PIV login issues
cantor.2 at osu.edu
Thu Jun 3 15:15:09 UTC 2021
On 6/3/21, 11:05 AM, "users on behalf of Matthews, Lee (NIH/NIDDK) [E] via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> The site gets stuck at https://sitename.fqdn.xxx/Shibboleth.sso/SAML2/POST
It's probably stuck running some hung application URL that it sent you to after that and your browser is lying. And the PIV card isn't relevant, the IdP itself doesn't matter. You're at the SP at that point. Just trace it and if there's a final 302 to something, then you know what's hung.
> I see these entries in the shibd.log:
Those could be probes or attacks or anything, I couldn't say. I doubt they're related, I don't know how they would be. A failed redirect like that throws an error back to the browser.
> This does not happen all the time. I am guessing I have to add something with the redirectlimit, but I am not
> quite sure of the correct syntax.
The host it redirects to after a login will exactly match the host used in the SAML response endpoint delivery step, which is why the redirect enforcement is generally "exact". That's just inherent because of the cookies; it won't even work if you start mixing hosts mid-login, and it will often just start looping.
Adding anything else is relevant for deployments that allow logout requests to use return/target values living on other servers.
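As an added illustration (not code from the Shibboleth SP), the Python below models how a redirectLimit policy of exact, host, allow, or a combination such as exact+allow judges a post-login target against the URL that received the SAML response, and why a target on another host arrives without the session cookie. The function names, the URL values and the host-only cookie model are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumed model of the SP-style redirect limit: policy names mirror the
# documented redirectLimit values, the evaluation logic is this example's own.
def redirect_allowed(target: str, response_url: str, policy: str = "exact",
                     allow: tuple = ()) -> bool:
    t, r = urlsplit(target), urlsplit(response_url)
    if not t.scheme and not t.netloc:
        return True                       # relative target stays on this host
    if t.scheme not in ("http", "https"):
        return False                      # only web URLs are ever followed
    checks = {
        "none":  lambda: True,
        # exact: scheme and host:port must match the SAML POST endpoint
        "exact": lambda: (t.scheme, t.netloc.lower()) == (r.scheme, r.netloc.lower()),
        # host: same hostname, any scheme or port
        "host":  lambda: (t.hostname or "").lower() == (r.hostname or "").lower(),
        # allow: target begins with one of the configured URL prefixes
        "allow": lambda: any(target.startswith(prefix) for prefix in allow),
    }
    parts = policy.split("+")
    unknown = [p for p in parts if p not in checks]
    if unknown:
        raise ValueError(f"unknown redirect policy: {unknown}")
    return any(checks[p]() for p in parts)

def session_cookie_will_be_sent(cookie_host: str, target: str) -> bool:
    """Host-only session cookie set by cookie_host is presented only to that
    exact host, so a login that finishes elsewhere has no session (and loops)."""
    target_host = urlsplit(target).hostname or cookie_host
    return target_host.lower() == cookie_host.lower()

def evaluate(target: str, response_url: str, policy: str = "exact",
             allow: tuple = ()) -> tuple:
    """Return (redirect permitted, session cookie reaches the target)."""
    sp_host = urlsplit(response_url).hostname
    return (redirect_allowed(target, response_url, policy, allow),
            session_cookie_will_be_sent(sp_host, target))
```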