Redirect loop with shibboleth SP & apache
Enrique Pérez Arnaud
eperez at emergya.com
Mon May 11 03:11:07 EDT 2015
Hi,
We are experiencing a (in our opinion) weird redirect loop, and would
appreciate any pointer. We have searched the lists and the documentation,
and have found nothing so far.
Our shibboleth SP receives the authn assertion from the idp, decodes and
decrypts it, extracts the attributes, creates a session, and sets a cookie
with the shibboleth session id. Then it redirects to our app, which is
protected by shibboleth:
<Location /v3/auth/OS-FEDERATION/websso/saml2>
    SSLRequireSSL
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_1
    AuthType shibboleth
    ShibExportAssertion Off
    Require valid-user
    #Require shib-attr domain emergya.com
</Location>
But the process never reaches the application code: apache/mod_shib are not
able to recover the session. These are in the apache logs:
==> /var/log/apache2/keystone.log <==
2015-05-08 14:04:23.190042 get_request_config created per-request structure
2015-05-08 14:04:23.190089 AH02034: Subsequent (No.54) HTTPS request received for child 80 (server ipnett-pre.emergya.es:443)
2015-05-08 14:04:23.190136 AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
2015-05-08 14:04:23.190152 AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
2015-05-08 14:04:23.190161 shib_check_user entered in pid (25882)
Both firefox and chrome, and also httpfox and live http headers, say that
they are sending the cookie to our application endpoint. So, the GET
request to our app endpoint seems to be correct, but apache/mod_shib fail
to use it to recover the session, deny authorization, and send the browser
back to the IdP.
We are using shibboleth 2.5.2 and Apache/2.4.7 on ubuntu 14.04.
We attach the apache and shibboleth conf. And you can see a loop in the
shibd.log in [1]. Please ask for any other relevant information if you
have a few minutes to give us a hand.
Thanks for any help
[1] http://pastebin.com/cVXTfJZU
--
Enrique Pérez Arnaud
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keystone.conf
Type: application/octet-stream
Size: 1262 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20150511/18841509/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shibboleth2.xml
Type: text/xml
Size: 7129 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20150511/18841509/attachment-0001.xml>
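A log check for the symptom described in the message above, added here as an example (not code from the poster or from the Shibboleth project): it rejoins hard-wrapped entries of the Apache error log format shown in the post and flags repeated shib_check_user attempts with no granted authorization in between. The sample log is constructed from the post's lines; the ": granted" line format, the threshold of 3 and the 10-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) (.*)$")
# Assumption: a successful check logs the same AH01626 line ending in ": granted".
GRANTED = re.compile(r"authorization result of .*: granted$")

def parse(text):
    """Return [(timestamp, message)]; a line without a timestamp is a
    hard-wrapped continuation of the previous entry, as in the post."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = TS.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            entries.append([when, m.group(2)])
        elif line and entries and not line.startswith("==>"):
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]

def find_loop(entries, threshold=3, window=timedelta(seconds=10)):
    """Return the timestamps of `threshold` mod_shib authentication attempts
    inside `window` with no granted authorization between them, else []."""
    run = []
    for when, msg in entries:
        if GRANTED.search(msg):
            run = []                      # a session was recovered: not a loop
        elif "shib_check_user entered" in msg:
            run = [t for t in run if when - t <= window] + [when]
            if len(run) >= threshold:
                return run
    return []

def sample(seconds, granted_after=None):
    """Constructed log: the denied/shib_check_user pair from the post, repeated."""
    out = []
    for i, s in enumerate(seconds):
        ts = f"2015-05-08 14:04:{s:02d}"
        out += [f"{ts}.190136 AH01626: authorization result of Require",
                "valid-user : denied (no authenticated user yet)",
                f"{ts}.190161 shib_check_user entered in pid (25882)"]
        if granted_after is not None and i >= granted_after:
            out.append(f"{ts}.190900 AH01626: authorization result of "
                       "Require valid-user : granted")
    return "\n".join(out)

LOOP_LOG = sample([23, 25, 27])
HEALTHY_LOG = sample([23, 25, 27], granted_after=1)

if __name__ == "__main__":
    print("loop:", find_loop(parse(LOOP_LOG)))
    print("healthy:", find_loop(parse(HEALTHY_LOG)))
```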