2

When adding a new app to access SAML, I am facing this issue.

SSOService.php:1 GET https://saml.testing.net/www/saml2/idp/SSOService.php?spentityid=newapp&cookieTime=1459920375

net::ERR_TOO_MANY_REDIRECTS

Locally I don't face any issue, but when I copy the code to the staging servers, it shows ERR_TOO_MANY_REDIRECTS errors, keeps redirecting, and is not able to display the SAML login page. The staging servers are behind load balancers; would this have caused the error?

Thanks.

Update:

$config = array(
    'baseurlpath'       => 'https://saml.testing.net/',
    'certdir'           => '/etc/test/sslcerts/',
    'tempdir'           => '/tmp',
    'datadir'           => 'data/',
    'auth.adminpassword'        => '1234567',
    'admin.protectindexpage'    => TRUE,
    'admin.protectmetadata'     => TRUE,
    'secretsalt'        => 'xxxxxxxxx',
    'timezone'          => NULL,

    // logging related options
    'loggingdir'        => '/var/log/simplesamlphp/',
    'logging.level'     => LOG_WARNING,
    'logging.logfile'   => 'simplesaml_' . date("Ymd") . '.log',
    'debug'             => true,
    'showerrors'        => true,
    'logging.handler'   => 'file',
    'logging.facility'  => LOG_USER,
    'logging.processname'   => 'simplesaml',
    'debug.validatexml' => FALSE,

    // enabled roles
    'enable.saml20-idp' => TRUE,
    'enable.shib13-idp' => FALSE,
    'enable.adfs-idp'   => FALSE,
    'enable.wsfed-sp'   => FALSE,
    'enable.authmemcookie'  => TRUE,

    // session and cookie options (the original file listed 'session.duration'
    // and 'session.cookie.lifetime' twice with the same values; PHP keeps the last
    // occurrence of a duplicate key, so the duplicates are dropped here)
    'session.duration'          => 2*(60*60),
    'session.requestcache'      => 4*(60*60),
    'session.cookie.lifetime'   => 0,
    'session.cookie.path'       => '/',
    'session.phpsession.cookiename' => 'SimpleSAMLSessionID',
    'session.cookie.name'       => 'SimpleSAMLSessionID',
    'session.cookie.domain'     => NULL,
    'session.cookie.secure'     => FALSE,
    'session.datastore.timeout' => 4*(60*60),
    'session.state.timeout'     => (60*60),
    'session.phpsession.savepath'   => NULL,
    'session.phpsession.httponly'   => FALSE,
    'session.disable_fallback'  => FALSE,
    'session.authtoken.cookiename'  => 'SimpleSAMLAuthToken',
    'session.rememberme.enable' => FALSE,
    'session.rememberme.checked'    => FALSE,
    'session.rememberme.lifetime'   => 1209600, // 14 days
    'enable.http_post'      => FALSE,

    // language and theme ('attributes.extradictionary' was listed twice; 'theme.use'
    // was first set to 'oldtheme:abcdef' and later overridden by the value below)
    'language.available'        => array('en'),
    'language.default'          => 'en',
    'attributes.extradictionary'    => NULL,
    'theme.use'                 => "newtheme:multitheme",

    'default-wsfed-idp'     => 'urn:federation:pingfederate:localhost',
    'idpdisco.enableremember'   => TRUE,
    'idpdisco.rememberchecked'  => TRUE,
    'idpdisco.validate'     => TRUE,
    'idpdisco.extDiscoveryStorage'  => NULL,
    'idpdisco.layout'       => 'dropdown',
    'shib13.signresponse'   => TRUE,

    // authentication processing filters (index 99 was listed twice with the same filter)
    'authproc.idp'      => array(
        10 => "frogauth:LogHandler",
        30 => 'core:LanguageAdaptor',
        45 => array('class' => 'core:StatisticsWithAttribute', 'attributename' => 'realm', 'type' => 'saml20-idp-SSO'),
        50 => 'core:AttributeLimit',
        99 => 'core:LanguageAdaptor',
        100 => "newauth:ToLogin",
        101 => "newauth:VerifyLogin",
    ),
    'authproc.sp'       => array(
        99 => 'core:LanguageAdaptor',
    ),

    'metadata.sources' => array(
        array('type' => 'flatfile'),
    ),

    // session storage: one memcache server group with a single server
    'store.type'    => 'memcache',
    'memcache_store.servers' => array(
        array(
            array('hostname' => '10.11.11.11'),
        ),
    ),
    'memcache_store.expires' => 36 * (60*60),

    'metadata.sign.enable'      => FALSE,
    'metadata.sign.privatekey'  => NULL,
    'metadata.sign.privatekey_pass' => NULL,
    'metadata.sign.certificate' => NULL,
    'proxy'         => null,
    'xframe_options' => array('enable' => TRUE, 'trusted_sites' => array()),
);

saml20-sp-remote.php

$metadata['newapp'] = array(
    'AssertionConsumerService'      => 'https://www.newapp.com/mobile/saml',
    'SingleLogoutService'           => 'https://www.newapp.com/mobile/logout',
    'Theme'         => 'mobile',
);
Jack
  • Without checking the code no one can solve it. – Divyesh Savaliya Apr 06 '16 at 05:51
  • Check for header function calls and use exit(); after each header function call. It may be the reason. – Niklesh Raut Apr 06 '16 at 05:54
  • It would be easier to help if you could include the configs you have on the staging servers, the redirect URL that is set, etc. Otherwise, my best guess is that one of the redirects is set incorrectly, resulting in an infinite loop. – Boon Apr 06 '16 at 05:58

6 Answers

8

In my case the SameSite=None cookie attribute was the culprit. SameSite=None cookies must be used along with the secure attribute!


Solution:

'session.cookie.secure' => true // config.php

If your service is running behind a reverse proxy and is not running over https you additionally need to define the URL schema:

'baseurlpath' => 'https://my.url.com/<path_to_simple_saml>' // indicating the https schema (config.php)
Pythtotic
  • This was working for me after setting up to use https. I've found most SAML IdP and/or middleware do not work (or work well enough) if you don't use https. And really if you're using SAML, it only makes sense to use https. – Harlin Apr 21 '21 at 13:53
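The two conditions in the answer above (a SameSite=None cookie without Secure, and a Secure cookie on a site the PHP process sees as plain http) can both be checked before the browser starts looping. The PHP below is an added example and is not code from the question, the answers or SimpleSAMLphp: one function inspects a raw Set-Cookie header captured from the staging server (for instance with curl -I), the other inspects a config.php-style array. The keys 'baseurlpath' and 'session.cookie.secure' appear in the question; 'session.cookie.samesite' is assumed to exist as in newer SimpleSAMLphp releases. The sample inputs are constructed; PHP 7.1 or later is assumed.

```php
<?php
// Added example (not from the question, the answers or SimpleSAMLphp):
// detect cookie settings that a current browser will reject or never send back.

/** Parse one Set-Cookie header value into its attributes (attribute names lowercased). */
function parseSetCookie(string $header): array
{
    $parts = array_filter(array_map('trim', explode(';', $header)), 'strlen');
    $pair  = array_shift($parts);                                  // "name=value"
    [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
    $attrs = ['name' => $name, 'value' => $value];
    foreach ($parts as $part) {
        [$k, $v] = array_pad(explode('=', $part, 2), 2, true);     // flag attrs become true
        $attrs[strtolower($k)] = $v;
    }
    return $attrs;
}

/** Reasons the browser would drop this cookie or not return it on the next request. */
function cookieProblems(string $header, bool $siteIsHttps): array
{
    $c        = parseSetCookie($header);
    $secure   = array_key_exists('secure', $c);
    $sameSite = strtolower((string) ($c['samesite'] ?? 'lax'));   // browsers default to Lax
    $problems = [];
    if ($sameSite === 'none' && !$secure) {
        $problems[] = 'SameSite=None without Secure: the browser rejects the cookie outright';
    }
    if ($secure && !$siteIsHttps) {
        $problems[] = 'Secure cookie set over plain http: the browser refuses to store it';
    }
    return $problems;
}

/** The same two conditions, read from a SimpleSAMLphp-style config array before deployment. */
function configProblems(array $config): array
{
    $secure   = (bool) ($config['session.cookie.secure'] ?? false);
    $sameSite = strtolower((string) ($config['session.cookie.samesite'] ?? ''));   // assumed key
    $base     = (string) ($config['baseurlpath'] ?? '');
    $problems = [];
    if ($sameSite === 'none' && !$secure) {
        $problems[] = 'session.cookie.samesite=None needs session.cookie.secure=true';
    }
    if ($secure && stripos($base, 'https://') !== 0) {
        // Behind a TLS-terminating proxy PHP sees plain http, so a relative or http
        // baseurlpath yields http:// redirect URLs on which the Secure cookie is never sent.
        $problems[] = "session.cookie.secure=true but baseurlpath '$base' is not an absolute https:// URL";
    }
    return $problems;
}

// Constructed sample inputs: the question's settings plus an assumed SameSite=None.
$staging = [
    'baseurlpath'             => 'https://saml.testing.net/',
    'session.cookie.secure'   => false,
    'session.cookie.samesite' => 'None',
];
$headerBroken = 'SimpleSAMLSessionID=abc123; Path=/; HttpOnly; SameSite=None';
$headerFixed  = 'SimpleSAMLSessionID=abc123; Path=/; HttpOnly; SameSite=None; Secure';

print_r(configProblems($staging));               // one finding: samesite/secure mismatch
print_r(cookieProblems($headerBroken, true));    // one finding: rejected by the browser
print_r(cookieProblems($headerFixed, true));     // empty array: cookie is kept and sent back
```

Running cookieProblems() against the header the staging server actually emits is the quicker test, because it also catches a reverse proxy or load balancer that rewrites or strips cookie attributes on the way out.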
2

I've just run into a similar redirect issue. SimpleSAMLPHP would load fine but when trying to login as an admin it would go into an infinite loop loading the loginuserpass.php and as_login.php pages (redirected initially from /module.php/core/login-admin.php?ReturnTo=XXX).

After a lot of debugging I found that the problem was actually Varnish caching which was stopping the session state from being loaded. This happened no matter what session storage was selected (phpsession, memcache or sql).

Disabling varnish caching on the SimpleSAMLPHP paths fixed the issue for me.

Hope this helps anyone else with this issue.

1

If it helps at all, whenever this occurs in our setup it is because something has gone wrong with the cookies.

The user is not being seen as logged in at the service because the cookies aren't set correctly. Therefore they are redirected to the idp at which point they are shown as logged in and redirected back to the service; and repeat.

Basically your service thinks they aren't logged in, saml thinks they are; and they both keep passing the buck!

HebeleHododo
mattl
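The "passing the buck" loop described above can be modelled in a few lines. The PHP below is an added example, not code from the answer or from SimpleSAMLphp: a browser-side cookie jar applies the two storage rules that matter here (SameSite=None requires Secure; a Secure cookie is only stored and sent over https), the IdP is modelled as already holding a session, and a hop counter plays the part of the browser's redirect limit. All hostnames, cookie names and values are made up; PHP 7.4 or later is assumed.

```php
<?php
// Added example (not from the answer or SimpleSAMLphp): simulate the SP <-> IdP
// redirect loop that results when the SP's session cookie is never stored.

final class CookieJar
{
    private array $store = [];

    /** Store a cookie the way a current browser would; returns false when it is rejected. */
    public function set(string $host, string $name, string $value, bool $secure, string $sameSite, bool $overHttps): bool
    {
        if (strcasecmp($sameSite, 'None') === 0 && !$secure) { return false; }  // SameSite=None needs Secure
        if ($secure && !$overHttps)                             { return false; }  // Secure needs https
        $this->store[$host][$name] = ['value' => $value, 'secure' => $secure];
        return true;
    }

    /** Return the cookie value that would accompany a request, or null if none would be sent. */
    public function get(string $host, string $name, bool $overHttps): ?string
    {
        $c = $this->store[$host][$name] ?? null;
        if ($c === null || ($c['secure'] && !$overHttps)) { return null; }
        return $c['value'];
    }
}

/**
 * Walk SP -> IdP -> SP until the SP sees its own session cookie or the hop
 * limit is reached. The IdP answers every visit with an immediate redirect back,
 * because it already has a session for the user.
 */
function simulateLogin(bool $spHttps, bool $cookieSecure, string $sameSite, int $maxHops = 20): array
{
    $jar   = new CookieJar();
    $trace = [];
    $at    = 'sp';
    for ($hop = 1; $hop <= $maxHops; $hop++) {
        if ($at === 'sp') {
            if ($jar->get('sp.example', 'SimpleSAMLSessionID', $spHttps) !== null) {
                $trace[] = "$hop SP: session cookie present, page served";
                return ['result' => 'ok', 'hops' => $hop, 'trace' => $trace];
            }
            $trace[] = "$hop SP: no session cookie, 302 to IdP";
            $at = 'idp';
        } else {
            // The IdP redirects to the SP's assertion consumer, which tries to set the SP cookie.
            $stored = $jar->set('sp.example', 'SimpleSAMLSessionID', 'sess-1', $cookieSecure, $sameSite, $spHttps);
            $trace[] = "$hop IdP: user already authenticated, 302 to SP (cookie " . ($stored ? 'stored' : 'rejected') . ')';
            $at = 'sp';
        }
    }
    return ['result' => 'ERR_TOO_MANY_REDIRECTS', 'hops' => $maxHops, 'trace' => $trace];
}

// SameSite=None without Secure: the SP cookie is rejected on every pass,
// so the SP keeps sending the user to the IdP and the IdP keeps sending them back.
print_r(simulateLogin(true, false, 'None'));   // result: ERR_TOO_MANY_REDIRECTS
// Secure cookie over https: the SP sees its cookie on the second visit.
print_r(simulateLogin(true, true, 'None'));    // result: ok after 3 hops
```

The trace is the useful part when reading real server logs: a healthy login shows the SP path, the IdP path and the SP path once; a loop shows the same pair repeating with the SP never recording a session cookie on the inbound request.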
1

And here is still another possible solution to try (worked for me after searching for hours, and after correcting the 'session.phpsession.savepath'): Go into the Firefox developer tools (or the browser of your choice) and in the "web storage" remove all cookies.

BurninLeo
0

Close the connection when the page content ends.

Michał Perłakowski
0

In my case the culprit was a git/merge error in the session.phpsession.savepath ... fixing it solved the redirect issue

'session.phpsession.savepath' => "/path/to"
Stefan Michev