Redirect loop when SAML is enabled

book

Article ID: 168218

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

When enabling SAML authentication in the Web Security Service, you might experience a browser stuck in a redirect loop for some subdomains.

For example, test.blogspot.com

 

Cause

SAML authentication uses redirects and cookies to authenticate the user. (Anatomy of a SAML Transaction)
Cookies are used as a surrogate credential and are set at the domain level in the browser. For example, if you visit subdomain.example.com, the cookie is set against .example.com.

Setting the cookie at the domain level reduces the amount of redirects required when visiting other subdomains because the browser automatically presents the cookie for any other subdomain of example.com and therefore is not required to go through the authentication/redirect mechanism again.

However, it is not possible to set domain wide cookies on some domains that are considered Effective TLDs (for example, blogspot.com is an effective TLD):
Public Suffix List

As a cookie cannot be set for sub-domains at the domain level for effective TLDs, the browser keeps attempting to access the subdomain.blogspot.com without the cookie, and is redirected through the authentication mechanism again. This is what causes the re-direct loop.

Resolution

There are two fixes to this problem:

  1. Add the domain or subdomain into the SAML bypass list (SAML Bypass List)
  2. Symantec is investigating other possible solutions to this issue (such as not setting domain wide cookies for effective TLDs; Bug#21151)