Shibboleth SP & Okta IdP Redirect Looping

Paul Carroll pcarroll at
Wed Aug 5 22:32:42 UTC 2020

I am not seeing the POST to /Shibboleth.sso/SAML2/POST after I log in through the IdP.  I do not see it in the logs or SAML Tracer for Firefox.  The /Shibboleth.sso/SAML2/POST is found as the AssertionConsumerServiceURL that appears to be the XML that is sent to the IdP when I attempt to initially access the protected resource.

<... AssertionConsumerServiceURL="" Destination="" .../>

Does that seem correct for the AssertionConsumerServiceURL?  Should it be the Destination?  If that all seems correct, then could it be an issue with the IdP configuration not redirecting to the correct URL after login?


--- cantor.2 at wrote:

From: "Cantor, Scott" <cantor.2 at>
To: Shib Users <users at>
Subject: Re: Shibboleth SP & Okta IdP Redirect Looping
Date: Wed, 5 Aug 2020 20:38:51 +0000

Just in terms of tracing, the correct sequence of traced URLs would have to be:

GET protected path at SP
- IdP traffic
POST to /Shibboleth.sso/SAML2/POST
GET to original protected path

And if that were happening, loop or not, the transaction.log would be clearly showing a session created. And /Shibboleth.sso/Session should dump out that session.

-- Scott
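
Added example, not part of the original thread: a small checker that walks a list of traced requests (for instance, copied out of SAML Tracer) and reports the first step of the sequence above that never occurs, along with how many times the protected path was requested. The host names, protected path and both sample traces are constructed placeholders.

```python
from urllib.parse import urlsplit

ACS_PATH = "/Shibboleth.sso/SAML2/POST"  # handler path quoted in the thread

# The four steps of the expected sequence, in order.
STEPS = [
    "GET protected path at SP",
    "IdP traffic",
    "POST to " + ACS_PATH,
    "GET to original protected path",
]

def classify(method, url, sp_host, protected_path):
    """Map one traced request to a kind: 0 = GET protected path,
    1 = IdP traffic, 2 = POST to the ACS, None = irrelevant."""
    parts = urlsplit(url)
    if parts.hostname != sp_host:
        return 1  # assumption: anything off the SP host is IdP traffic
    if method == "POST" and parts.path == ACS_PATH:
        return 2
    if method == "GET" and parts.path == protected_path:
        return 0
    return None

def check_trace(trace, sp_host, protected_path):
    """Return (first missing step or None, count of GETs to the protected path)."""
    expected_kind = [0, 1, 2, 0]  # kind that completes each step of STEPS
    reached = 0                   # number of steps seen so far, in order
    protected_gets = 0
    for method, url in trace:
        kind = classify(method, url, sp_host, protected_path)
        if kind == 0:
            protected_gets += 1
        if reached < 4 and kind == expected_kind[reached]:
            reached += 1
    return (STEPS[reached] if reached < 4 else None), protected_gets

# Constructed sample traces (hosts and paths are placeholders).
SP, PATH = "sp.example.org", "/secure/"
LOOPING_TRACE = [
    ("GET", "https://sp.example.org/secure/"),
    ("GET", "https://idp.example.com/sso/saml?SAMLRequest=..."),
    ("POST", "https://idp.example.com/login"),
    ("GET", "https://sp.example.org/secure/"),
    ("GET", "https://idp.example.com/sso/saml?SAMLRequest=..."),
]
GOOD_TRACE = LOOPING_TRACE[:3] + [
    ("POST", "https://sp.example.org" + ACS_PATH),
    ("GET", "https://sp.example.org/secure/"),
]

if __name__ == "__main__":
    print(check_trace(LOOPING_TRACE, SP, PATH))
    print(check_trace(GOOD_TRACE, SP, PATH))
```

A missing "POST to /Shibboleth.sso/SAML2/POST" combined with repeated GETs to the protected path matches the symptom described in this thread: the browser returns to the SP without ever delivering the response to the assertion consumer endpoint.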
