Redirect looping primarily occurs when the browser is redirected back to the SP after the IdP posts the initial assertion. If session state stored in the form of a cookie is inaccessible to the server, the server has no idea that this request corresponds to a previously established session and will attempt to trigger another Shibboleth session initiation. Because all the other boxes in the flow have successfully cached login/WAYF information, the process will loop indefinitely without user intervention.
Reasons the session state may be inaccessible, with potential fixes, in descending order of likelihood:
- The wrong URL is being used at some point. Frequently this occurs due to not configuring Apache's ServerName (which in Apache 2.0 must also include the port), or the Off, the default in some distributions. Beyond ensuring all configuration looks right, tracking this down further is difficult. Check the URLs passed in the query string of the initial redirect from the SP to the WAYF/IdP (http://www.wayfsRus.com/WAYF?shire=blah&target=bloog). In some cases, the authentication mechanism has broken these URLs.
- The path in the cookieProps setting of this Application for the SP has been misconfigured. This path must be /, or the browser will refuse to return it to the protocol handler, causing either looping or a redirect to
- Load balancing on the IdP or SP could be implemented incorrectly, causing some state information to be lost. Make sure that your LoadBalancedIdP setup is properly configured.
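
The first two checks above can be scripted against values copied from a browser trace. The following is an added example, not part of Shibboleth or of the original page: it compares the shire and target URLs in the SP's initial redirect with the URL the browser actually used, and flags a session cookie whose path is not /. The host sp.example.org, the cookie name sp_session and the function names are constructed for illustration, and target is assumed to be a URL on the SP.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))

def check_redirect(redirect_url, browser_url):
    """Compare shire/target in the SP's redirect to the WAYF/IdP with the URL
    the browser used to reach the SP. A mismatch in scheme, host or port
    points at the "wrong URL" cause (for example a bad ServerName)."""
    params = parse_qs(urlsplit(redirect_url).query)  # values are URL-decoded
    expected = origin(browser_url)
    problems = []
    for name in ("shire", "target"):
        values = params.get(name)
        if not values:
            problems.append(f"{name}: missing from redirect")
        elif origin(values[0]) != expected:
            problems.append(f"{name}: {values[0]} does not match {browser_url}")
    return problems

def check_cookie_path(set_cookie_header):
    """Return names of cookies in one Set-Cookie value whose path is not "/".
    A cookie with no path attribute is also flagged, because the browser
    then scopes it to the directory of the URL that set it."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return [name for name, morsel in jar.items() if morsel["path"] != "/"]

if __name__ == "__main__":
    # Constructed sample values, in the shape a browser trace would show them.
    redirect = ("http://www.wayfsRus.com/WAYF"
                "?shire=https%3A%2F%2Fsp.example.org%2Fhandler"
                "&target=http%3A%2F%2Fsp.example.org%3A8080%2Fsecure%2F")
    for problem in check_redirect(redirect, "https://sp.example.org/secure/"):
        print("URL mismatch ->", problem)
    for name in check_cookie_path("sp_session=_abc123; path=/secure"):
        print("cookie path is not / ->", name)
```
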
When all else fails, consult firstname.lastname@example.org.