...
BIG-IP as IdP supports both SP-initiated and IdP-initiated SSO with Office365. When SP-initiated SSO is used with the HTTP-POST binding and the SSO POST request contains a query parameter, authentication will fail.
SAML SSO will fail.
All of these conditions must be true:
- BIG-IP is used as IdP.
- Office 365 is used as SP.
- The user performs SP-initiated SSO.
- HTTP-POST binding is used for SP-initiated SSO.
- The SSO request contains a query part in addition to the POST body, e.g.: POST /saml/idp/profile/redirectorpost/sso?username=user ...
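As a workaround, an iRule that strips the query part of SAML POST requests can be used:

    when HTTP_REQUEST {
        # Only SAML SSO requests sent via the HTTP-POST binding are affected
        if { [HTTP::method] eq "POST" } {
            # Rewrite the URI to the bare IdP SSO endpoint, dropping the query part
            if { [HTTP::uri] contains "/saml/idp/profile/redirectorpost/sso?" } {
                HTTP::uri /saml/idp/profile/redirectorpost/sso
            }
        }
    }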
BIG-IP now accepts SAML SSO requests from Office365 containing a query in the URL and sent via HTTP-POST binding.