Redirect loop with shibboleth SP & apache

Peter Schober peter.schober at
Mon May 11 05:49:44 EDT 2015

* Enrique Pérez Arnaud <eperez at> [2015-05-11 11:30]:
> > What gave you the impression you'd have to set the SP's entityID to
> > "" specifically?
> > See
> We changed it to

I'd also drop the URI part that identifies the content handler for
mod_shib. It's a name, it doesn't need to resolve to anything, and
certainly not to a URL that returns HTTP 500 status (Internal Server

> > So I'd start by commenting out the application override in your
> > shibboleth2.xml and commenting out the applicationId parameter in your
> > httpd conf. Then try again, and this time also check your Shib logs
> > (including native.log).
> If we do that, when, after logging in to the IdP, the browser is
> redirected to our app (that requires shibboleth authn), we get a 404
> response with body:
> {"error": {"message": "Could not find Identity Provider:
>", "code": 404, "title": "Not
> Found"}}

1. Doing "that" (i.e., not using an application override with a
nonsensical duplicate entityID) is the normal way of running the
software. Everyone does it that way. If you're experiencing issues
with "that", the workaround is not to apply bogus config changes that
mask any actual underlying errors.

2. I don't know what that JSON is or where it comes from, but it's not
coming from the Shibboleth SP.
Note that the Shib SP does know your IDP, as it sends a SAML authn
request to the IDP when asked to (e.g. by accessing
/Shibboleth.sso/Login) which it couldn't if it "Could not find [the]
Identity Provider".

> I have all logs set to DEBUG, but after the 404 all I can see in the
> logs is:

The Shib SP does not issue an HTTP 404 when it's confronted with an
unknown entityID.

>         <!--MetadataProvider type="XML" file="idp_1-metadata.xml"/-->
>         <ApplicationOverride id="idp_1" entityID="">
>         </ApplicationOverride>
>     </ApplicationDefaults>

Note that the ApplicationOverride is still in your config.
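
A small check for the point made above, as an added example that is not part of the original message: it parses a shibboleth2.xml and reports every ApplicationOverride that is still active (not commented out), flagging an entityID that is empty or that duplicates the ApplicationDefaults value. The sample document, its default entityID and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by the Shibboleth SP 2.x configuration file.
NS = "{urn:mace:shibboleth:2.0:native:sp:config}"

# Constructed sample, modelled on the fragment quoted in the message;
# the default entityID is a placeholder, not a value from the thread.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <!--MetadataProvider type="XML" file="idp_1-metadata.xml"/-->
    <ApplicationOverride id="idp_1" entityID="">
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""


def audit_overrides(xml_text):
    """Return (override id, finding) pairs for active ApplicationOverride elements."""
    # The default parser drops XML comments, so commented-out elements
    # are invisible here and only the effective configuration is audited.
    root = ET.fromstring(xml_text)
    findings = []
    for defaults in root.iter(NS + "ApplicationDefaults"):
        default_id = defaults.get("entityID", "")
        for override in defaults.iter(NS + "ApplicationOverride"):
            oid = override.get("id", "?")
            entity_id = override.get("entityID")
            if entity_id is None:
                findings.append((oid, "override active, inherits default entityID"))
            elif entity_id.strip() == "":
                findings.append((oid, "override active with empty entityID"))
            elif entity_id == default_id:
                findings.append((oid, "override active, entityID duplicates the default"))
            else:
                findings.append((oid, "override active with its own entityID"))
    return findings


if __name__ == "__main__":
    for oid, finding in audit_overrides(SAMPLE):
        print(f"{oid}: {finding}")
```

An empty result means no ApplicationOverride is in effect, which is the state the reply asks for before retesting.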
