
Redirect loop when SAML is enabled


Article ID: 168218




Web Security Service - WSS


When enabling SAML authentication in the Web Security Service, you might experience a browser stuck in a redirect loop for some subdomains.

For example,



SAML authentication uses redirects and cookies to authenticate the user. (Anatomy of a SAML Transaction)
Cookies are used as a surrogate credential and are set at the domain level in the browser. For example, if you visit, the cookie is set against

Setting the cookie at the domain level reduces the number of redirects required when visiting other subdomains, because the browser automatically presents the cookie for any other subdomain of and therefore does not need to go through the authentication/redirect mechanism again.

However, it is not possible to set domain-wide cookies on some domains that are considered effective TLDs (for example, is an effective TLD), as defined by the:
Public Suffix List

Because a cookie cannot be set at the domain level for subdomains of an effective TLD, the browser keeps attempting to access the without the cookie and is redirected through the authentication mechanism again. This is what causes the redirect loop.
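As an added illustration (not part of this article or of the WSS product), the Python below applies the Public Suffix List matching rules to a small constructed subset of the list and reports, for a hostname, the widest domain a surrogate cookie could be scoped to. A hostname that is itself an effective TLD gets none, so every subdomain of it would be sent through authentication again. The rule subset and hostnames are constructed for illustration.

```python
PSL_RULES = [  # constructed subset of the Public Suffix List (real list: https://publicsuffix.org/list/)
    "com", "co.uk", "uk", "github.io", "io", "*.ck", "!www.ck",
]

def _labels(name):
    return name.lower().rstrip(".").split(".")

def _rule_matches(rule, host_labels):
    # Compare rule and host label by label from the right; "*" matches any one label.
    r = _labels(rule.lstrip("!"))
    if len(r) > len(host_labels):
        return False
    return all(rl == "*" or rl == hl for rl, hl in zip(reversed(r), reversed(host_labels)))

def public_suffix(host):
    """Effective TLD of host per the PSL algorithm: an exception rule wins, else the longest match."""
    hl = _labels(host)
    matches = [r for r in PSL_RULES if _rule_matches(r, hl)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        # An exception rule's suffix is the rule minus its leftmost label (e.g. !www.ck -> ck).
        return ".".join(_labels(exceptions[0][1:])[1:])
    if not matches:
        return hl[-1]  # PSL default rule "*": the last label alone is the suffix
    best = max(matches, key=lambda r: len(_labels(r)))
    return ".".join(hl[-len(_labels(best)):])

def cookie_domain(host):
    """Registrable domain (eTLD+1) a domain-wide surrogate cookie may be scoped to,
    or None when host is itself an effective TLD and no such cookie is possible."""
    hl = _labels(host)
    n = len(_labels(public_suffix(host)))
    if len(hl) <= n:
        return None
    return ".".join(hl[-(n + 1):])

def cookie_presented(host, cookie_scope):
    """True if the browser would send a cookie scoped to cookie_scope when visiting host."""
    hl, cl = _labels(host), _labels(cookie_scope)
    return hl[-len(cl):] == cl

if __name__ == "__main__":
    for h in ("app.example.co.uk", "user.github.io", "foo.ck"):
        print(h, "->", public_suffix(h), cookie_domain(h))
```

For `user.github.io` the widest possible cookie scope is `user.github.io` itself, so a cookie set there is never presented to `other.github.io`, which is the situation that produces the loop.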


There are two fixes to this problem:

  1. Add the domain or subdomain to the SAML bypass list (SAML Bypass List)
  2. Symantec is investigating other possible solutions to this issue (such as not setting domain-wide cookies for effective TLDs; Bug#21151)