Bug ID 803225: When SAML request results in an error when it is received by non-SAML aware BIG-IP

Last Modified: Aug 06, 2019

Affected Product:
BIG-IP APM (all modules)

Opened: Jul 08, 2019
Severity: 4-Minor

Symptoms

When a SAML assertion request is received by a BIG-IP that does not act as a SAML IDP, the request should be forwarded to the backend resource. However, the BIG-IP returns an error with error code 8000.

Impact

SAML SP cannot receive SAML assertions from BIG-IP.

Conditions

This condition occurs when the BIG-IP is a non-SAML BIG-IP: it is either a layered BIG-IP or it acts as a VPN tunnel. The actual backend server is configured to be a BIG-IP SAML IDP. Hence, the non-SAML BIG-IP needs to act as a passthrough and forward the SAML request to the backend server. However, it returns an error with error code 8000.

Workaround

The following iRule needs to be deployed on the non-SAML BIG-IP to forward SAML requests to the backend server (which is another BIG-IP configured to be a SAML IDP):

    when HTTP_REQUEST {
        # Save the original URI, then prefix /saml/ requests with the workaround path
        if { [HTTP::uri] starts_with "/saml/" } {
            set orig_uri [HTTP::uri]
            HTTP::uri "/workaround_id_803225$orig_uri"
        }
    }

    when HTTP_REQUEST_RELEASE {
        # Restore the original URI before the request is released to the backend
        if { [info exists orig_uri] } {
            HTTP::uri $orig_uri
        }
    }

Fix Information

None

Behavior Change