...

Problems with redirect generation most frequently occur in accessing the SP's protocol handlers (e.g. https://gotham.supervillain.edu/Shibboleth.sso/SAML/POST) and in the final redirect back to the requested resource. Broken redirects most frequently manifest as 404 errors or redirect looping (or sometimes simply as attempts to access a server over the wrong port). Rather than trying to address each of these in detail, it's more useful to discuss how these redirects are created and what must be properly configured.

...

  • UseCanonicalName must be enabled. This forces Apache to return the hostname in its full and proper form rather than whatever variation the user entered. Failing to do so can result in inaccurate redirects, and even in exposure of resources if not every possible hostname variant is accounted for in the RequestMap (this depends a lot on how session requirements are expressed).
  • The external DNS hostname of the web server must be properly stated in a ServerName directive, either in the main configuration or in the proper virtual host. This could be the hostname of a web proxy that is handling the actual requests from users.
  • External port numbers are pulled from the VirtualHost definition in Apache 2.0 and from the Port directive in Apache 1.3. This is the port users must access, and not necessarily the port the virtual host is actually listening on.
  • The correct URL scheme (http or https) is set based on whether SSL is active on the incoming request. If this isn't accurate, you cannot rely on the web server to properly generate redirects, and it must be supplemented by Shibboleth configuration; this will not correct redirects generated elsewhere in the environment. You can use the ShibURLScheme https Apache directive to override the value determined from the request if all external access is handled with SSL through an offloading device.
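The following virtual host puts the four points above together for the hardest common case, a backend Apache 2.x listening on plain HTTP behind an SSL-offloading proxy. It is an added example, not configuration taken from the Shibboleth wiki or the SP distribution; the hostname is the one used earlier on this page, and the listening port 8080 and the /secure location are placeholders. It goes slightly beyond the list in one respect: the external port is stated on ServerName itself (Apache uses that port for self-referential URLs when UseCanonicalName is on), which is how the canonical port is made to differ from the port the virtual host actually listens on.

```apache
# Added example (not from the Shibboleth wiki). Apache 2.x behind an SSL-offloading
# proxy: clients reach https://gotham.supervillain.edu/ on 443, the proxy forwards
# plain HTTP to this backend on 8080 (placeholder port).

# Build self-referential URLs from ServerName, not from the Host header the
# client happened to send (e.g. a short name or an internal alias).
UseCanonicalName On

<VirtualHost *:8080>
    # External name and port users actually connect to (the proxy's public
    # hostname), not the backend's internal name or its listening port.
    ServerName gotham.supervillain.edu:443

    # Every external request was HTTPS at the proxy, but this backend sees
    # plain HTTP, so Apache would otherwise emit http:// redirects. Tell the
    # SP module to generate https:// URLs for its handlers and return URLs.
    ShibURLScheme https

    # Placeholder protected area; session requirement expressed in Apache terms.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
```

To check the result, request the protected URL through the proxy without a session and inspect the Location header of the response: it should point at https://gotham.supervillain.edu/Shibboleth.sso/... with no internal hostname, no :8080, and no http:// scheme. A Location header carrying any of those three is the fingerprint of the misconfigurations the list describes.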

...