Bug ID 755739: SAML metadata import (SP or IdP) fails if the metadata file has both SPSSODescriptor and IdPSSODescriptor

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2

Fixed In:
15.0.0

Opened: Jan 17, 2019
Severity: 4-Minor

Symptoms

If the SAML SP or IDP metadata has both SPSSODescriptor and IdPSSODescriptor tags, the import fails with errors like this:

The metadata file '/var/tmp/1547120861955.upload' being used to create SAML IdP connector 'Kismet' is an SP metadata file.

Impact

Metadata import is not successful.

Conditions

-- The SP or IDP metadata file has both SPSSODescriptor and IdPSSODescriptor tags, and
-- An attempt is made to import it to create SP or IdP connector objects.

Workaround

Use the following workarounds, as appropriate:

-- When importing SP metadata, remove all IDPSSODescriptor tags from the metadata file, i.e., find and remove all '<IDPSSODescriptor...>...</IDPSSODescriptor>' elements, including the opening and closing tags and everything in between.
-- When importing IDP metadata, remove all SPSSODescriptor tags from the metadata file, i.e., find and remove all '<SPSSODescriptor...>...</SPSSODescriptor>' elements, including the opening and closing tags and everything in between.

Note: If the metadata file is signed, the signature within the metadata file must be removed. If it is not, you may experience an MCP error when importing the newly edited metadata file:

Signature verification failed. File contents changed.

To remove the signature from the metadata file, find and remove the signature element, including the opening and closing tags, and everything in between, e.g.: <ds:Signature...>...</ds:Signature>
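The workaround above can be scripted instead of edited by hand. The following is an added example, not F5 code: the function name strip_metadata, the SAMPLE document and its example.test URLs are constructed for illustration. It removes the unwanted role descriptor and every ds:Signature element, and rejects files carrying a DOCTYPE, which SAML metadata does not need.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Role descriptor to drop for each kind of import (per the workaround).
DROP = {"sp": f"{{{MD}}}IDPSSODescriptor", "idp": f"{{{MD}}}SPSSODescriptor"}


def _prune(parent, unwanted, removed):
    """Detach unwanted children; recurse only into elements that are kept."""
    for child in list(parent):
        if child.tag in unwanted:
            parent.remove(child)
            removed.append(child.tag.rsplit("}", 1)[1])
        else:
            _prune(child, unwanted, removed)


def strip_metadata(xml_text, importing):
    """Return (edited_xml, removed_names) for an 'sp' or 'idp' import."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not expected in SAML metadata")
    unwanted = {DROP[importing], f"{{{DS}}}Signature"}
    ET.register_namespace("md", MD)  # keep readable prefixes on output
    ET.register_namespace("ds", DS)
    root = ET.fromstring(xml_text)
    removed = []
    _prune(root, unwanted, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: one entity with both roles and a dummy signature.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://example.test/saml">
  <ds:Signature><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.test/sso"/>
  </md:IDPSSODescriptor>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.test/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    edited, removed = strip_metadata(SAMPLE, "idp")
    print("removed:", removed)
    print(edited)
```

Verify the signature on the original file before editing it, because the edited copy no longer carries one.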

Fix Information

Metadata import is now successful when both SPSSODescriptor and IdPSSODescriptor tags are present, and the connector object is created.

Behavior Change