Shibboleth SP & Okta IdP Redirect Looping

[Cantor, Scott]

On 8/5/20, 7:56 PM, "users on behalf of Paul Carroll" <users-bounces at shibboleth.net on behalf of pcarroll at nfmail.net> wrote:

>    A 302 response is produced but it redirects back to the IdP.  No redirect to Shibboleth.sso/SAML/POST occurs.

The ACS URL in the SAML request was correct. You need to get a trace of the SAML response the IdP generates and the form it produces in the browser. Turn Javascript off to prevent the autosubmit. Check the action in the form via view source. See where it points to.

>    I always receive a "A valid session was not found." when I browse to Shibboleth.sso/Session.

I was expecting the SP was broken so I didn't think the handlers worked and thought your problem was the SP. Now I'm thinking the issue is the IdP after all, if your description is accurate. The SP seems to be perfectly fine.

The looping seems to have been a fallout of the IdP mis-directing the response to the site root, which was protected, triggering a request back to the IdP and so on. Now that it's not protected, you get sent to the root, and whatever happens there is whatever happens I guess.

The IdP needs to produce a form sending the browser to /Shibboleth.sso/SAML2/POST when the transfer back occurs.

If that's not what it did, something's pretty wrong with it and that's your problem.

-- Scott