Bug ID 701639: Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP.

Last Modified: May 14, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3

Fixed In:
14.0.0, 13.1.0.4

Opened: Jan 12, 2018
Severity: 3-Major

Symptoms

Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by the BIG-IP system as SP. They are sent as is. This is a behavior change from v12.1.2/v12.1.3/v13.0.0, where, the value gets substituted in the SP's AuthnRequest sent to IDP.

Impact

The generated Authentication Request does not have the session variable resolved. The string is sent as is. The Authentication Request fails and the session cannot be established.

Conditions

On configuring Requested Authentication Context Class in SP to define a session variable similar to the following: %{session.client.type}

Workaround

None.

Fix Information

The system now resolves the session variable in the configured Authentication Context Class for SP while generating the Authentication Request.

Behavior Change