Shibboleth SP & Okta IdP Redirect Looping
Paul Carroll
pcarroll at nfmail.net
Wed Aug 5 22:32:42 UTC 2020
I am not seeing the POST to /Shibboleth.sso/SAML2/POST after I login through the IdP. I do not see it in the logs or SAML Tracer for Firefox. The /Shibboleth.sso/SAML2/POST is found as the AssertionConsumerServiceURL that appears to be the XML that is sent to the IdP when I attempt to initially access the protected resource.
<... AssertionConsumerServiceURL="https://myserver.mycompany.com/Shibboleth.sso/SAML2/POST" Destination="https://mycompany.okta.com/app/myApp/identifier/sso/saml" .../>
Is that seem correct for the AssertionConsumerServiceURL? Should it be the Destination? If that all seems correct, then could it be an issue with the IdP configuration not redirecting to the correct URL after login?
Thanks,
Paul
--- cantor.2 at osu.edu wrote:
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: Shib Users <users at shibboleth.net>
Subject: Re: Shibboleth SP & Okta IdP Redirect Looping
Date: Wed, 5 Aug 2020 20:38:51 +0000
Just in terms of tracing, the correct sequence of traced URLs would have to be:
GET protected path at SP
- IdP traffic
POST to /Shibboleth.sso/SAML2/POST
GET to original protected path
And if that were happening, loop or not, the transaction.log would be clearly showing a session created. And /Shibboleth.sso/Session should dump out that session.
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users
mailing list