Redirect loop between the idp and sp when accessing a private file with Drupal


portal....@gmail.com

Jun 11, 2018, 11:20:37 AM
to SimpleSAMLphp
Hi,

Someone might be able to provide assistance with this issue.  

We are using simplesamlphp, Drupal 7 and the Drupal simplesamlphp authentication module.  Our website is hosted externally and we are using a 3rd party identity provider.  The simplesamlphp library was configured by our hosting provider and our 3rd party identity provider.   This is all up and running correctly.

The issue we have is when authenticating by directly accessing a private file on our website, a redirect loop occurs between the IDP and SP after the user authenticates. (Our IDP then blacklists the IP address of the user as it appears it is a DoS attack)

For example, https://www.ourdomain.com/system/files/iss/doc/lego-city-pdf-document.pdf is an example of the type of file being directly accessed.  We would have numerous private files (docs, pdf, xls) similar to this on our website which require authentication before accessing them. 

I attached a screenshot of the SAML trace of an example where the redirect loop occurs.  (I have removed the domain)

Strangely, if I change the filename extension from pdf to pdfx or make up a file extension name, the user is able to authenticate correctly and no redirect loop occurs between the IDP and SP eg. https://www.ourdomain.com/system/files/iss/doc/lego-city-pdf-document.pdfx 

(I attached a screenshot SAML trace of when this works)

I am not really sure where the problem actually resides with this, could it be the simplesamlphp library or within the Drupal simplesamlphp authentication module that is causing the loop to occur?

Any help greatly appreciated.

Thanks in advance.

Ed.

PS. I have come across other posts relating to redirect loops and varnish cache which our hosting provider uses, but our hosting provider has added a NO_CACHE cookie in the configuration to bypass the varnish cache.  I can see this cookie being set.
No-Looping-SAML-trace-working.jpg
Looping-SAML-trace-not-working.jpg

Peter Schober

Jun 11, 2018, 11:49:01 AM
to SimpleSAMLphp
* portal....@gmail.com <portal....@gmail.com> [2018-06-11 17:20]:
> The issue we have is when authenticating by directly accessing a private
> file on our website, a redirect loop occurs between the IDP and SP after
> the user authenticates.

To debug this you'd need to look at the HTTP Request and Response
Headers closely. Esp. look for Set-Cookie Response Headers that don't
have their content returned in subsequent Cookie Request Headers to
the same resource.

The IDP session likely has nothing to do with this, since you seem to
have established an SSO session with the IDP successfully
(otherwise you wouldn't be looping but would have to authenticate each
time at the IDP), so it's the SP you're worried about.

I have no idea how Drupal handles the case of protecting static files.
But that's often a special case needing special handling.

-peter
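
The header comparison Peter describes, as an added worked example (not code from the thread or from SimpleSAMLphp): walk a browser trace in request order, remember every cookie a response set, and report any cookie that is in scope for a later request but absent from that request's Cookie header. The cookie names, URLs and trace below are constructed for illustration; SimpleSAMLphp's real cookie names and paths come from its config.php, not from this script.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_cookie_header(value):
    """Split a request 'Cookie:' header into {name: value}."""
    jar = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            jar[name.strip()] = val.strip()
    return jar


def cookie_applies(origin_url, attrs, request_url):
    """Simplified RFC 6265 scoping: would a cookie set by the response to
    origin_url (with these Domain/Path/Secure attributes) be sent with a
    request to request_url?"""
    origin, req = urlsplit(origin_url), urlsplit(request_url)
    domain = (attrs.get("domain") or origin.hostname).lstrip(".").lower()
    host = (req.hostname or "").lower()
    if host != domain and not host.endswith("." + domain):
        return False
    path = attrs.get("path") or "/"
    if not req.path.startswith(path):
        return False
    if attrs.get("secure") and req.scheme != "https":
        return False
    return True


def find_dropped_cookies(exchanges):
    """Report (cookie name, URL that set it, URL that did not send it) for
    every cookie that was set, is in scope for a later request, but is
    missing from that request.  Each exchange is a dict with 'url',
    'request_cookies' (raw Cookie header) and 'set_cookie' (list of raw
    Set-Cookie headers), in the order the browser made them."""
    expected = {}   # cookie name -> (origin url, Morsel with attributes)
    findings = []
    for ex in exchanges:
        sent = parse_cookie_header(ex.get("request_cookies", ""))
        for name, (origin, attrs) in expected.items():
            if cookie_applies(origin, attrs, ex["url"]) and name not in sent:
                findings.append((name, origin, ex["url"]))
        for header in ex.get("set_cookie", []):
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                expected[name] = (ex["url"], morsel)
    return findings


# Constructed trace (hypothetical hostnames and cookie names): the file
# request, the POST back to the SP's assertion consumer, and the retry of
# the file request after login.  Only one in-scope cookie goes missing.
FILE_URL = "https://sp.example.org/system/files/doc/report.pdf"
ACS_URL = "https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"

SAMPLE_TRACE = [
    {"url": FILE_URL, "request_cookies": "",
     "set_cookie": ["SimpleSAMLSessionID=s1; Path=/; Secure; HttpOnly"]},
    {"url": ACS_URL, "request_cookies": "SimpleSAMLSessionID=s1",
     "set_cookie": ["SimpleSAMLAuthToken=t1; Path=/; Secure; HttpOnly",
                    "NO_CACHE=1; Path=/",
                    "sp_tmp=x; Path=/simplesaml"]},   # out of scope for /system/files, not a finding
    {"url": FILE_URL, "request_cookies": "SimpleSAMLSessionID=s1; NO_CACHE=1",
     "set_cookie": []},
]

if __name__ == "__main__":
    for name, origin, url in find_dropped_cookies(SAMPLE_TRACE):
        print(f"cookie {name!r} set by {origin} was not sent to {url}")
```

A real trace can be exported from the browser's network panel (HAR) and mapped onto the three keys above; a cookie reported here points at a path, domain or Secure mismatch, or at a proxy between browser and SP stripping it, which is the class of problem that turns a successful IdP login into a loop at the SP.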

Portal Developer

Jun 14, 2018, 7:13:50 AM
to SimpleSAMLphp
Ok, thanks Peter.  I will have a look at that.

Ed.

jaydee...@gmail.com

Jul 31, 2018, 7:28:15 PM
to SimpleSAMLphp
Hi Ed,

Have you got the solution for this issue? I have the same issue.
You can see my setup from below link:

Thanks
Jaydeep

Peter Schober

Aug 1, 2018, 5:30:14 AM
to SimpleSAMLphp
* jaydee...@gmail.com <jaydee...@gmail.com> [2018-08-01 01:28]:
> Have you got the solution for this issue. I have same issue.
> You can see my setup from below link:
> https://stackoverflow.com/questions/51588230/simplesamlphp-infinite-redirection

You will also find the answer there: Each vhost must have
SimpleSAMLphp available and configured (see below for details).
And the IDP must have metadata (or at least ACS URLs) for each SP.

You can make all protected resources one SAML SP, with one entityID
and using the same key pair.
That makes sense if they're all actually on the same "physical"
system, in which case the SP metadata the IDP has needs to have
protocol endpoints (AssertionConsumerService elements) for each vhost.
(Note that you cannot have multiple SingleLogoutService elements with
the same Binding, so SAML Logout cannot work in such a setup.)

Or you can make each protected resource into a separate logical SP,
giving each a separate entityID (and possibly its own key pair; some
prominent but broken SAML implementations cannot deal with the same key
being used across several different entityIDs).

You can use one install of SimpleSAMLphp to handle either of those
cases.

It may be easier to have a separate installation for the IDP, in the
beginning, but YMMV.

-peter
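
To check the single-SP variant Peter describes (one entityID, one AssertionConsumerService per vhost, and the SingleLogoutService Binding limitation), here is an added metadata audit; it is example code, not part of the thread or of SimpleSAMLphp. It parses an SP EntityDescriptor and reports which of your vhosts have no ACS endpoint, which ACS index values collide, and which logout Bindings appear more than once. The metadata document and hostnames below are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def audit_sp_metadata(xml_text, required_hosts):
    """Audit an SP EntityDescriptor against the vhosts that must be able to
    receive assertions.  Returns a dict of findings (empty lists mean OK)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")

    acs = sp.findall("md:AssertionConsumerService", MD_NS)
    acs_hosts = sorted({urlsplit(e.get("Location", "")).hostname or "" for e in acs})
    # index must be unique among an SP's ACS endpoints (the IdP picks one by it)
    indexes = Counter(e.get("index") for e in acs)
    # more than one SingleLogoutService with the same Binding is not allowed,
    # which is why one SP spanning several vhosts cannot do SAML logout
    slo_bindings = Counter(e.get("Binding")
                           for e in sp.findall("md:SingleLogoutService", MD_NS))
    return {
        "entity_id": root.get("entityID"),
        "acs_hosts": acs_hosts,
        "hosts_without_acs": sorted(set(required_hosts) - set(acs_hosts)),
        "duplicate_acs_indexes": sorted(i for i, n in indexes.items() if n > 1),
        "slo_binding_conflicts": sorted(b for b, n in slo_bindings.items() if n > 1),
    }


# Constructed SP metadata: one entityID, ACS endpoints for two vhosts, and a
# logout endpoint per vhost that both use the HTTP-Redirect binding.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.example.org/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://www.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://files.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://files.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    report = audit_sp_metadata(
        SAMPLE_SP_METADATA,
        ["www.example.org", "files.example.org", "intranet.example.org"],
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the SP metadata the IdP actually holds (not the one you think you sent): a vhost listed under hosts_without_acs is exactly the "IDP must have metadata for each SP" case above, and a non-empty slo_binding_conflicts list confirms that logout will not work for that combined SP.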