BugZero | F5 BugID 570309 - SP initiated SAML SSO with Office365 may fail if S...

F5 - Defect ID: 570309

SP initiated SAML SSO with Office365 may fail if SSO request contains a query

F5 - Defect ID: 570309

SP initiated SAML SSO with Office365 may fail if SSO request contains a query

Last updated on July 13th, 2024

BugZero Risk Score
7.1 High

Overall: 7.1

Severity: 7.3

Community: 4.1

Lifecycle: 7.1

What is the BugZero Risk Score?

F5 Integration

Learn more about where this data comes from

F5 Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: 3-Major
Status: Verified
Impact Category: Access Policy Manager

Description

Symptoms

BIG-IP as IdP supports both SP and IdP initiated SSO with Office365. When SP initiated SSO is used with HTTP-POST, and such SSO POST request contains a query parameter, authentication will fail.

Impact

SAML SSO will fail.

Conditions

All of these conditions must be true: - BIG-IP is used as IdP - Office 365 is used as SP - User performs SP initiated SSO - HTTP-POST binding is used for SP initiated SSO. - SSO Request contains a query part in addition to POST body, e.g.: POST /saml/idp/profile/redirectorpost/sso?username=user ...

Workaround

As a workaround, iRule stripping the query part of the SAML POST requests could be used: when HTTP_REQUEST { if { [HTTP::method] eq "POST"} { if { [HTTP::uri] contains "/saml/idp/profile/redirectorpost/sso?" } { HTTP::uri /saml/idp/profile/redirectorpost/sso } } }

Fix Information

BIG-IP now accepts SAML SSO requests from Office365 containing a query in the URL and sent via HTTP-POST binding.

Change history

2025-03-22 Added: 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Links

Original Vendor Announcement

Relevant Products

Click on a version to see all relevant bugs

Affected versions:11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Fixed versions: No known fixed versions

Top F5 Defects by Risk Score

No bugs this month

F5 Integration

Learn more about where this data comes from

F5 Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

F5 - Defect ID: 570309

SP initiated SAML SSO with Office365 may fail if SSO request contains a query

F5 - Defect ID: 570309

SP initiated SAML SSO with Office365 may fail if SSO request contains a query

Last updated on July 13th, 2024

BugZero Risk Score7.1 High

Bug Details

Symptoms

Impact

Conditions

Workaround

Fix Information

Links

Top F5 Defects by Risk Score

Ready to prevent the next vendor outage?

BugZero Risk Score
7.1 High