Redirect loop with shibboleth SP & apache

Peter Schober peter.schober at
Mon May 11 04:43:02 EDT 2015

* Enrique Pérez Arnaud <eperez at> [2015-05-11 09:11]:
> ==> /var/log/apache2/keystone.log <==
> 2015-05-08 14:04:23.190042 get_request_config created per-request structure
> 2015-05-08 14:04:23.190089 AH02034: Subsequent (No.54) HTTPS request
> received for child 80 (server
> 2015-05-08 14:04:23.190136 AH01626: authorization result of Require
> valid-user : denied (no authenticated user yet)
> 2015-05-08 14:04:23.190152 AH01626: authorization result of <RequireAny>:
> denied (no authenticated user yet)

That doesn't seem to match your httpd config, which shows a listener
only on port 5000 (the log above says

Looks like an ordinary httpd 2.4 authz issue (I'm still confused by
2.4's new authz model, so can't advise).

> We attach the apache and shibboleth conf.

Some more comments:

What gave you the impression you'd have to set the SP's entityID to
"" specifically?

Also, what gave you the impression you'd have to create an
ApplicationOverride, creating a second virtual SP? Often this is not
required and even if it is it requires extra SAML metadata for the
second virtual SP given to the IDP, which you possibly have
neglected. Pay special attention to the page
including the section "Valid and Invalid Reasons for Additional

More importantly, it does not make any sense to create a second
virtualized SP and give it the exact same (weird, as per above) entityID
as the default one. The sole purpose of being able to specify an
entityID for the ApplicationOverride is for the entityID to be
different. (Iff you determined that you absolutely require the use of
an ApplicationOverride to begin with.)

So I'd start by commenting out the application override in your
shibboleth2.xml and commenting out the applicationId parameter in your
httpd conf. Then try again, and this time also check your Shib logs
(including native.log).
