Users are getting Error: ERR_TOO_MANY_REDIRECTS for a URL via Web Isolation when SAML authentication is enabled


Article ID: 384982


Products

Web Isolation Cloud

Issue/Introduction

Users get Error: ERR_TOO_MANY_REDIRECTS for a URL in the web browser when going through Web Isolation. The error appears when SAML user authentication is enabled in the Web Isolation tenant and is not observed when SAML authentication is bypassed or disabled in Web Isolation.

In the network traces in the client-side browser developer tools the following redirect loop is observed:

Environment

  • Users' traffic is isolated in Web Isolation Cloud service
  • SAML authentication is enabled for users in the Web Isolation Cloud tenant 

Cause

The URL users are trying to access is listed in the Public Suffix List: https://publicsuffix.org/list/public_suffix_list.dat

According to "Learn more about the Public Suffix List", browsers restrict cookie setting for domains that are part of this list, in order to protect the user from being tracked across sites.

SAML authentication depends on cookies and will result in a redirect loop if the browser does not set one for an authenticated session:

On first accessing the URL, the user is redirected to the gateway and then back to the original domain, while also setting a cookie which is used as an indicator that the user has been authenticated. On URLs that are part of the public suffix list, the browser will block any attempt to set a cookie. When the user is redirected back to the original domain, they do not send a cookie signaling that they are authenticated, and so they are again redirected to the gateway to authenticate. This redirect loop eventually results in a browser error. 

Therefore, due to this browser behavior, this website should be bypassed from authentication in the Web Isolation policy rules.
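
To check ahead of time whether a hostname is itself a Public Suffix List entry (the condition described above), the following Python sketch applies the list's matching rules: plain rules, wildcard `*.` rules and exception `!` rules. It is an added example, not part of the original article or of any Web Isolation tooling; the function names and sample hostnames are hypothetical, and the embedded rules are a small excerpt standing in for the full public_suffix_list.dat.

```python
# Added example: function names and the sample hostnames are hypothetical.
# PSL_EXCERPT is a small excerpt in the list's format, for illustration only;
# load the full public_suffix_list.dat for real use.
PSL_EXCERPT = """
// comment lines start with two slashes
com
uk
co.uk
github.io
*.ck
!www.ck
"""

def parse_psl(text):
    """Split list text into (plain and wildcard rules, exception rules)."""
    rules, exceptions = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rule = line.split()[0].lower()
        if rule.startswith("!"):
            exceptions.add(rule[1:])
        else:
            rules.add(rule)
    return rules, exceptions

def public_suffix(host, rules, exceptions):
    """Return the public suffix of host per the list's matching algorithm."""
    labels = host.lower().rstrip(".").split(".")
    best = 1  # implicit default rule "*": the last label alone
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in exceptions:
            # An exception rule wins; the suffix is the rule minus its first label.
            return ".".join(labels[i + 1:])
        parent = ".".join(labels[i + 1:])
        if candidate in rules or (parent and "*." + parent in rules):
            best = max(best, len(labels) - i)
    return ".".join(labels[-best:])

def hosts_needing_bypass(hosts, psl_text=PSL_EXCERPT):
    """Hosts that are themselves public suffixes (the case in this article)."""
    rules, exceptions = parse_psl(psl_text)
    return [h for h in hosts
            if public_suffix(h, rules, exceptions) == h.lower().rstrip(".")]

if __name__ == "__main__":
    sample = ["github.io", "example.github.io", "foo.ck", "www.ck", "example.com"]
    print(hosts_needing_bypass(sample))
```

Hostnames returned by `hosts_needing_bypass` are candidates for the authentication bypass rule described in this article.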

Resolution

Bypass the website from SAML authentication in the Web Isolation policy rules.