Redirect loop with shibboleth SP & apache

Peter Schober peter.schober at univie.ac.at
Mon May 11 05:49:44 EDT 2015


* Enrique Pérez Arnaud <eperez at emergya.com> [2015-05-11 11:30]:
> > What gave you the impression you'd have to set the SP's entityID to
> > "https://ipnett-pre.emergya.es:5000/Shibboleth.sso" specifically?
> > See https://wiki.shibboleth.net/confluence/display/CONCEPT/EntityNaming
> 
> 
> We changed it to https://ipnett-pre.emergya.es/Shibboleth.sso

I'd also drop the URI part that identifies the content handler for
mod_shib. It's a name, it doesn't need to resolve to anything, and
certainly not to a URL that returns HTTP 500 status (Internal Server
Error).

> > So I'd start by commenting out the application override in your
> > shibboleth2.xml and commenting out the applicationId parameter in your
> > httpd conf. Then try again, and this time also check your Shib logs
> > (including native.log).
> 
> If we do that, when, after logging in to the IdP, the browser is
> redirected to our app (that requires shibboleth authn), we get a 404
> response with body:
> 
> {"error": {"message": "Could not find Identity Provider:
> https://ipnett-idp.emergya.es/idp/shibboleth", "code": 404, "title": "Not
> Found"}}

1. Doing "that" (i.e., not using an application override with a
nonsensical duplicate entityID) is the normal way of running the
software. Everyone does it that way. If you're experiencing issues
with "that", the workaround is not to apply bogus config changes that
mask any actual underlying errors.

2. I don't know what that JSON is or where it comes from, but it's not
coming from the Shibboleth SP.
Note that the Shib SP does know your IDP, as it sends a SAML authn
request to the IDP when asked to (e.g. by accessing
/Shibboleth.sso/Login) which it couldn't if it "Could not find [the]
Identity Provider".

> I have all logs set to DEBUG, but after the 404 all I can see in the
> logs is:

The Shib SP does not issue an HTTP 404 when it's confronted with an
unknown entityID.

>         <!--MetadataProvider type="XML" file="idp_1-metadata.xml"/-->
>         
>         <ApplicationOverride id="idp_1" entityID="https://ipnett-pre.emergya.es/Shibboleth.sso">
>         </ApplicationOverride>
> 
>     </ApplicationDefaults>

Note that the ApplicationOverride is still in your config.
-peter
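As an added illustration (not part of the thread, and not the Shibboleth project's own shipped configuration), this is the shape the relevant part of shibboleth2.xml takes when the advice above is followed: no ApplicationOverride, a single entityID that is just a name, the IdP's metadata actually loaded, and the SSO handler pointed at the IdP's entityID. The IdP entityID and the idp_1-metadata.xml filename are taken from the thread; the SP entityID's "/shibboleth" suffix, the session settings and the REMOTE_USER list are assumptions chosen for the example.

```xml
<!-- Added example, not from the thread: a fragment of shibboleth2.xml (SP 2.x).
     The entityID is only a name; it need not resolve to any URL. -->
<ApplicationDefaults entityID="https://ipnett-pre.emergya.es/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
        <!-- Single IdP: the AuthnRequest is sent straight to it. -->
        <SSO entityID="https://ipnett-idp.emergya.es/idp/shibboleth">
            SAML2
        </SSO>
        <!-- /Shibboleth.sso/Session shows whether a session exists and which IdP issued it. -->
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
    </Sessions>

    <!-- The IdP's metadata must be loaded; without it the SP cannot build a request to the IdP. -->
    <MetadataProvider type="XML" file="idp_1-metadata.xml"/>

    <!-- No ApplicationOverride: a second entityID for the same SP is not needed. -->
</ApplicationDefaults>
```

The matching httpd configuration is then a plain protected Location (AuthType shibboleth, ShibRequestSetting requireSession 1, Require shibboleth) with no ShibRequestSetting applicationId line. After logging in, requesting /Shibboleth.sso/Session on the SP host shows whether a session was established, and shibd.log and native.log show what happened to the SAML response before the application was ever reached.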
