Bug ID 888145: When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1, 15.1.0, 15.1.1, 15.1.2, 16.0.0, 16.0.1

Fixed In:
16.1.0, 15.1.3

Opened: Mar 07, 2020

Severity: 3-Major


Symptoms

The entityID property of the SAML Service Provider (SP) object ('apm aaa saml') accepts only a valid URI as its value if host is empty. All other values are deemed invalid. This creates a less than optimal configuration experience in certain use cases. For instance, when the deployment contains two SAML SP configuration objects that are essentially identical, differing only in the entityID value, validation prevents reusing the same object and mandates the creation of two independent configuration objects.


Impact

None. This is a usability enhancement.


Conditions

-- The BIG-IP system is used as a SAML SP with two or more SP configuration objects.
-- The only difference between two (or more) configured SP configuration objects is the value of entityID.


Workaround

Creating multiple SP objects.

Fix Information

This enhancement supports configuring an APM session variable in the entityID property of SAML SP ('apm aaa saml') objects, thus reducing the number of nearly duplicate SP configuration objects.

NOTE: When a session variable is used in the entityID property of a SAML SP object, the SAML metadata exported by such an object must be edited manually to replace the session variables with valid FQDN names before the metadata is shared with external parties.
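One way to run the check the NOTE describes before SP metadata leaves the organization, as an added example that is not F5 code: it finds session variables left in an exported metadata file, substitutes operator-supplied FQDNs, and refuses to produce output if any variable is unmapped. It assumes variables appear in the export in the `%{name}` form; the sample metadata, the variable name and the URL paths are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: unresolved APM session variables appear in the export as %{name}.
SESSION_VAR = re.compile(r"%\{([^}]+)\}")
# Conservative FQDN shape: dot-separated LDH labels, alphabetic TLD.
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
ET.register_namespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")

# Constructed sample export; the variable name and URL paths are illustrative.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://%{session.server.network.name}/sp">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://%{session.server.network.name}/example/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def find_session_vars(xml_text):
    """Return sorted names of session variables left in attributes or text."""
    found = set()
    for elem in ET.fromstring(xml_text).iter():
        for value in [*elem.attrib.values(), elem.text or ""]:
            found.update(SESSION_VAR.findall(value))
    return sorted(found)


def resolve_metadata(xml_text, values):
    """Replace every session variable with its FQDN, or raise ValueError."""
    missing = [v for v in find_session_vars(xml_text) if v not in values]
    bad = [f for f in values.values() if not FQDN.match(f)]
    if missing or bad:
        raise ValueError(f"unmapped variables {missing}, invalid FQDNs {bad}")
    swap = lambda text: SESSION_VAR.sub(lambda m: values[m.group(1)], text)
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for key, value in list(elem.attrib.items()):
            elem.set(key, swap(value))
        if elem.text:
            elem.text = swap(elem.text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(resolve_metadata(SAMPLE_METADATA,
                           {"session.server.network.name": "sp.example.com"}))
```

Running `find_session_vars` on the final file as a release gate catches a variable that a manual edit missed in an endpoint URL rather than in entityID itself.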

Behavior Change
