Shibboleth SP & Okta IdP Redirect Looping

Paul Carroll pcarroll at nfmail.net
Wed Aug 5 16:51:22 UTC 2020


I have gone through the FlowAndConfig section and then the Looping section.  I have taken a look at the cookies at each stage of the flow.  However, I am not exactly sure what I should be looking for in each cookie section.  I see that each cookie has the following properties set.

Path=/;Secure;HttpOnly;SameSite=None

Is there a specific cookie name that I should be looking for or does it depend on the IdP that is being used?

Thanks,
Paul

--- pcarroll at nfmail.net wrote:

From: "Paul Carroll" <pcarroll at nfmail.net>
To: "Shib Users" <users at shibboleth.net>
Cc: <users at shibboleth.net>
Subject: Re: Shibboleth SP & Okta IdP Redirect Looping
Date: Thu, 30 Jul 2020 06:53:15 -0700

OK, thanks Peter and Scott.  I looked at the page that describes debugging the looping but it was early on in the process.  I will take another look since I know more about it now.

Peter, I resubmitted my issue using text.  I thought I may have to resubmit.  Please disregard the resubmitted issue.

Thanks,
Paul

--- cantor.2 at osu.edu wrote:

From: "Cantor, Scott" <cantor.2 at osu.edu>
To: Shib Users <users at shibboleth.net>
Subject: Re: Shibboleth SP & Okta IdP Redirect Looping
Date: Thu, 30 Jul 2020 13:35:35 +0000

Assuming the shibd log records a session being created and then immediately invalidated or destroyed, the syslog/native log stream will likely log why it's rejecting the sessions immediately after establishment; IP address instability perhaps.

As for how to debug it if there's no apparent issue other than cookies going missing...

1. Learn how the SP works and uses cookies at all steps by observing working transactions and reading the documentation that describes all the steps. [1]
2. Trace to identify where the cookie(s) go missing.

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/CONCEPT/FlowsAndConfig


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
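
Step 2 of the debugging approach above (trace where the cookies go missing) can be scripted once the request and response headers of one loop iteration have been copied out of the browser's developer tools. This is an added example, not part of the original thread and not Shibboleth tooling; the hostnames and trace are constructed, and the cookie-name prefixes are an assumption based on the SP's default naming that should be checked against your own trace.

```python
from urllib.parse import urlsplit

# Assumption: default Shibboleth SP cookie-name prefixes; adjust to your trace.
SP_PREFIXES = ("_shibsession_", "_shibstate_", "_opensaml_req_")

ATTRS = "; Path=/; Secure; HttpOnly; SameSite=None"

# Constructed trace of one loop iteration:
# (request URL, request Cookie header, response Set-Cookie headers)
TRACE = [
    ("https://sp.example.org/secure/", "", []),
    ("https://idp.example.com/sso/saml", "other=1", []),
    ("https://sp.example.org/Shibboleth.sso/SAML2/POST", "",
     ["_shibsession_9f8e=_c0ffee" + ATTRS]),
    ("https://sp.example.org/secure/", "", []),  # session cookie not sent back
]


def find_missing(trace):
    """Return (hop, url, cookie name, hop that set it) for every SP cookie
    that was set for a host but is absent from a later request to that host.
    Simplification: matches on host only and ignores Path/Domain scoping."""
    jar = {}  # host -> {cookie name: index of the hop that set it}
    findings = []
    for i, (url, cookie_hdr, set_cookies) in enumerate(trace):
        host = urlsplit(url).hostname
        sent = {p.split("=", 1)[0].strip()
                for p in cookie_hdr.split(";") if p.strip()}
        for name, set_at in jar.get(host, {}).items():
            if name not in sent:
                findings.append((i, url, name, set_at))
        for sc in set_cookies:
            name, _, value = sc.split(";", 1)[0].strip().partition("=")
            if not name.startswith(SP_PREFIXES):
                continue
            if value:
                jar.setdefault(host, {})[name] = i
            else:
                # An empty value is treated as the server clearing the cookie.
                jar.get(host, {}).pop(name, None)
    return findings


if __name__ == "__main__":
    for hop, url, name, set_at in find_missing(TRACE):
        print(f"hop {hop}: {url} did not send {name} (set at hop {set_at})")
```

A finding on the hop right after the assertion consumer POST means the browser dropped or never stored the session cookie, which is the point to compare against the cookie attributes and the shibd log.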

