Too many redirects
310 views
Skip to first unread message
Sushil Kambampati
Sep 21, 2020, 9:51:36 AM9/21/20
to SimpleSAMLphp
I've installed SimpleSAMLphp 1.19 and 1.18 following the instructions and nothing out of the way, and while I finally got the page to load, trying to log in as Administrator generates a too-many-redirects page.
Here's my apache config file:
<VirtualHost *>
ServerName sso.wwnorton.net
DocumentRoot /var/simplesamlphp/www
SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/simplesamlphp/config
Alias /simplesaml /var/simplesamlphp/www
<Directory /var/simplesamlphp/www>
Require all granted
</Directory>
</VirtualHost>
The only items I changed in the config.php are the secretsalt and auth.adminpassword.
Any ideas would be much appreciated.
Peter Schober
Sep 21, 2020, 10:17:13 AM9/21/20
to SimpleSAMLphp
* Sushil Kambampati <skamb...@wwnorton.com> [2020-09-21 15:51]:
as 'Cookie' HTTP Request headers sent to respectively from your web
browser. The host name for those Cookies is probably wrong somewhere.
> https://sso.net/simplesaml/module.php/...
Those probably are obfuscated to some degree but note that "sso.net"
(in the URL above) and "sso.wwnorton.net" in your config) are not the
same.
Also pay attention to the 'baseurlpath' parameter in config/config.php
> DocumentRoot /var/simplesamlphp/www
> SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/simplesamlphp/config
> Alias /simplesaml /var/simplesamlphp/www
Note that setting SIMPLESAMLPHP_CONFIG_DIR to the 'config' directory
from the SSP distribution is both a noop (that's where it would be
found if you didn't set SIMPLESAMLPHP_CONFIG_DIR at all) and more
importantly you'll miss out on having your config dir *outside* of the
software distribution, which would ease SSP updates by keeping your
config separate from the unpacked (and later: updated) distribution.
Also note that you don't need/want to set an Alias of /simplesaml
(i.e., making SSP available at /simplesaml) when your vhost's
DocumentRoot already points to the same directory (i.e., making SSP
available at your web server root /). Use one or the other, depending
on where you want to make SSP available and what else you're hosting
on that vhost. If in doubt, only use the Alias and keep the
DocumentRoot for your application or whatever.
-peter
> I've installed SimpleSAMLphp 1.19 and 1.18 following the instructions and
> nothing out of the way, and while I finally got the page to load, trying to
> log in as Administrator generates a too-many-redirects page.
Look at any 'Set-Cookie' and 'Location' HTTP Reponse headers as well
> nothing out of the way, and while I finally got the page to load, trying to
> log in as Administrator generates a too-many-redirects page.
as 'Cookie' HTTP Request headers sent to respectively from your web
browser. The host name for those Cookies is probably wrong somewhere.
> https://sso.net/simplesaml/module.php/...
Those probably are obfuscated to some degree but note that "sso.net"
(in the URL above) and "sso.wwnorton.net" in your config) are not the
same.
Also pay attention to the 'baseurlpath' parameter in config/config.php
> DocumentRoot /var/simplesamlphp/www
> SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/simplesamlphp/config
> Alias /simplesaml /var/simplesamlphp/www
from the SSP distribution is both a noop (that's where it would be
found if you didn't set SIMPLESAMLPHP_CONFIG_DIR at all) and more
importantly you'll miss out on having your config dir *outside* of the
software distribution, which would ease SSP updates by keeping your
config separate from the unpacked (and later: updated) distribution.
Also note that you don't need/want to set an Alias of /simplesaml
(i.e., making SSP available at /simplesaml) when your vhost's
DocumentRoot already points to the same directory (i.e., making SSP
available at your web server root /). Use one or the other, depending
on where you want to make SSP available and what else you're hosting
on that vhost. If in doubt, only use the Alias and keep the
DocumentRoot for your application or whatever.
-peter
Sushil Kambampati
Sep 21, 2020, 12:16:15 PM9/21/20
to SimpleSAMLphp
Thanks for the response! The domain discrepancy was my poor attempt at obfuscation. In reality the domain names match in the Apache config file and the simpleSAML config.php file. The cookie domain in the browser shows the same value.
I did not change baseurlpath in config.php but setting it to the full URL of my host + /simplesaml did not resolve the issue either. Would someone who has a working instance be willing to share their config files (replace your domain with example.com and any sensitive paths with foo/bar)?
Sushil Kambampati
Sep 21, 2020, 12:50:53 PM9/21/20
to SimpleSAMLphp
I've solved it. Initially I was trying to use nginx, but that too was giving me the same redirect problem. I then switched to Apache and did not change the user/group in the php-fpm configuration.
So while I got this to work with Apache, I did not with nginx.
Peter Schober
Sep 21, 2020, 1:31:34 PM9/21/20
to SimpleSAMLphp
* Sushil Kambampati <skamb...@wwnorton.com> [2020-09-21 18:51]:
contributed what they consider working versions of the config.
At some point someone proficient with nginx should probably go through
those and trim them down to one minimal set of actually required
config entries/changes for nginx.
-peter
> So while I got this to work with Apache, I did not with nginx.
Check the list archives -- over the years several people have
contributed what they consider working versions of the config.
At some point someone proficient with nginx should probably go through
those and trim them down to one minimal set of actually required
config entries/changes for nginx.
-peter
Joseph Balsamo
Feb 22, 2021, 5:25:05 PM2/22/21
to SimpleSAMLphp
I am having a similar issue, however, it only happens when I use a Chrome based browser and I am using Apache2 as a server. On Safari and Firefox it works fine with no redirect issue. On Chrome, Brave, and Edge (Chrome based) it gives me the redirect error. This happens whether I use the SimpleSAML configuration page login or logging in to my SSO source, The configuration and the login test continue to work fine on Firefox and Safari.
Also, I found another post that suggested editing the cookies domain to fix this and that didn't work and it is still acting the same.
Thanks and please let me know if you have any ideas what I can do,
~Joe.
Tim van Dijen
Feb 23, 2021, 4:00:17 AM2/23/21
to SimpleSAMLphp
Hi Joseph,
I suspect this is a 'sameSite' cookie issue, since Edge and Chrome share the same engine and the others are known to be more lenient in processing.
What happens if you add this to you Apache configuration?
# Set cookies Secure & SameSite=None
Header always edit Set-Cookie "^((?!;\s?[Ss]ecure).)+$" "$0; Secure"
Header always edit Set-Cookie "^((?!;\s?[Ss]ame?[Ss]ite).)+$" "$0; SameSite=None"
Header always edit Set-Cookie "^((?!;\s?[Ss]ecure).)+$" "$0; Secure"
Header always edit Set-Cookie "^((?!;\s?[Ss]ame?[Ss]ite).)+$" "$0; SameSite=None"
Make sure to clear your cookies before testing again.
- Tim
Op maandag 22 februari 2021 om 23:25:05 UTC+1 schreef Joseph Balsamo:
Benson Lee
Feb 28, 2021, 7:05:15 PM2/28/21
to SimpleSAMLphp
Hello Tim,
I am also having this same problem on Edge / Chrome but not in Firefox. I added the recommended lines in apache2.conf (I'm on Ubuntu), and it seems it did not do the trick, even after clearing cookies manually, or even running from within an incognito session. In Firefox, I did not have to do anything and it simply works.
This is how it looks when analyzed.
Any clue what else I can check?
Benson
Benson Lee
Feb 28, 2021, 7:28:21 PM2/28/21
to SimpleSAMLphp
I think I found the config. I made the two changes below and it did the trick for me. I also removed the adjustment earlier from the apache2.conf so I can only test one change at a time.
Reply all
Reply to author
Forward
0 new messages