Shibboleth SP & Okta IdP Redirect Looping

Cantor, Scott cantor.2 at
Wed Aug 5 20:31:39 UTC 2020

On 8/5/20, 4:16 PM, "users on behalf of Paul Carroll" <users-bounces at on behalf of pcarroll at> wrote:

>    I made a change to the httpd-ssl.conf.  I modified <Location> so that the protected resource is now /secure.  It was the
> root (/) but the IdP redirects to the root and I read in the Looping troubleshooting that the resource cannot be the same
> as the target.  Once I made that change, the looping stopped.  However, I know receive a 403.

You can protect whatever you want to protect, and resource and target are the same thing.

The system should detect requests to /Shibboleth.sso because it matches the "handlerURL" for the system, and handle those specially to prevent looping in the protect-all case, which is the only thing that might be relevant when protecting the whole site.

I'd be looking at /Shibboleth.sso/Session at this point. You should be able to access it, and it should say there's no session, and after the round trip it should say there is one. It won't, but I'd be curious what it does do. I'm kind of expecting a 404 at this point.

> There is nothing written to shibd.log either.

The looping I think was related to protecting the site while at the same time the system fundamentally being broken with regard to handlers running to handle the SAML POST and other functions. That's not in any way a normal thing for a vanilla install out of the box.

I'd guess something in the Apache config is stomping on the module handling /Shibboleth.sso virtual paths.

-- Scott

More information about the users mailing list