Redirect loop with shibboleth SP & apache

Enrique Pérez Arnaud eperez at emergya.com
Tue May 12 02:52:54 EDT 2015


Hi Peter,

Thank you for your help, it led us in the right direction. The unneeded
application override was, as you said, masking the real errors, and once we
removed it we got to deal with "understandable" errors in our application.

So, again, thanks a lot!

2015-05-11 11:49 GMT+02:00 Peter Schober <peter.schober at univie.ac.at>:

> * Enrique Pérez Arnaud <eperez at emergya.com> [2015-05-11 11:30]:
> > > What gave you the impression you'd have to set the SP's entityID to
> > > "https://ipnett-pre.emergya.es:5000/Shibboleth.sso" specifically?
> > > See https://wiki.shibboleth.net/confluence/display/CONCEPT/EntityNaming
> >
> >
> > We changed it to https://ipnett-pre.emergya.es/Shibboleth.sso
>
> I'd also drop the URI part that identifies the content handler for
> mod_shib. It's a name, it doesn't need to resolve to anything, and
> certainly not to a URL that returns HTTP 500 status (Internal Server
> Error).
>
> > > So I'd start by commenting out the application override in your
> > > shibboleth2.xml and commenting out the applicationId parameter in your
> > > httpd conf. Then try again, and this time also check your Shib logs
> > > (including native.log).
> >
> > If we do that, when, after logging in to the IdP, the browser is
> > redirected to our app (that requires shibboleth authn), we get a 404
> > response with body:
> >
> > {"error": {"message": "Could not find Identity Provider:
> > https://ipnett-idp.emergya.es/idp/shibboleth", "code": 404, "title": "Not Found"}}
>
> 1. Doing "that" (i.e., not using an application override with a
> nonsensical duplicate entityID) is the normal way of running the
> software. Everyone does it that way. If you're experiencing issues
> with "that", the workaround is not to apply bogus config changes that
> mask any actual underlying errors.
>
> 2. I don't know what that JSON is or where it comes from, but it's not
> coming from the Shibboleth SP.
> Note that the Shib SP does know your IDP, as it sends a SAML authn
> request to the IDP when asked to (e.g. by accessing
> /Shibboleth.sso/Login) which it couldn't if it "Could not find [the]
> Identity Provider".
>
> > I have all logs set to DEBUG, but after the 404 all I can see in the
> > logs is:
>
> The Shib SP does not issue an HTTP 404 when it's confronted with an
> unknown entityID.
>
> >         <!--MetadataProvider type="XML" file="idp_1-metadata.xml"/-->
> >
> >         <ApplicationOverride id="idp_1" entityID="https://ipnett-pre.emergya.es/Shibboleth.sso">
> >         </ApplicationOverride>
> >
> >     </ApplicationDefaults>
>
> Note that the ApplicationOverride is still in your config.
> -peter
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>



-- 
Enrique Pérez Arnaud
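As an added illustration (it is not part of Enrique's or Peter's messages, nor the Shibboleth project's shipped configuration), here is what the ApplicationDefaults section of shibboleth2.xml looks like once the override Peter objected to is gone: one entityID on ApplicationDefaults, the IdP named in the SSO element, and the IdP metadata provider left active so the SP can resolve that IdP. The hostnames and the IdP entityID are taken from the thread; the SP entityID value "https://ipnett-pre.emergya.es/shibboleth" (the handler path dropped, as Peter suggested), the session lifetimes and the attribute-map/key/cert file names are assumptions.

```xml
<!-- Added example, not from the thread. Values marked "assumed" are not
     taken from the messages above. -->
<ApplicationDefaults entityID="https://ipnett-pre.emergya.es/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">

    <!-- handlerURL is a real URL served by mod_shib's content handler;
         the entityID above is only a name and need not resolve. -->
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">

        <!-- The single IdP from the thread; its entityID must appear in
             metadata loaded by a MetadataProvider below. -->
        <SSO entityID="https://ipnett-idp.emergya.es/idp/shibboleth">
            SAML2
        </SSO>

        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
        <Handler type="Status" Location="/Status"/>
        <Handler type="Session" Location="/Session" showAttributes="false"/>
    </Sessions>

    <!-- Keep the IdP metadata provider active (the thread had it commented
         out); without it the SP has no way to locate the IdP endpoints. -->
    <MetadataProvider type="XML" file="idp_1-metadata.xml"/>

    <!-- Assumed default file names for the attribute map, policy and SP keys. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false"
                        path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

    <!-- Removed on purpose: an ApplicationOverride that only repeated the
         default entityID (and used the handler URL as that name). With no
         override, the matching "ShibRequestSetting applicationId idp_1"
         line in the Apache configuration has to be removed as well, or
         mod_shib will look for an application that no longer exists.

         <ApplicationOverride id="idp_1"
             entityID="https://ipnett-pre.emergya.es/Shibboleth.sso"/>
    -->
</ApplicationDefaults>
```

An override only earns its place when a second application genuinely needs different settings (another entityID, a different IdP, different session rules); one that merely copies the defaults changes nothing except adding a second name for the SP, and, as the thread shows, hides the errors that the plain configuration would have surfaced in shibd.log and native.log.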

