Login Stuck in Endless Redirect Loop - PhP - SimpleSAMLPhP

Hello!

I’ve spent the past week installing and configuring SimpleSAMLPhP in my application to set up Okta as the IdP and my app/SimpleSAMLPhP as the SP. I believe I’ve gotten my configuration right, but I’ve ended up in a spot that I’ve seen a few other people on these forums end up in: an infinite redirect loop. The other situations don’t quite match up perfectly with what I’m experiencing, and I haven’t been able to use the answers there to resolve my issues.

Resources I used in my configuration:
SimpleSAMLPhP docs
Okta SimpleSamlPHP Example

I’m working in a local environment and I’ve been able to successfully test my configuration using the SimpleSAMLPhP interface. This app is built using the Yii framework.

Okta config:
SSO Url: https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/okta-local
(box checked for both recipient and destination URL being the same)
DestinationURL: https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/okta-local
DefaultRelayState: https://localhost/catchokta?saml_sso=okta-local

When I start the IdP-initiated flow, after the IdP (okta) authentication has occurred, a new tab is opened and I am directed to my application:

In my DevTools Network Tab, I watch the following occur once you use the link to your “app” from your Okta home page:

GET to myorg.okta.com/home/STUFF - 302

GET to myorg.okta.com/app/STUFF - 302

GET to myorg.okta.com/app/STUFF/sso/saml - 200

START OF LOOP

POST to localhost/simplesaml/module.php/saml/sp/saml2-acs.php/okta-local - 303
(this POST contains a SAMLResponse as part of the Form Data)

GET to localhost/catchokta?saml_sso=okta-local - 302

GET to myorg.okta.com/app/STUFF/sso/saml?SAMLRequest=CHARACTERS - 200 OK

START OF NEXT LOOP

POST to localhost/simplesaml/module.php/saml/sp/saml2-acs.php/okta-local - 303
(this POST contains a SAMLResponse as part of the Form Data)

At my endpoint /catchokta, I have the following logic (pulled from the login flow of the Okta/PhP example):
// $sp is the SP authsource name from authsources.php (here 'okta-local')
$as = new SimpleSAML_Auth_Simple($sp);
$as->requireAuth(); // redirects to the IdP when no authenticated SimpleSAMLphp session is found
$user = array(
    'sp'         => $sp,
    'authed'     => $as->isAuthenticated(),
    'idp'        => $as->getAuthData('saml:sp:IdP'),
    'nameId'     => $as->getAuthData('saml:sp:NameID')['Value'],
    'attributes' => $as->getAttributes(),
);

The call to ->requireAuth() is what’s triggering the redirect loop, and the $user = line never gets hit.

Has anyone run into this issue before? Any help or tips would be greatly appreciated.

In case anyone runs into this issue later, I haven’t figured it out - I’m still working through it, BUT, I’ve gotten some findings. I’m more and more confident the Okta config is correct, but it’s a mismanagement of session between my application and my SAML library, SimpleSAMLPhP.

https://simplesamlphp.org/docs/stable/simplesamlphp-nostate
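Added example (my own code, not the poster's and not the Okta sample): a /catchokta handler that does the SimpleSAMLphp work before the application's own session starts and then hands the PHP session back with cleanup(), which is the pattern the linked SimpleSAMLphp session documentation describes for exactly this symptom. It assumes the 1.x class names used in the thread, a placeholder autoloader path, and that session.phpsession.cookiename in config.php is set to a cookie name different from the application's.

```php
<?php
// Added example: /catchokta handler that keeps the application's PHP session
// from clobbering the SimpleSAMLphp session written by saml2-acs.php.
require_once('/PATH/TO/simplesamlphp/lib/_autoload.php'); // placeholder path

// The SP name arrives via the RelayState query string (saml_sso=okta-local),
// which the browser can tamper with, so only accept names from authsources.php.
$allowedSps = array('okta-local');
$sp = isset($_GET['saml_sso']) ? $_GET['saml_sso'] : '';
if (!in_array($sp, $allowedSps, true)) {
    http_response_code(400);
    exit('Unknown SAML source');
}

// All SimpleSAMLphp calls happen BEFORE the application (Yii) starts its own
// session. If the application session is started first under the same cookie
// name, or restarts the PHP session, SimpleSAMLphp cannot find the auth data
// the ACS endpoint just stored, requireAuth() sends a fresh AuthnRequest to
// Okta, and the ACS -> /catchokta -> Okta loop from the Network tab repeats.
$as = new SimpleSAML_Auth_Simple($sp);
$as->requireAuth();

// Newer SimpleSAMLphp releases return a NameID object instead of an array;
// handle both so the handler does not fatal on upgrade (assumption: getValue()).
$nameId = $as->getAuthData('saml:sp:NameID');
$user = array(
    'sp'         => $sp,
    'idp'        => $as->getAuthData('saml:sp:IdP'),
    'nameId'     => is_array($nameId) ? $nameId['Value'] : $nameId->getValue(),
    'attributes' => $as->getAttributes(),
);

// cleanup() closes SimpleSAMLphp's PHP session so the application can open its
// own session afterwards without overwriting SimpleSAMLphp's state.
SimpleSAML_Session::getSessionFromRequest()->cleanup();

// Only now start the application session and record the authenticated user.
session_start();
session_regenerate_id(true); // new session id after authentication
$_SESSION['saml_user'] = $user;
```

With SimpleSAMLphp's cookie name distinct from the application's, the same pattern also lets the debug check at /simplesaml continue to see the session the ACS endpoint created.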

Hi @alexRS, I am trying to do a similar setup on my localhost by making a virtual host, and my calls are stuck in an infinite loop; I am getting the exact issue you mentioned. It would be really helpful if you could share how you resolved this problem.
Thank you.

Any luck on resolving this issue?

I have the same issue. I’ve implemented many SPs before via SimpleSAMLPhp.
Everything works correctly when tested via samltest.id.

Not sure where I am going wrong with OKTA

Hi, I found this and was able to get it to work:

The key is in setting the “Default RelayState”, as this is required to make simpleSamlPhp work from Okta’s side.

Please let me know if you have any questions, I can try to help or share code further.
