Forum Discussion

Ingebrigt_Maurs
May 18, 2016
Solved

SP-initiated SAML SSO doesn't remember landing URL in v 12.0.0

Hi!

 

I recently upgraded to v 12.0.0 (from 11.6.0), and when I retested my SP-initiated SAML SSO setup, I found that it is no longer working properly. Here is what I do:

 

  • In SP initiated SSO the client lands on a URL on the SP, https://my.site.no/some/url
  • The Access Policy will detect that SAML SSO is required, and will redirect the client to the configured IDP for authentication
  • The IDP authenticates the client, and then directs the client to the ACL service at https://my.site.no/saml/sp/profile/post/acs (to get the SAML token verified)
  • The ACL service accepts the SAML token, and redirects the client to https://my.site.no

The problem here is that in the final step the client is redirected to https://my.site.no ( and not https://my.site.no/some/url )

 

Normally a SAML2.0 SSO implementation would use the RelayState header to transmit the original landing URL (first from the SP to the IDP, and then back to the SP again). But it seems BIG-IP relies on some internal mechanism, which worked in 11.6.0, but is broken in 12.0.0?

 

  • Yes, unfortunately v12.0 introduced a bug on this - BZ 590601 - and it is going to be fixed in a later maintenance release of 12.x.x. You can open a case with support, request that it be linked to that bug, and potentially ask about an engineering hotfix. However, there is also a workaround that you can attempt to configure to rectify the behavior.

     

    The workaround provided below works when the first client request to BIG-IP as SP is a 'GET'. It is not applicable when the first client request is a 'POST'.

     

    The SP object can be configured with a relay state pointing to the landing URI: %{session.server.landinguri}

     

    After successful authentication, the end user will be redirected to the landing URI (reflected back by the IdP in the relay state).

     

    Please try to implement the workaround and share whether it works for you to address your needs.
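As an added example, not F5's code and not something posted in this thread: a small Python model of the SP side of the SP-initiated flow the question describes, with the workaround above applied. The hostname and ACS path are the ones from the post; the IdP URL https://idp.example/sso and the SAMLRequest/SAMLResponse placeholder strings are assumptions, and no real assertion signing or XML is involved. It shows the landing URL surviving the round trip only when the SP carries it in RelayState, the GET-only limitation of the workaround (a POST body cannot be replayed by a redirect), and the check an SP should apply before redirecting to a RelayState value it receives back from the IdP, since that value originates from whatever link the user first clicked.

```python
"""Constructed model of an SP handling RelayState in SP-initiated SAML SSO.

Not a real SAML implementation: SAMLRequest/SAMLResponse are placeholders,
the IdP is simulated in-process, and assertion verification is assumed to
have already happened when the ACS handler runs.
"""
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs

SP_HOST = "my.site.no"                   # from the post
ACS_PATH = "/saml/sp/profile/post/acs"   # from the post
IDP_SSO_URL = "https://idp.example/sso"  # assumption: hypothetical IdP
DEFAULT_LANDING = "/"                    # where the SP sends the user when no usable RelayState exists


def relay_state_for(method: str, landing_path: str) -> Optional[str]:
    """Mirror the %{session.server.landinguri} workaround: the landing URI is
    only meaningful when the first request was a GET. A POST's body is not
    carried by a redirect, so no RelayState is produced for it."""
    if method.upper() != "GET":
        return None
    return landing_path


def build_idp_redirect(method: str, landing_path: str) -> str:
    """SP -> IdP: the HTTP-Redirect binding URL the SP sends the browser to.
    RelayState is added only when relay_state_for() yields one."""
    params = {"SAMLRequest": "<deflated-base64-authnrequest>"}  # placeholder
    relay_state = relay_state_for(method, landing_path)
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def idp_reflect(redirect_url: str) -> dict:
    """IdP -> SP (simulated): after authenticating the user, the IdP POSTs a
    SAMLResponse to the ACS and echoes RelayState back byte-for-byte, without
    inspecting it. That is why the SP must validate it on the way back."""
    query = parse_qs(urlsplit(redirect_url).query)
    form = {"SAMLResponse": "<base64-response>"}  # placeholder
    if "RelayState" in query:
        form["RelayState"] = query["RelayState"][0]
    return form


def safe_redirect_target(relay_state: Optional[str]) -> str:
    """Validate a reflected RelayState before using it as a Location header.
    Only a local absolute path (with optional query/fragment) is honoured;
    anything that could leave this SP falls back to DEFAULT_LANDING."""
    if not relay_state:
        return DEFAULT_LANDING
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc:        # https://evil..., //evil..., javascript:...
        return DEFAULT_LANDING
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return DEFAULT_LANDING
    if "\\" in relay_state or "\r" in relay_state or "\n" in relay_state:
        return DEFAULT_LANDING              # backslash host tricks, header injection
    return relay_state


def acs_handle(form: dict) -> str:
    """SP ACS handler: assume the SAMLResponse has been verified; return the
    path the browser is redirected to next."""
    return safe_redirect_target(form.get("RelayState"))


def full_flow(method: str, landing_path: str) -> str:
    """Run one SP-initiated round trip and return the final redirect target."""
    redirect_url = build_idp_redirect(method, landing_path)
    form = idp_reflect(redirect_url)
    return acs_handle(form)


if __name__ == "__main__":
    print(full_flow("GET", "/some/url"))    # lands on the original URL
    print(full_flow("POST", "/some/url"))   # workaround does not apply: "/"
    print(safe_redirect_target("//evil.example/phish"))  # rejected: "/"
```

The fallback to "/" for a POST is exactly the behavior the question reports, which is why the workaround is limited to GET. The validation in safe_redirect_target matters because the IdP reflects RelayState verbatim: without it, a crafted link to the SP turns the post-login redirect into an open redirect. The SAML 2.0 Bindings specification caps RelayState at 80 bytes; many implementations are more lenient, but a long landing URI with query parameters is a known reason for this style of workaround to fail at a strict IdP.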

     

4 Replies

  • Ingebrigt_Maurs
    Thank you for the workaround, this worked for me. Is there a way to be notified when this issue is resolved?