PIV login issues

Jason Pyeron jpyeron at pdinc.us
Thu Jun 3 23:33:07 UTC 2021


> -----Original Message-----
> From: Cantor, Scott
> Sent: Thursday, June 3, 2021 11:15 AM
> Subject: Re: PIV login issues
>
> On 6/3/21, 11:05 AM, "users on behalf of Matthews, Lee (NIH/NIDDK) [E] via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
>
> >    The site gets stuck at https://sitename.fqdn.xxx/Shibboleth.sso/SAML2/POST
>
> It's probably stuck running some hung application URL that it sent you to after that and your browser
> is lying. And the PIV card isn't relevant, the IdP itself doesn't matter. You're at the SP at that
> point. Just trace it and if there's a final 302 to something, then you know what's hung.

You can have the user enable the development tools in modern browsers, then save all as HAR. This will allow you to debug it more easily after the fact.

I concur that this is not related to PIV, CAC, or any TLS mutual authentication issues.

>
> >    I see these entries in the shibd.log:
>
> Those could be probes or attacks or anything, I couldn't say. I doubt they're related, I don't know
> how they would be. A failed redirect like that throws an error back to the browser.
>
> >    This does not happen all the time. I am guessing I have to add something with the redirectlimit, but I am not quite sure of the correct syntax.
>
> The host it redirects to after a login will exactly match the host used in the SAML response endpoint
> delivery step which is why the redirect enforcement is generally "exact". That's just inherent because
> of the cookies, it won't even work if you start mixing hosts mid-login and it will often just start
> looping.
>
> Adding anything else is relevant for deployments that allow logout requests to use return/target
> values living on other servers.
>

--
Jason Pyeron  | Architect
PD Inc        |
10 w 24th St  | Certified 8(a)
Baltimore, MD | Certified HUBZone

.mil: jason.j.pyeron.ctr at mail.mil
.com: jpyeron at pdinc.us
tel : 202-741-9397
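
The trace suggested in this thread, run over a saved HAR file, as an added example that is not part of the original messages: it follows the redirects from the POST to /Shibboleth.sso/SAML2/POST and reports the last hop. The host sp.example.org, the /app/ paths and the sample capture are constructed, and treating status 0 as "no response recorded" is an assumption about how the browser exported the capture.

```python
import json
import sys
from pathlib import Path
from urllib.parse import urljoin, urlsplit

ACS_PATH = "/Shibboleth.sso/SAML2/POST"  # SP endpoint named in the thread

def trace_after_acs(har):
    """Return [(method, url, status), ...] for the redirect chain that starts
    at the POST to the SP's assertion consumer endpoint."""
    entries = har["log"]["entries"]
    i = next((n for n, e in enumerate(entries)
              if e["request"]["method"] == "POST"
              and urlsplit(e["request"]["url"]).path == ACS_PATH), None)
    chain = []
    while i is not None:
        req, resp = entries[i]["request"], entries[i]["response"]
        chain.append((req["method"], req["url"], resp["status"]))
        nxt = None
        if 300 <= resp["status"] < 400 and resp.get("redirectURL"):
            target = urljoin(req["url"], resp["redirectURL"])
            # Only look forward in the capture, so the walk always terminates.
            nxt = next((n for n in range(i + 1, len(entries))
                        if entries[n]["request"]["url"] == target), None)
        i = nxt
    return chain

def summarize(chain):
    """Describe the last hop; status 0 is assumed to mean no response recorded."""
    if not chain:
        return None
    _, url, status = chain[-1]
    return {"last_url": url, "last_status": status, "hung": status == 0,
            "hosts": sorted({urlsplit(u).hostname for _, u, _ in chain})}

def _entry(method, url, status, redirect=""):
    return {"request": {"method": method, "url": url},
            "response": {"status": status, "redirectURL": redirect}}

# Constructed sample capture (hypothetical host and application paths).
SAMPLE_HAR = {"log": {"entries": [
    _entry("GET", "https://sp.example.org/favicon.ico", 200),
    _entry("POST", "https://sp.example.org" + ACS_PATH, 302, "/app/start"),
    _entry("GET", "https://sp.example.org/app/start", 302, "/app/home"),
    _entry("GET", "https://sp.example.org/app/home", 0),
]}}

if __name__ == "__main__":
    har = json.loads(Path(sys.argv[1]).read_text("utf-8-sig")) if len(sys.argv) > 1 else SAMPLE_HAR
    print(summarize(trace_after_acs(har)))
```

More than one name in "hosts" means the capture changed hosts between the response delivery step and the final page, which is the cookie problem described in the quoted reply.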


