Shibboleth SP & Okta IdP Redirect Looping

Paul Carroll pcarroll at nfmail.net
Wed Aug 5 20:16:04 UTC 2020


I made a change to the httpd-ssl.conf.  I modified <Location> so that the protected resource is now /secure.  It was the root (/) but the IdP redirects to the root and I read in the Looping troubleshooting that the resource cannot be the same as the target.  Once I made that change, the looping stopped.  However, I now receive a 403.

<Location />
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

TO:

<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

I am not seeing anything in any of the logs that would indicate a network issue or an IP address issue.

After I log in to the IdP and am redirected back to the target, there is nothing written to Shibboleth in Event Viewer.  There is nothing written to shibd.log either.  The only log where I see updated information after the IdP login is the Apache log.  It does not appear that a session is being created or the Shibboleth SP is being contacted.  I added the section of the Apache log that is produced once I log in to the IdP and am redirected back to my application.

[ssl:info] [pid 4080:tid 1232] [client myIP:53057] AH01964: Connection to child 60 established (server myserver.mycompany.com:443)
[ssl:debug] [pid 4080:tid 1232] ssl_engine_kernel.c(2351): [client myIP:53057] AH02043: SSL virtual host for servername myserver.mycompany.com found
[core:debug] [pid 4080:tid 1232] protocol.c(2313): [client myIP:53057] AH03155: select protocol from , choices=h2,http/1.1 for server myserver.mycompany.com
[ssl:debug] [pid 4080:tid 1232] ssl_engine_io.c(1368): (70014)End of file found: [client myIP:53057] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[ssl:info] [pid 4080:tid 1232] [client myIP:53057] AH01998: Connection closed to child 60 with abortive shutdown (server myserver.mycompany.com:443)
[ssl:info] [pid 4080:tid 1232] [client myIP:53061] AH01964: Connection to child 60 established (server myserver.mycompany.com:443)
[ssl:debug] [pid 4080:tid 1232] ssl_engine_kernel.c(2351): [client myIP:53061] AH02043: SSL virtual host for servername myserver.mycompany.com found
[core:debug] [pid 4080:tid 1232] protocol.c(2313): [client myIP:53061] AH03155: select protocol from , choices=h2,http/1.1 for server myserver.mycompany.com
[ssl:debug] [pid 4080:tid 1232] ssl_engine_io.c(1368): (70014)End of file found: [client myIP:53061] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[ssl:info] [pid 4080:tid 1232] [client myIP:53061] AH01998: Connection closed to child 60 with abortive shutdown (server myserver.mycompany.com:443)
[ssl:info] [pid 4080:tid 1232] [client myIP:53062] AH01964: Connection to child 60 established (server myserver.mycompany.com:443)
[ssl:debug] [pid 4080:tid 1232] ssl_engine_kernel.c(2351): [client myIP:53062] AH02043: SSL virtual host for servername myserver.mycompany.com found
[core:debug] [pid 4080:tid 1232] protocol.c(2313): [client myIP:53062] AH03155: select protocol from , choices=h2,http/1.1 for server myserver.mycompany.com
[ssl:debug] [pid 4080:tid 1232] ssl_engine_kernel.c(2231): [client myIP:53062] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[ssl:debug] [pid 4080:tid 1232] ssl_engine_kernel.c(376): [client myIP:53062] AH02034: Initial (No.1) HTTPS request received for child 60 (server myserver.mycompany.com:443)
[mod_shib:debug] [pid 4080:tid 1232] mod_shib.cpp(369): [client myIP:53062] get_request_config created per-request structure
[mod_shib:debug] [pid 4080:tid 1232] mod_shib.cpp(1613): [client myIP:53062] shib_base_check_authz found uninitialized request object
[authz_core:debug] [pid 4080:tid 1232] mod_authz_core.c(815): [client myIP:53062] AH01626: authorization result of Require shib-session : denied (no authenticated user yet)
[authz_core:debug] [pid 4080:tid 1232] mod_authz_core.c(815): [client myIP:53062] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[mod_shib:debug] [pid 4080:tid 1232] mod_shib.cpp(783): [client myIP:53062] shib_check_user entered in pid (4080)
[ssl:debug] [pid 4080:tid 1232] ssl_engine_io.c(1102): [client myIP:53062] AH02001: Connection closed to child 60 with standard shutdown (server myserver.mycompany.com:443)
[ssl:info] [pid 4080:tid 1232] [client myIP:53064] AH01964: Connection to child 60 established (server myserver.mycompany.com:443)
[ssl:debug] [pid 4080:tid 1232] ssl_engine_kernel.c(2351): [client myIP:53064] AH02043: SSL virtual host for servername myserver.mycompany.com found
[core:debug] [pid 4080:tid 1232] protocol.c(2313): [client myIP:53064] AH03155: select protocol from , choices=h2,http/1.1 for server myserver.mycompany.com
[ssl:debug] [pid 4080:tid 1232] ssl_engine_kernel.c(2231): [client myIP:53064] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[ssl:debug] [pid 4080:tid 1232] ssl_engine_kernel.c(376): [client myIP:53064] AH02034: Initial (No.1) HTTPS request received for child 60 (server myserver.mycompany.com:443), referer: https://mycompany.okta.com/app/mycompany_mayapp_1/identifier/sso/saml?SAMLRequest=SAMLRequestID&RelayState=RelayStateID&fromLoginToken=fromLoginTokenID
[mod_shib:debug] [pid 4080:tid 1232] mod_shib.cpp(369): [client myIP:53064] get_request_config created per-request structure, referer: https://mycompany.okta.com/app/mycompany_mayapp_1/identifier/sso/saml?SAMLRequest=SAMLRequestID&RelayState=RelayStateID&fromLoginToken=fromLoginTokenID
[authz_core:debug] [pid 4080:tid 1232] mod_authz_core.c(815): [client myIP:53064] AH01626: authorization result of Require all denied: denied, referer: https://mycompany.okta.com/app/mycompany_mayapp_1/identifier/sso/saml?SAMLRequest=SAMLRequestID&RelayState=RelayStateID&fromLoginToken=fromLoginTokenID
[authz_core:debug] [pid 4080:tid 1232] mod_authz_core.c(815): [client myIP:53064] AH01626: authorization result of <RequireAny>: denied, referer: https://mycompany.okta.com/app/mycompany_mayapp_1/identifier/sso/saml?SAMLRequest=SAMLRequestID&RelayState=RelayStateID&fromLoginToken=fromLoginTokenID
[authz_core:error] [pid 4080:tid 1232] [client myIP:53064] AH01630: client denied by server configuration: F:/Apache24/htdocs/, referer: https://mycompany.okta.com/app/mycompany_mayapp_1/identifier/sso/saml?SAMLRequest=SAMLRequestID&RelayState=RelayStateID&fromLoginToken=fromLoginTokenID

Thanks


--- cantor.2 at osu.edu wrote:

From: "Cantor, Scott" <cantor.2 at osu.edu>
To: Shib Users <users at shibboleth.net>
Subject: Re: Shibboleth SP & Okta IdP Redirect Looping
Date: Wed, 5 Aug 2020 17:20:35 +0000

On 8/5/20, 12:52 PM, "users on behalf of Paul Carroll" <users-bounces at shibboleth.net on behalf of pcarroll at nfmail.net> wrote:

>    Is there a specific cookie name that I should be looking for or does it depend on the IdP that is being used?

No, the SP cookies have nothing to do with the IdP. Loops don't depend on the IdP, they're a client/SP issue.

You have to compare traces to identify working vs. non-working payloads generally at the final resource access step, and this is assuming the native module half of the logs don't just tell you outright what it doesn't like, such as an address mismatch. The cookies might be fine and the network and SP settings are at fault.

-- Scott
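As an added example (not code from either post, nor from the Shibboleth or Apache projects), the following Python script does the trace comparison Scott describes on error_log lines in the exact format quoted above: it groups lines by client ip:port (one TLS connection each), records whether the handshake completed (AH02041) or was interrupted (AH02007), collects every authz_core verdict (AH01626) and any hard "client denied by server configuration" (AH01630), and reports which Require directive produced the 403 at the final resource-access step. The sample log is a trimmed copy of the excerpt in the first post; the function names, the per-connection summary layout, and the redaction of the referer query string (it carries SAMLRequest and RelayState values, so a report should only list the parameter names) are my own choices, not anything the thread specifies. Lines without a [client ...] tag are skipped.

```python
"""Summarise Apache error_log lines per client connection so the final
resource-access step (the authz verdict) can be compared across traces."""
import re
from collections import OrderedDict
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a trimmed copy of the error_log excerpt quoted in the post
# above (three of its connections), with the client IP already replaced by "myIP".
SAMPLE_LOG = """\
[ssl:info] [pid 4080:tid 1232] [client myIP:53057] AH01964: Connection to child 60 established (server myserver.mycompany.com:443)
[ssl:debug] [pid 4080:tid 1232] ssl_engine_io.c(1368): (70014)End of file found: [client myIP:53057] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[ssl:info] [pid 4080:tid 1232] [client myIP:53057] AH01998: Connection closed to child 60 with abortive shutdown (server myserver.mycompany.com:443)
[ssl:debug] [pid 4080:tid 1232] ssl_engine_kernel.c(2231): [client myIP:53062] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[mod_shib:debug] [pid 4080:tid 1232] mod_shib.cpp(1613): [client myIP:53062] shib_base_check_authz found uninitialized request object
[authz_core:debug] [pid 4080:tid 1232] mod_authz_core.c(815): [client myIP:53062] AH01626: authorization result of Require shib-session : denied (no authenticated user yet)
[authz_core:debug] [pid 4080:tid 1232] mod_authz_core.c(815): [client myIP:53062] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[mod_shib:debug] [pid 4080:tid 1232] mod_shib.cpp(783): [client myIP:53062] shib_check_user entered in pid (4080)
[ssl:debug] [pid 4080:tid 1232] ssl_engine_kernel.c(2231): [client myIP:53064] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[mod_shib:debug] [pid 4080:tid 1232] mod_shib.cpp(369): [client myIP:53064] get_request_config created per-request structure, referer: https://mycompany.okta.com/app/mycompany_mayapp_1/identifier/sso/saml?SAMLRequest=SAMLRequestID&RelayState=RelayStateID&fromLoginToken=fromLoginTokenID
[authz_core:debug] [pid 4080:tid 1232] mod_authz_core.c(815): [client myIP:53064] AH01626: authorization result of Require all denied: denied, referer: https://mycompany.okta.com/app/mycompany_mayapp_1/identifier/sso/saml?SAMLRequest=SAMLRequestID&RelayState=RelayStateID&fromLoginToken=fromLoginTokenID
[authz_core:debug] [pid 4080:tid 1232] mod_authz_core.c(815): [client myIP:53064] AH01626: authorization result of <RequireAny>: denied, referer: https://mycompany.okta.com/app/mycompany_mayapp_1/identifier/sso/saml?SAMLRequest=SAMLRequestID&RelayState=RelayStateID&fromLoginToken=fromLoginTokenID
[authz_core:error] [pid 4080:tid 1232] [client myIP:53064] AH01630: client denied by server configuration: F:/Apache24/htdocs/, referer: https://mycompany.okta.com/app/mycompany_mayapp_1/identifier/sso/saml?SAMLRequest=SAMLRequestID&RelayState=RelayStateID&fromLoginToken=fromLoginTokenID
"""

# [module:level] [pid N:tid N] <optional source-file prefix> [client ip:port] message
LINE_RE = re.compile(
    r"^\[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?P<prefix>.*?)\[client (?P<client>[^\]]+)\] (?P<message>.*)$"
)
REFERER_RE = re.compile(r", referer: (?P<referer>\S+)$")
AH_RE = re.compile(r"^(?P<code>AH\d{5}): (?P<text>.*)$")
AUTHZ_RE = re.compile(r"^authorization result of (?P<directive>.+?)\s*:\s*(?P<result>.+)$")
DENIED_RE = re.compile(r"^client denied by server configuration: (?P<path>.+)$")


def redact_referer(url):
    """Keep scheme/host/path and only the *names* of query parameters, so the
    report can be shared without leaking SAMLRequest / RelayState values."""
    parts = urlsplit(url)
    return {"url": f"{parts.scheme}://{parts.netloc}{parts.path}",
            "query_params": sorted(parse_qs(parts.query).keys())}


def parse_line(line):
    """Return a dict for one error_log line, or None if it carries no [client] tag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    msg = ev.pop("message")
    ref = REFERER_RE.search(msg)
    ev["referer"] = redact_referer(ref.group("referer")) if ref else None
    if ref:
        msg = msg[:ref.start()]          # drop the referer suffix before code parsing
    ah = AH_RE.match(msg)
    ev["code"] = ah.group("code") if ah else None
    ev["text"] = ah.group("text") if ah else msg
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events):
    """Group events by client ip:port (one TLS connection each) and pull out the
    handshake outcome, every authz verdict, and any hard 403 from authz_core."""
    conns = OrderedDict()
    for ev in events:
        c = conns.setdefault(ev["client"], {
            "tls": None, "mod_shib_lines": 0, "authz": [], "denied_path": None, "referer": None})
        if ev["code"] == "AH02041":
            c["tls"] = "completed"
        elif ev["code"] == "AH02007":
            c["tls"] = "interrupted"
        if ev["module"] == "mod_shib":
            c["mod_shib_lines"] += 1      # did the SP module see this request at all?
        if ev["code"] == "AH01626":
            m = AUTHZ_RE.match(ev["text"])
            if m:
                c["authz"].append((m.group("directive"), m.group("result")))
        if ev["code"] == "AH01630":
            m = DENIED_RE.match(ev["text"])
            if m:
                c["denied_path"] = m.group("path")
        if ev["referer"] and not c["referer"]:
            c["referer"] = ev["referer"]
    return conns


def final_denials(conns):
    """Connections that ended in a hard 403 (AH01630), with the first concrete
    (non-container) Require directive whose verdict was 'denied'."""
    out = []
    for client, c in conns.items():
        if c["denied_path"] is not None:
            directive = next((d for d, r in c["authz"]
                              if r.startswith("denied") and not d.startswith("<")), None)
            out.append((client, directive, c["denied_path"], c["referer"]))
    return out


if __name__ == "__main__":
    conns = summarize(parse_log(SAMPLE_LOG))
    for client, c in conns.items():
        print(client, "tls=%s mod_shib=%d authz=%s" % (c["tls"], c["mod_shib_lines"], c["authz"]))
    for client, directive, path, ref in final_denials(conns):
        print(f"403 on {client}: {directive!r} applied to {path}; referer {ref}")
```

Run it against a working and a non-working capture and diff the two summaries: a connection whose handshake was interrupted never reaches an authz decision, while a connection that reaches AH01630 shows exactly which Require directive refused it and on which filesystem path, which is the comparison point Scott's reply asks for.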

