Using SimpleSAMLphp to authenticate with Okta results in endless redirects


We are attempting to use SimpleSAMLphp to authenticate users on our portal site against our Okta SSO. We had been using SSPHP 2.x but downgraded to a 1.x version that we know is working for a colleague in his applications, where he is essentially doing the same thing we are trying to achieve, to try to eliminate variables like software version, etc., that might be an issue.

As he has been doing, using the “autoconfig” setup from the jpf/okta-simplesamlphp-example repository on GitHub (an example PHP application that uses SimpleSAMLphp), we seem to be able to get to $as->requireAuth(); and have Okta either check to see that we apparently have an active session or, if none seems to exist, send the user to the Okta login to sign in. If the user has to sign in, they are then sent to our two-factor authentication service and then, as well as in the case of an existing Okta session, are sent back to the page where they came from. However, this seems to essentially reload the page from the start, getting to requireAuth() again, and this time never going to an Okta login form because Okta seemingly detects an active session. So now we are stuck in an endless loop of load page → requireAuth() → Okta does its thing → redirect back, but never moving on past that. We never get to the step described in the SSPHP docs where we can access the user attributes and do as we need from there. It seems as though SSPHP doesn’t “remember” that it just came from authentication and that it should not send the user out to get authenticated again or check for an active session, but should instead read the information from the session that should already be there.

I have seen discussion around a “Default RelayState”, and it seems this is related to where we would like the user sent back to after authentication, which we are assuming is where the user came from (for example, the index.php of our application was accessed and required authentication before the user was allowed to proceed, so after authentication we would want the user to pick up where they started, back at index.php, essentially right after requireAuth() runs). Would this Default RelayState be a specific URL of a page within our app/site? Would it be something specific to SimpleSAMLphp (a module, perhaps)?

We aren’t sure how to move past the requireAuth() function without it kicking off a new authentication request to Okta, and instead have it detect that an Okta login is already active for the user, simply return, and continue on to access the attributes. I have seen posts elsewhere online about the PHP session and the SSPHP session being out of sync or not using the same ID. Could that be what is preventing SSPHP from detecting an already active login session and instead sending out for a brand new login on every page load?

First things first: you should be able to see that Okta returns you to your app's ACS URL, which is a special URL that processes the SAML assertion minted by Okta. That URL should validate the assertion and establish a session.

It looks to me like you misconfigured Okta to send you back to a non-ACS URL, and that causes this infinite loop.
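The following is an added example, not code from the original thread or from the jpf/okta-simplesamlphp-example app, showing the SP-side flow the question describes (requireAuth() followed by reading attributes) together with the point the answer makes about the ACS URL. It assumes SimpleSAMLphp 1.x installed at /var/simplesamlphp, an authsource named default-sp in config/authsources.php, and an application hosted at https://portal.example.com; all three are placeholders. The session cleanup() call follows the SimpleSAMLphp 1.x SP API documentation for applications that also use native PHP sessions; check it against the docs for the exact version you run.

```php
<?php
// Added example (not from the original thread or the jpf example app).
// Assumed paths and names: /var/simplesamlphp, authsource "default-sp",
// app at https://portal.example.com.
require_once '/var/simplesamlphp/lib/_autoload.php';

// The ACS (AssertionConsumerService) URL is served by SimpleSAMLphp itself,
// not by your application. For an authsource called "default-sp" it is:
//   https://portal.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
// In the Okta SAML app settings, "Single sign on URL" must be exactly that
// URL, and "Audience URI (SP Entity ID)" must match the SP entity ID, which
// by default is the SP metadata URL:
//   https://portal.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
// If Okta instead POSTs the SAMLResponse to index.php, nothing consumes the
// assertion, no SSPHP session is created, and requireAuth() redirects to
// Okta again on every page load: that is the loop.

$as = new SimpleSAML_Auth_Simple('default-sp');

// Send the browser to Okta only when SSPHP has no session for this SP.
// ReturnTo is where the ACS endpoint sends the user after it has validated
// the assertion and created the session. For SP-initiated logins SSPHP sets
// the SAML RelayState parameter itself (it carries SSPHP's saved-state id),
// so this option, not Okta's "Default RelayState", decides the landing page.
if (!$as->isAuthenticated()) {
    $as->requireAuth([
        'ReturnTo' => 'https://portal.example.com/index.php',
    ]);
    // requireAuth() does not return when it issues a redirect.
}

// Past this point the SSPHP session exists; read what Okta released.
// Attribute names are whatever you mapped in the Okta app ("email" is an
// assumed mapping here).
$attributes = $as->getAttributes();
$email = isset($attributes['email'][0]) ? $attributes['email'][0] : null;
if ($email === null) {
    http_response_code(403);
    exit('No email attribute released by the IdP');
}

// If the application also uses native PHP sessions ($_SESSION), release
// SSPHP's hold on the session before starting your own, as the SSPHP 1.x
// SP API docs describe; otherwise the two session handlers fight over the
// same PHP session and SSPHP may fail to see the session it just created.
$session = SimpleSAML_Session::getSessionFromRequest();
$session->cleanup();
session_start();
$_SESSION['user'] = $email;

echo 'Logged in as ' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
```

To confirm which side is misconfigured, watch the browser's network tab during one round trip: after Okta's login (and your two-factor step) the browser should POST a SAMLResponse form to the saml2-acs.php URL above, and only then be redirected (HTTP 302) to the ReturnTo page. If the POST goes to index.php or any other application page, fix the "Single sign on URL" in Okta. The SP metadata page at the metadata.php URL shows the exact AssertionConsumerService location SSPHP expects, so copying it from there avoids typos in the authsource name.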