By: Franz Noel Tanglao user 28 Oct 2016 at 1:28 p.m. CDT

5 Responses
We're trying to configure SAML 2.0 using our Service Provider (SP), and GLUU IDP. The SP communicates successfully with GLUU Server using SAML 2.0. We were able to successfully generate a `Shibboleth.sso\Metadata` and `Shibboleth.sso\DiscoFeed`.

After logging in using this link:

http://c-app01.contoso.com/Shibboleth.sso/Login?entityId=http://gluu-srv.contoso.com/idp/shibboleth&target=https://c-app01.contoso.com/secure/

We can view the following data:

https://c-app01.contoso.com/Shibboleth.sso/Session

So, we are able to log in successfully in the GLUU server. However, after the successful login, the browser seems to **loop** in:

https://gluu-srv.contoso.com/idp/profile/SAML2/Redirect/SSO

Also, we created a new relationship in the GLUU server, where we expect to have an auto-generated `attribute-map.xml`, `idp-metadata.xml`, `shibboleth2.xml`, and `sp-metadata.xml`, but the download fails to send these files (the relationship already set up in GLUU is able to give these files, though).

Is there anything that we need to do in our application to view the secured page? Is the `target` correct? What other configurations are we missing?

By Mohib Zico staff 28 Oct 2016 at 1:39 p.m. CDT

It happens when there are configuration differences between http and httpS within IDP and SP.

>> http://gluu-srv.contoso.com/idp/profile/SAML2/Redirect/SSO

If this is your Gluu Server... always install and configure Gluu Server with httpS. [This](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLooping) doc will help you, I believe.

By Franz Noel Tanglao user 28 Oct 2016 at 1:52 p.m. CDT

Sorry about that. I meant to say. Just a typo, but I recently changed it:

https://gluu-srv.contoso.com/idp/profile/SAML2/Redirect/SSO

HTTPS is configured in the GLUU server. But, do you mean the SSL? Let me check, though, and verify some other settings.

By Mohib Zico staff 28 Oct 2016 at 1:58 p.m. CDT

>> But, do you mean the SSL?

Yes. Also make sure if there is any misconfiguration there inside SP. The provided Shibboleth link is about NativeSPLooping. And...

>> http://c-app01.contoso.com/Shibboleth.sso/Login?entityId=http://gluu-srv.contoso.com/idp/shibboleth&target=https://c-app01.contoso.com/secure/

I can see 'http' is being used for your Gluu Server as well in here.

By Franz Noel Tanglao user 28 Oct 2016 at 2:21 p.m. CDT

I've edited:

https://c-app01.contoso.com/Shibboleth.sso/Login?entityId=https://gluu-srv.contoso.com/idp/shibboleth&target=https://c-app01.contoso.com/secure/

Giving more information in my HTTP setting, here's how I configured Apache:

```
<Location /Shibboleth.sso>
    SetHandler shib
    AuthType None
    Require all granted
</Location>

<Location /secure>
    AuthType shibboleth
    ShibRequestSetting applicationId c-app01-id
    ShibRequestSetting requireSession 1
    Require shib-session
    Require valid-user
    Require shibboleth
</Location>
```

If we are going to remove `ShibRequestSetting applicationId`, the `/secure` folder works fine, but when we apply it, it keeps looping. Why does `ShibRequestSetting applicationId`, set in Shibboleth SP, make GLUU IDP loop?

By Franz Noel Tanglao user 28 Oct 2016 at 6:03 p.m. CDT

I think I got it now after reading these documents:

- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationModel
- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride
- https://wiki.shibboleth.net/confluence/display/CONCEPT/FlowsAndConfig

When using multiple applications, you will need to configure ApplicationOverride, and the minimum setting for ApplicationOverride needs to be set. A VirtualHost needs to be configured in Apache when using ApplicationOverride.

The reason why I got loops (wherein the browser seems to be hanging) is because the IDP and SP keep on communicating back and forth trying to give me the cookies as session information. However, since my settings were not configured with ApplicationOverride, the cookies given were not always compatible... resulting in a loop.

I need to remove `applicationId` in the Apache configuration. My application is only configured for a single application without the use of `VirtualHost`. Other than setting the `VirtualHost`, I may also configure `RequestMap` in `shibboleth2.xml`, which can be set for folders within the domain.
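
A check for the mismatch this thread ends on, as an added example that is not part of the thread or of Shibboleth's or Gluu's tooling: it compares every `ShibRequestSetting applicationId` in an Apache config against the application ids that `shibboleth2.xml` defines (`default` plus each `ApplicationOverride`). The sample configs, the SP entityID `https://c-app01.contoso.com/shibboleth` and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
NS = "{urn:mace:shibboleth:2.0:native:sp:config}"

# Constructed sample: the /secure block from the thread (abridged).
APACHE_CONF = """
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting applicationId c-app01-id
  ShibRequestSetting requireSession 1
</Location>
"""
# Constructed, abridged shibboleth2.xml that defines only the default application.
SHIB_DEFAULT_ONLY = """
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://c-app01.contoso.com/shibboleth">
  </ApplicationDefaults>
</SPConfig>
"""
# Same file with an override whose id matches the one Apache references.
SHIB_WITH_OVERRIDE = SHIB_DEFAULT_ONLY.replace(
    "</ApplicationDefaults>",
    '  <ApplicationOverride id="c-app01-id"/>\n  </ApplicationDefaults>')

def apache_application_ids(conf):
    """Map each <Location> path to the applicationId it requests, if any."""
    found, location = {}, None
    for line in conf.splitlines():
        line = line.strip()
        opened = re.match(r"<Location\s+([^>\s]+)\s*>", line, re.I)
        setting = re.match(r"ShibRequestSetting\s+applicationId\s+(\S+)", line, re.I)
        if opened:
            location = opened.group(1)
        elif line.lower().startswith("</location"):
            location = None
        elif setting:
            found[location or "(server scope)"] = setting.group(1)
    return found

def defined_application_ids(shib_xml):
    """Ids the SP knows: 'default' plus every <ApplicationOverride id=...>."""
    root = ET.fromstring(shib_xml.strip())
    return {"default"} | {o.get("id") for o in root.iter(NS + "ApplicationOverride")}

def undefined_application_ids(conf, shib_xml):
    """(path, id) pairs Apache requests that shibboleth2.xml never defines."""
    known = defined_application_ids(shib_xml)
    return sorted((p, i) for p, i in apache_application_ids(conf).items() if i not in known)
```

An empty result means every id Apache requests is defined; a non-empty one points at the `<Location>` to fix, either by removing `applicationId` or by adding the matching `ApplicationOverride`.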