may be missing its query parameters. Behavior will differ based on the application behind BIG-IP.

Conditions

BIG-IP is used for SAML deployments as SP or IdP. A single logout profile is configured on BIG-IP. Single logout begins on BIG-IP with a URL containing query parameters.

Workaround

n/a

Fix Information

The issue is now addressed so that browsers no longer strip query parameters from the final SLO redirect.

Behavior Change