Bug ID 685862: BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3

Fixed In:
14.0.0, 13.1.0.4, 12.1.5.1

Opened: Sep 27, 2017

Severity: 3-Major

Symptoms

When BIG-IP is used as a SAML IdP and signing is configured, BIG-IP signs the message with the configured signing key but includes the last certificate from the configured signing certificate chain in the SAML protocol message. The expected behavior is to include the first certificate from the configured signing certificate chain. The same applies to a SAML SP generating SLO request/response messages.

Impact

The impact depends on the SAML implementation at the receiving end of the message sent by BIG-IP. Some implementations may drop a signed SAML message if the last certificate from the bundle is included in it; other implementations accept such signed messages. Note that the signing operation itself is performed correctly by BIG-IP using the configured signing certificate, and the digital signature contains the correct value.

Conditions

All of the following:
- BIG-IP is used as a SAML IdP, or as a SAML SP with SLO configured.
- BIG-IP generates a signed SAML response containing an assertion, or an SLO request/response.
- The signing certificate configured on BIG-IP is a certificate chain and not a single certificate.

Workaround

Instead of using a signing certificate chain, change the BIG-IP SAML IdP/SP configured signing certificate to refer to a standalone signing certificate (a single X509 object) obtained by extracting the first certificate from the chain.
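To illustrate both the workaround and a check for the symptom, the following is an added Python example that is not part of this bug record and not F5's own tooling. It splits a PEM bundle into its certificates, re-serializes only the first (signing) certificate as a standalone PEM object, and inspects the ds:X509Certificate element of a signed SAML Response to report which member of the configured chain was embedded. The certificate bodies and the SAML message are constructed placeholders, not real X.509 DER or a captured BIG-IP message; the script does not validate the XML signature itself, which a SAML library must still do.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# XML Signature namespace used by ds:KeyInfo / ds:X509Certificate in SAML messages.
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(bundle_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order.

    BIG-IP signs with the key belonging to the first entry; the bug embeds the last.
    """
    return [base64.b64decode("".join(body.split()))
            for body in PEM_CERT_RE.findall(bundle_text)]


def to_pem(der):
    """Serialize one DER blob as a single PEM CERTIFICATE object (64-char lines)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def first_certificate_pem(bundle_text):
    """Workaround: extract the first certificate of the chain as a standalone PEM object."""
    chain = split_pem_bundle(bundle_text)
    if not chain:
        raise ValueError("no CERTIFICATE objects found in bundle")
    return to_pem(chain[0])


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def embedded_certificates(saml_xml):
    """DER bytes of every ds:X509Certificate in the message, in document order."""
    root = ET.fromstring(saml_xml)
    return [base64.b64decode("".join((el.text or "").split()))
            for el in root.iter("{%s}X509Certificate" % DS_NS)]


def check_keyinfo_certificate(saml_xml, bundle_text):
    """Report which member of the configured chain the message carries in KeyInfo.

    Returns "signing-cert" when the first chain entry is embedded (expected),
    "chain-position-N" when entry N of the chain was embedded instead (the
    symptom in this bug is N being the last index), "unknown" when the embedded
    certificate is not in the chain at all, and "none" when no certificate
    element is present.
    """
    chain = split_pem_bundle(bundle_text)
    embedded = embedded_certificates(saml_xml)
    if not embedded:
        return "none"
    found = fingerprint(embedded[0])
    if chain and found == fingerprint(chain[0]):
        return "signing-cert"
    for pos, der in enumerate(chain[1:], start=1):
        if fingerprint(der) == found:
            return "chain-position-%d" % pos
    return "unknown"


# Constructed placeholder chain: these byte strings stand in for DER-encoded
# certificates so the example runs offline; they are not real X.509 data.
PLACEHOLDER_CHAIN = [
    b"placeholder DER: signing (leaf) certificate",
    b"placeholder DER: intermediate CA certificate",
    b"placeholder DER: root CA certificate",
]
SAMPLE_BUNDLE = "".join(to_pem(der) for der in PLACEHOLDER_CHAIN)


def sample_response(der):
    """Constructed minimal signed SAML Response skeleton carrying one certificate."""
    cert_b64 = base64.b64encode(der).decode("ascii")
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_constructed-example" Version="2.0">'
        '<ds:Signature xmlns:ds="%s">'
        '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>'
        '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>'
    ) % (DS_NS, cert_b64)


if __name__ == "__main__":
    print("expected  :", check_keyinfo_certificate(sample_response(PLACEHOLDER_CHAIN[0]), SAMPLE_BUNDLE))
    print("bug 685862:", check_keyinfo_certificate(sample_response(PLACEHOLDER_CHAIN[-1]), SAMPLE_BUNDLE))
    print(first_certificate_pem(SAMPLE_BUNDLE), end="")
```

Running the script against a real message means replacing SAMPLE_BUNDLE with the PEM chain configured on the BIG-IP and sample_response() with the decoded SAML Response or SLO message as received; a result of "chain-position-N" with N equal to the last index is the behavior this bug describes, and the PEM returned by first_certificate_pem() is the standalone object the workaround asks you to configure instead of the chain.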

Fix Information

After the fix, BIG-IP includes the first certificate found within the configured signing certificate (chain).

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips