For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Gabriel_V_13146's avatar
Gabriel_V_13146
Icon for Cirrus rankCirrus
Mar 26, 2014

SAML IdP fails to validate the redirect signature

Hello all,   I don't know how to split it, but there are two intertwined issues.. Using F5 APM as IdP (Internal BIGIP-11.4.1-plus-hf2.14-build2) it should support POST and Redirect binding for the...
BIG-IP Access Policy Manager (APM)
deployment
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Mar 26, 2014

I'd like to address some of these concerns.

 

  1. I didn't believe until I saw it for myself, but you appear to be correct concerning the SigAlg and Signature parameters in the SAMLRequest HTTP-Request binding. An APM SP (perhaps incorrectly), when configured to sign authentication requests will embed the signature and signature algorithm in the encoded SAMLRequest. I would recommend opening a case to address this.

     

  2. A multi-domain access policy is not in any way related to SAML, though they have similar characteristics. As to your findings you are again correct. The redirect from the logon URI produces a GET request, and would lose any initial POST to the application URI. There are conceivably ways around this though.