Shibboleth SP & Okta IdP Redirect Looping

Paul Carroll pcarroll at nfmail.net
Thu Aug 6 18:57:30 UTC 2020


Thanks for the suggestion Meshna.

I asked the Okta admin to set the Single Sign On URL to https://myServer.myCompany.com/Shibboleth.sso/SAML2/POST and it started working as expected.

Thanks,
Paul

--- M.Koren at elsevier.com wrote:

From: "Koren, Meshna (ELS-AMS)" <M.Koren at elsevier.com>
To: Shib Users <users at shibboleth.net>
Subject: RE: Shibboleth SP & Okta IdP Redirect Looping
Date: Thu, 6 Aug 2020 09:10:51 +0000

I don't know if this is relevant to your problem, Paul, because you don't mention WAYFless URL... but we had the same problem with Okta IdPs (that by default generate an IdP initiated session link based on metadata) to our SP (which only supports SP initiated session). Each attempt would go into a loop (and expire).

The solution to the problem was this:
* make sure 'the new app' in Okta uses a 'default' link
* go to 'applications'
* search for 'bookmark app'
* create a 'new bookmark app'
  o the URL of this app is WAYFless URL
* both apps need to be active
* Okta users need to be assigned to both apps
* only the 'bookmark app' should be visible to them


Cheers,
Meshna


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Thursday, August 6, 2020 03:01
To: Shib Users <users at shibboleth.net>
Subject: Re: Shibboleth SP & Okta IdP Redirect Looping


On 8/5/20, 8:27 PM, "users on behalf of Paul Carroll" <users-bounces at shibboleth.net on behalf of pcarroll at nfmail.net> wrote:

>  So I think that confirms the issue lies with the IdP.  I will log an issue with Okta.

More likely whoever set it up. Obviously people use Okta, it's not *this* broken. I'm sure it doesn't use metadata properly to check endpoints but it should be responding where it's asked to, or refuse to. It must have an "ignore request, use URL" mode and somebody fed it a bogus URL.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
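
Added example, not part of the thread and not Shibboleth or Okta code: a check that the Single Sign On URL entered on the IdP side is an HTTP-POST AssertionConsumerService endpoint in the SP's metadata, which is the setting the fix at the top of this thread changed. The metadata document, its entityID and the function names are constructed for illustration, and the check assumes the IdP delivers its response with the HTTP-POST binding.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata; the entityID is a placeholder, the host is the thread's.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://myServer.myCompany.com/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myServer.myCompany.com/Shibboleth.sso/SAML2/POST"/>
    <AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://myServer.myCompany.com/Shibboleth.sso/SAML2/Artifact"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def normalize(url):
    """Lower-case scheme and host, drop a default port; the path is compared exactly."""
    u = urlsplit(url.strip())
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    default = {"https": 443, "http": 80}.get(scheme)
    port = "" if u.port in (None, default) else f":{u.port}"
    return f"{scheme}://{host}{port}{u.path}"

def acs_endpoints(metadata_xml):
    """Return {normalized Location: Binding} for every ACS element in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {normalize(e.get("Location")): e.get("Binding")
            for e in root.iter(f"{{{MD}}}AssertionConsumerService")}

def check_sso_url(configured, metadata_xml):
    """Classify the URL configured at the IdP against the SP's ACS endpoints."""
    endpoints = acs_endpoints(metadata_xml)
    binding = endpoints.get(normalize(configured))
    if binding is None:
        return "mismatch: not an ACS endpoint in SP metadata"
    if binding != POST:
        return "mismatch: endpoint exists but is not HTTP-POST"
    return "ok"
```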
