Hello!
I’ve spent the past week installing and configuring SimpleSAMLPhP in my application to set up Okta as the IdP and my app/SimpleSAMLPhP as the SP. I believe I’ve gotten my configuration right, but I’ve ended up in a spot that I’ve seen a few other people on these forums end up in: an infinite redirect loop. The other situations don’t quite match up perfectly with what I’m experiencing, and I haven’t been able to use the answers there to resolve my issues.
Resources I used in my configuration:
SimpleSAMLPhP docs
Okta SimpleSamlPHP Example
I’m working in a local environment and I’ve been able to successfully test my configuration using the SimpleSAMLPhP interface. This app is built using the Yii framework.
Okta config:
SSO Url: https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/okta-local
(box checked for both recipient and destination URL being the same)
DestinationURL: https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/okta-local
DefaultRelayState: https://localhost/catchokta?saml_sso=okta-local
When I start the IdP-initiated flow, after the IdP (okta) authentication has occurred, a new tab is opened and I am directed to my application:
In my DevTools Network tab, I watch the following occur once you use the link to your “app” from your Okta home page:
GET to myorg.okta.com/home/STUFF - 302
GET to myorg.okta.com/app/STUFF - 302
GET to myorg.okta.com/app/STUFF/sso/saml - 200
START OF LOOP
POST to localhost/simplesaml/module.php/saml/sp/saml2-acs.php/okta-local - 303
this POST contains a SAMLResponse as part of the Form Data
GET to localhost/catchokta?saml_sso=okta-local - 302
GET to myorg.okta.com/app/STUFF/sso/saml?SAMLRequest=CHARACTERS - 200 OK
START OF NEXT LOOP
POST to localhost/simplesaml/module.php/saml/sp/saml2-acs.php/okta-local - 303
this POST contains a SAMLResponse as part of the Form Data
At my endpoint /catchokta, I have the following logic (pulled from the login flow of the Okta/PhP example):
// $sp holds the authsource id from authsources.php; here that is 'okta-local',
// the same name that appears at the end of the ACS URL above.
$as = new SimpleSAML_Auth_Simple($sp);
// Redirects to the IdP if no SP session is visible on this request,
// otherwise returns immediately.
$as->requireAuth();
$user = array(
    'sp'         => $sp,
    'authed'     => $as->isAuthenticated(),
    'idp'        => $as->getAuthData('saml:sp:IdP'),
    'nameId'     => $as->getAuthData('saml:sp:NameID')['Value'],
    'attributes' => $as->getAttributes(),
);
The call to ->requireAuth() is what’s triggering the redirect loop, and the $user = line never gets hit.
Has anyone run into this issue before? Any help or tips would be greatly appreciated.
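As an added example (not from the original post, the Okta sample, or SimpleSAMLphp itself), here is a loop-safe variant of the /catchokta handler: it checks isAuthenticated() explicitly, counts IdP round-trips in a plain cookie, and stops after a few attempts with a report of which cookies actually reached the request, which is the usual reason an ACS session is not seen by the next page. It assumes SimpleSAMLphp 1.x (the SimpleSAML_Auth_Simple class used in the post), an install path of /var/simplesamlphp (assumed), and that $sp holds the authsource id 'okta-local'.

```php
<?php
// Added example, not the original post's code. Assumed install path below.
require_once '/var/simplesamlphp/lib/_autoload.php';

function catchOkta($sp, $maxAttempts = 2)
{
    $as = new SimpleSAML_Auth_Simple($sp);

    // If the session set up by the ACS endpoint is visible on this request,
    // requireAuth() would return at once; make that check explicit instead.
    if ($as->isAuthenticated()) {
        setcookie('sso_attempts', '', time() - 3600, '/'); // clear the counter
        return array(
            'sp'         => $sp,
            'authed'     => true,
            'idp'        => $as->getAuthData('saml:sp:IdP'),
            'nameId'     => $as->getAuthData('saml:sp:NameID')['Value'],
            'attributes' => $as->getAttributes(),
        );
    }

    // Not authenticated: count round-trips so a session that never sticks
    // cannot turn into an endless IdP <-> SP loop.
    $attempts = isset($_COOKIE['sso_attempts']) ? (int) $_COOKIE['sso_attempts'] : 0;
    if ($attempts >= $maxAttempts) {
        // Report why instead of redirecting again: the SP session cookie set at
        // the ACS endpoint (session.cookie.name in config.php) is not arriving.
        $cfg        = SimpleSAML_Configuration::getInstance();
        $cookieName = $cfg->getString('session.cookie.name', 'SimpleSAMLSessionID');
        http_response_code(500);
        header('Content-Type: text/plain');
        echo "SSO loop stopped after {$attempts} attempts.\n";
        echo "SP session cookie '{$cookieName}' present: "
            . (isset($_COOKIE[$cookieName]) ? 'yes' : 'no') . "\n";
        echo "Cookies seen by this request: " . implode(', ', array_keys($_COOKIE)) . "\n";
        exit;
    }

    // Secure + HttpOnly, since the app is served over https://localhost.
    setcookie('sso_attempts', (string) ($attempts + 1), 0, '/', '', true, true);
    // Same behaviour as the original handler: start SP-initiated login.
    $as->requireAuth();
}

$user = catchOkta('okta-local');
```

If the report shows the SimpleSAMLphp session cookie missing while other cookies arrive, the problem is in cookie scope or session storage (secure/path/name settings, or the application framework starting its own PHP session), not in the Okta side of the exchange.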