Bug ID 803225: When SAML request results in an error when it is received by non-SAML aware BIG-IP

Last Modified: Jan 11, 2023

Affected Product(s):
BIG-IP APM(all modules)

Opened: Jul 08, 2019

Severity: 4-Minor


When SAML assertion request is received by BIG-IP that does not act as SAML IDP, the request should be forwarded to the backend resource. However, BIG-IP returns an error with error code 8000.


SAML SP cannot receive SAML assertions from BIG-IP.


This condition occurs when BIG-IP is a non-SAML BIG-IP. It is either a layered BIG-IP or BIG-IP acts as a VPN tunnel. The actual backend server is configured to be BIG-IP SAML IDP. Hence, the non-SAML BIG-IP need to act as passthrough, and forward the SAML request to the backend server. However, it returns an error with error code 8000.


The following iRule need to be deployed on non-SAML BIG-IP to forward SAML request to backend server (which is another BIG-IP configured to be SAML IDP) when HTTP_REQUEST { if { [HTTP::uri] starts_with "/saml/" } { set orig_uri [HTTP::uri] HTTP::uri "/workaround_id_803225$orig_uri" } } when HTTP_REQUEST_RELEASE { if { [info exists orig_uri] } { HTTP::uri $orig_uri } }

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips