Symptoms
BIG-IP configured as a SAML IdP supports both SP-initiated and IdP-initiated SSO with Office 365. When SP-initiated SSO uses the HTTP-POST binding and the SSO POST request carries a query string in the URL in addition to the POST body, BIG-IP rejects the request and authentication fails.
Impact
SP-initiated SAML SSO from Office 365 fails and users are not authenticated.
Conditions
All of these conditions must be true:
- BIG-IP is used as the SAML IdP.
- Office 365 is used as the SP.
- The user performs SP-initiated SSO.
- The HTTP-POST binding is used for the SP-initiated SSO request.
- The SSO request contains a query string in the URL in addition to the POST body, e.g.:
POST /saml/idp/profile/redirectorpost/sso?username=user
...
Workaround
As a workaround, an iRule that strips the query string from SAML POST requests can be attached to the virtual server fronting the IdP. The rule matches only POST requests, so the HTTP-Redirect binding, which carries SAMLRequest in the query string of a GET, is not affected:
when HTTP_REQUEST {
    # Only POST requests are touched: with the HTTP-Redirect binding the
    # SAMLRequest travels in the query string of a GET and must be kept.
    if { [HTTP::method] eq "POST" } {
        # Match the SSO endpoint with a query string appended.
        if { [HTTP::uri] contains "/saml/idp/profile/redirectorpost/sso?" } {
            # Replace the URI with the bare path; the POST body is left unchanged.
            HTTP::uri /saml/idp/profile/redirectorpost/sso
        }
    }
}
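The following Python model of the workaround is an added illustration, not BIG-IP or F5 code, and is meant to show which requests the rule touches and which it leaves alone. The SSO endpoint path is the one from the article; the host name, the SAMLRequest value and the sample requests are constructed for the example.

```python
"""Model of the query-stripping workaround, written in Python to show
which requests it touches. Added illustration, not BIG-IP code; the
sample requests below are constructed, not captured."""

SSO_PATH = "/saml/idp/profile/redirectorpost/sso"


def strip_sso_query(raw_request: str) -> str:
    """Return raw_request with the query string removed from its request
    line if, and only if, it is a POST to SSO_PATH that carries a query.

    Headers and body pass through untouched, so the SAMLRequest in the
    form body survives. A GET to the same path (HTTP-Redirect binding,
    SAMLRequest in the query string) is deliberately left alone, as is a
    POST to any other path.
    """
    head, sep, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    if method == "POST" and path == SSO_PATH and query:
        lines[0] = " ".join((method, path, version))
    return "\r\n".join(lines) + sep + body


def request_line(raw_request: str) -> str:
    """First line of a raw HTTP request."""
    return raw_request.split("\r\n", 1)[0]


def request_body(raw_request: str) -> str:
    """Body of a raw HTTP request (empty string if none)."""
    return raw_request.partition("\r\n\r\n")[2]


# Constructed placeholder: URL-encoded base64 of "<samlp:AuthnRequest>".
_SAML_REQUEST = "PHNhbWxwOkF1dGhuUmVxdWVzdD4%3D"
_FORM_BODY = f"SAMLRequest={_SAML_REQUEST}&RelayState=abc"

# SP-initiated HTTP-POST binding with a stray query parameter: the shape
# of request that triggered the failure.
POST_WITH_QUERY = (
    f"POST {SSO_PATH}?username=user HTTP/1.1\r\n"
    "Host: idp.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_FORM_BODY)}\r\n"
    "\r\n"
    f"{_FORM_BODY}"
)

# HTTP-Redirect binding: the SAMLRequest lives in the query string, so
# stripping it here would break SSO. The rule must not touch this one.
GET_REDIRECT = (
    f"GET {SSO_PATH}?SAMLRequest={_SAML_REQUEST}&RelayState=abc HTTP/1.1\r\n"
    "Host: idp.example.com\r\n"
    "\r\n"
)

# A POST with a query string to an unrelated path: also left alone.
POST_OTHER_PATH = (
    "POST /login?next=%2F HTTP/1.1\r\n"
    "Host: idp.example.com\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for name, req in (("POST_WITH_QUERY", POST_WITH_QUERY),
                      ("GET_REDIRECT", GET_REDIRECT),
                      ("POST_OTHER_PATH", POST_OTHER_PATH)):
        print(f"{name}: {request_line(req)}")
        print(f"    -> {request_line(strip_sso_query(req))}")
```

Only the first sample is rewritten; its form body, and therefore the SAMLRequest, is identical before and after, which is the property the workaround relies on.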
Fix Information
BIG-IP now accepts SAML SSO requests from Office 365 that are sent via the HTTP-POST binding and contain a query string in the URL.