Shibboleth SP & Okta IdP Redirect Looping
Koren, Meshna (ELS-AMS)
M.Koren at elsevier.com
Thu Aug 6 09:10:51 UTC 2020
I don't know if this is relevant to your problem, Paul, because you don't mention WAYFless URL... but we had the same problem with Okta IdPs (that by default generate an IdP initiated session link based on metadata) to our SP (which only supports SP initiated session). Each attempt would go into a loop (and expire).
The solution to the problem was this:
* make sure 'the new app' in Okta uses a 'default' link
* go to 'applications'
* search for 'bookmark app'
* create a 'new bookmark app'
  o the URL of this app is WAYFless URL
* both apps need to be active
* Okta users need to be assigned to both apps
* only the 'bookmark app' should be visible to them
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Thursday, August 6, 2020 03:01
To: Shib Users <users at shibboleth.net>
Subject: Re: Shibboleth SP & Okta IdP Redirect Looping
On 8/5/20, 8:27 PM, "users on behalf of Paul Carroll" <users-bounces at shibboleth.net on behalf of pcarroll at nfmail.net> wrote:
> So I think that confirms the issue lies with the IdP. I will log an issue with Okta.
More likely whoever set it up. Obviously people use Okta, it's not *this* broken. I'm sure it doesn't use metadata properly to check endpoints but it should be responding where it's asked to, or refuse to. It must have an "ignore request, use URL" mode and somebody fed it a bogus URL.