Shibboleth SP & Okta IdP Redirect Looping
cantor.2 at osu.edu
Wed Aug 5 20:31:39 UTC 2020
On 8/5/20, 4:16 PM, "users on behalf of Paul Carroll" <users-bounces at shibboleth.net on behalf of pcarroll at nfmail.net> wrote:
> I made a change to the httpd-ssl.conf. I modified <Location> so that the protected resource is now /secure. It was the
> root (/) but the IdP redirects to the root and I read in the Looping troubleshooting that the resource cannot be the same
> as the target. Once I made that change, the looping stopped. However, I now receive a 403.
You can protect whatever you want to protect, and resource and target are the same thing.
The system should detect requests to /Shibboleth.sso because it matches the "handlerURL" for the system, and handle those specially to prevent looping in the protect-all case, which is the only thing that might be relevant when protecting the whole site.
I'd be looking at /Shibboleth.sso/Session at this point. You should be able to access it, and it should say there's no session, and after the round trip it should say there is one. It won't, but I'd be curious what it does do. I'm kind of expecting a 404 at this point.
> There is nothing written to shibd.log either.
The looping I think was related to protecting the site while at the same time the system fundamentally being broken with regard to handlers running to handle the SAML POST and other functions. That's not in any way a normal thing for a vanilla install out of the box.
I'd guess something in the Apache config is stomping on the module handling /Shibboleth.sso virtual paths.
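The /Shibboleth.sso/Session check suggested in the reply above, written as a small probe. This is an added example, not part of the original message or of the Shibboleth project. The no-session wording, the finding labels and the sp.example.org host are assumptions.

```python
import sys
import urllib.error
import urllib.request

# Assumption: wording a default SP prints on the Session handler when no session exists.
NO_SESSION_MARKER = "A valid session was not found"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as errors instead of following them to the IdP."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify(status, body=""):
    """Map one response from <site>/Shibboleth.sso/Session to a finding."""
    if status == 404:
        return "handler-not-reached: Apache answered the path itself, SP module never handled it"
    if status in (401, 403):
        return "handler-blocked: an access rule is being applied to the handler path"
    if 300 <= status < 400:
        return "handler-redirected: handler path treated as protected content (loop risk)"
    if status == 200 and NO_SESSION_MARKER in body:
        return "handler-ok: no session"
    if status == 200:
        return "handler-ok-or-other: session present, or another handler produced this page"
    return "unexpected: HTTP %d" % status

def probe(base_url, cookie=None):
    """Request the Session handler once, optionally with the browser's SP cookie."""
    req = urllib.request.Request(base_url.rstrip("/") + "/Shibboleth.sso/Session")
    if cookie:
        req.add_header("Cookie", cookie)
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code)

# Constructed sample responses (not captured from the poster's server).
SAMPLES = [(200, "A valid session was not found."), (404, "Not Found"),
           (302, ""), (403, "Forbidden")]

if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: script.py https://sp.example.org [cookie]
        print(probe(*sys.argv[1:3]))
    else:
        for status, body in SAMPLES:
            print(status, "->", classify(status, body))
```

Run it once without a cookie and once with the cookie header copied from the browser after the round trip to the IdP; the two findings should differ if the handlers are working.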