Refer to the sections below for information on some limitations when using SAML.

Certificate Signature Verification

Since LoadMaster firmware version 7.2.40, the signature verification in the case of having a SAML IDP Token Signing certificate, which was signed by your Root Certificate, will not (should not) work.

In previous versions, you could set your SAML IDP Token Signing Certificate on your IDP Provider. The Root certificate configured in your SSO Domain was then used to verify the signature and trust was established.

Since 7.2.40, the certificate in the response must match the certificate assigned in the SAML SSO domain. This means that your certificate can not be created by a Third Party Provider, such as Go Daddy, and it should be a trusted Root Cert.

Persistent Cookies

The persistent cookie feature works with SAML. However, it is susceptible to browser behavior and may be effective to use with Internet Explorer only. Also, depending on testing performed and multiple cookies being in use, the cookie that can be used varies.