The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

RedirectLooping

Owned by Scott Cantor
Last updated: Feb 19, 2007Version comment
2 min read

Redirect looping is a phenomenon that primarily occurs in the browser redirect back to the SP from the IdP posting the initial assertion. If session state stored in the form of a cookie is inaccessible to the server, the server has no idea that this request corresponds to a previously established session and will attempt to trigger another Shibboleth session initiation. Because all the other boxes in the flow have successfully cached login/WAYF information, the process will loop indefinitely without user intervention.

Some reasons session state may be failing to be accessed and potential fixes, in descending order of likelihood:

  • The wrong URL is being used at some point. Frequently this occurs due to not configuring Apache's ServerName (which in Apache 2.0 must also include the port), or the UseCanonicalNames directive being Off , the default in some distributions. Beyond ensuring all configuration looks right, tracking this down further is difficult. Check the URL's passed in the query string of the initial redirect from the SP to the WAYF/IdP (http://www.wayfsRus.com/WAYF?shire=blah&target=bloog). In some cases, the authentication mechanism has broken these URLs.
  • The path in the cookieProps setting of this Application for the SP has been misconfigured. This path must be / , or the browser will refuse to return it to the protocol handler, causing either looping or a redirect to homeURL .
  • Application mapping may be misconfigured in such a way that causes cookies to be improperly set or recognized.
  • Load balancing on the IdP or SP could be implemented wrong, causing some state information to be lost. Make sure that your LoadBalancedIdP setup is properly configured.

When all else fails, consult shibboleth-users@internet2.edu.