Bug ID 803225: When SAML request results in an error when it is received by non-SAML aware BIG-IP

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP APM (all modules)

Opened: Jul 08, 2019

Severity: 4-Minor

Symptoms

When a SAML assertion request is received by a BIG-IP that does not act as a SAML IDP, the request should be forwarded to the backend resource. However, BIG-IP returns an error with error code 8000.

Impact

SAML SP cannot receive SAML assertions from BIG-IP.

Conditions

This condition occurs when the BIG-IP is a non-SAML BIG-IP: it is either a layered BIG-IP or it acts as a VPN tunnel. The actual backend server is configured to be the BIG-IP SAML IDP. Hence, the non-SAML BIG-IP needs to act as a passthrough and forward the SAML request to the backend server. However, it returns an error with error code 8000.

Workaround

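The following iRule needs to be deployed on the non-SAML BIG-IP to forward SAML requests to the backend server (which is another BIG-IP configured to be the SAML IDP):

    when HTTP_REQUEST {
        # Prefix SAML URIs while this BIG-IP processes the request.
        if { [HTTP::uri] starts_with "/saml/" } {
            set orig_uri [HTTP::uri]
            HTTP::uri "/workaround_id_803225$orig_uri"
        }
    }

    when HTTP_REQUEST_RELEASE {
        # Restore the original URI before the request is sent to the backend server.
        if { [info exists orig_uri] } {
            HTTP::uri $orig_uri
            # Variables persist for the life of the connection; clear this one so a
            # later request on the same keep-alive connection is not rewritten.
            unset orig_uri
        }
    }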

Fix Information

None

Behavior Change
