Shibboleth SP & Okta IdP Redirect Looping

Koren, Meshna (ELS-AMS) M.Koren at
Thu Aug 6 09:10:51 UTC 2020

I don't know if this is relevant to your problem, Paul, because you don't mention WAYFless URL... but we had the same problem with Okta IdPs (that by default generate an IdP initiated session link based on metadata) to our SP (which only supports SP initiated session). Each attempt would go into a loop (and expire).

The solution to the problem was this:
* make sure 'the new app' in Okta uses a 'default' link
* go to 'applications'
* search for 'bookmark app'
* create a 'new bookmark app'
    o the URL of this app is WAYFless URL
* both apps need to be active
* Okta users need to be assigned to both apps
* only the 'bookmark app' should be visible to them


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Thursday, August 6, 2020 03:01
To: Shib Users <users at>
Subject: Re: Shibboleth SP & Okta IdP Redirect Looping


On 8/5/20, 8:27 PM, "users on behalf of Paul Carroll" <users-bounces at on behalf of pcarroll at> wrote:

>  So I think that confirms the issue lies with the IdP.  I will log an issue with Okta.

More likely whoever set it up. Obviously people use Okta, it's not *this* broken. I'm sure it doesn't use metadata properly to check endpoints but it should be responding where it's asked to, or refuse to. It must have an "ignore request, use URL" mode and somebody fed it a bogus URL.

-- Scott
