Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
14.0.0, 13.1.0.4
Opened: Jan 16, 2018 Severity: 3-Major
Symptoms:
In a SAML SP-initiated deployment where APM acts as the IdP, a large access policy has 200 or more SAML resources assigned to users. Once the list has grown large enough, adding one more SAML resource to that access policy makes the entire SSO service unusable: no new sessions can be established.

The system builds internal metadata consisting of the names of all assigned SAML resources together with the SSO name. In affected versions this metadata is stored in a fixed buffer of 4 KB. When that limit is reached, the system logs errors similar to the following:

err tmm3[15840]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_TOOBIG. File: ../modules/hudfilter/access/access.c, Function: access_create_saml_meta_data, Line: 21001
err tmm3[15840]: 014d1014:3: /Common/SAML_SSO_access:Common:7a34161c:SAML SSO: Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request.
Impact:
The system logs an error when the access policy runs, and the whole SSO service becomes unusable. No new sessions can be established.
Conditions:
A SAML SSO access policy has a large number of SAML resources assigned to it, such that the combined length of their names is 4 KB or more.
Workaround:
Delete any unused SAML resources from the SAML SSO access policy so that the combined length of the names of all SAML resources assigned to the access policy is less than 4 KB.
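The following is an added example, not F5 code, for estimating whether an access policy's SAML resource list is close to the 4 KB metadata limit described above, and for checking that the workaround (removing unused resources) brings it back under the limit. The page does not document the exact on-box encoding of the metadata, so the size estimate here is an assumption: the SSO name plus each resource name, each followed by a one-byte separator. The SSO name and resource names below are constructed sample values, not taken from a real configuration.

```python
# Added example (not F5's code): estimate the size of the internal SAML
# metadata that affected BIG-IP APM versions hold in a fixed 4 KB buffer,
# and check the workaround of trimming unused SAML resources.

SAML_METADATA_LIMIT = 4096  # 4 KB fixed buffer in affected versions (per the bug article)

# Constructed sample names; the partition prefix mirrors the log line above
# but these objects do not exist on any real box.
SAMPLE_SSO_NAME = "/Common/SAML_SSO_access"


def sample_resource_names(count):
    """Return `count` constructed SAML resource names of equal length."""
    return [f"/Common/saml_res_app_{i:03d}" for i in range(count)]


def estimated_metadata_size(sso_name, resource_names, separator_len=1):
    """Conservative estimate of the metadata size in bytes.

    ASSUMPTION: the metadata is the SSO name followed by every assigned
    resource name, each terminated by `separator_len` bytes. The article
    only says the metadata "consists of the names of all the SAML resources
    along with its SSO name", so the exact layout is not known here.
    """
    size = len(sso_name.encode("utf-8")) + separator_len
    for name in resource_names:
        size += len(name.encode("utf-8")) + separator_len
    return size


def headroom(sso_name, resource_names):
    """Bytes left before the 4 KB limit; negative means the policy is over it."""
    return SAML_METADATA_LIMIT - estimated_metadata_size(sso_name, resource_names)


def exceeds_limit(sso_name, resource_names):
    """True when the estimated metadata would hit the ERR_TOOBIG condition."""
    return estimated_metadata_size(sso_name, resource_names) >= SAML_METADATA_LIMIT


def apply_workaround(sso_name, resource_names, unused_names):
    """Model the documented workaround: drop unused resources from the policy.

    Returns (remaining_names, estimated_size). Order of the remaining names
    is preserved so the result can be compared against the original list.
    """
    remaining = [n for n in resource_names if n not in unused_names]
    return remaining, estimated_metadata_size(sso_name, remaining)


if __name__ == "__main__":
    names = sample_resource_names(200)
    size = estimated_metadata_size(SAMPLE_SSO_NAME, names)
    print(f"{len(names)} resources -> ~{size} bytes, over limit: {exceeds_limit(SAMPLE_SSO_NAME, names)}")

    # Pretend the last 50 resources are unused and remove them.
    kept, new_size = apply_workaround(SAMPLE_SSO_NAME, names, set(names[150:]))
    print(f"after trimming: {len(kept)} resources -> ~{new_size} bytes, "
          f"headroom {headroom(SAMPLE_SSO_NAME, kept)} bytes")
```

Because the real layout may carry more overhead per entry than a single separator byte, treat a positive but small headroom as a warning rather than a pass; the permanent fix is to upgrade to a version listed under Fixed In, where the buffer is allocated dynamically.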
Fix Information:
The system now allocates memory dynamically for the internally stored metadata, so it can handle large lists of assigned SAML resource objects.