Request Looping Between Authentication URL and Federation URL

Article ID: 75133

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

When I try to initiate an OpenID Connect session, I receive a browser error that says "too many redirects". The logs show the following:

[03/29/2018][20:57:49][6762][140511575152384][120cd330-a359313a-b0216797-dbd47d46-4a765a0a-f861][AuthorizationService.java]
[processAuthentication][OpenIDConnect Authorization Service Service redirecting to authentication URL: https://smfed-
dev.testqa.company.com/affwebservices/secure/secureredirect?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&
SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&
SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&
SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&
SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&
response_type=code&client_id=0001a8a8-397c-1a97-b5b2-9ae8ac149e7f&redirect_uri=https%3A%2F%2Ffusion-abc--ComSSO.cs50.company2.com%2Fservices%2Fauthcallback%2FFusionFull&scope=
openid&state=CAAAAWJ04zAXME8wM0IwMDAwMDAwMDA2AAAA1CqbCF8y0QgPQlhjWhMisWidNmbkNYlDrGuLMDPBwlb9Uli-
lqWhf_TQHH2kDrQCN3MJaZA5wAw6SoeKfxdLuxiOo5H1bbAfqOQtmpHwsbFxyHQkcULx__VnTI_qqxKEhbhuLh2wxD3y23q8OCdCopqJi
_nQgBnhx6w5Z1_WlarEp7y_m6pKHgczpiLa01gde7QY2ruH_Iwx-639nATeA3EW_1454vYcU1L-yR3caHNAMpPSfYN3n-H6M_ZMxepW52gDh8uu
47474-3xj_NN3BI%3D&SMPORTALURL=DmGyoM0I1YMdUMDY6RyzXFOzpYmAvIjSmH2gXtiNMinTzwEHtjzSVbB%2FnVP4kusvhRzVuDqbzQ
%2F4SOI3C26QzOtBhhJKtjn4F6fDogDugFpu3bqi74xh7z1LUbZKimYX]

Cause

The federation Authentication URL was not protected, causing a loop between Federated Web Services (FWS) and the Authentication URL. This will occur for any federation profile that leverages an Authentication URL. The same looping also occurs if the session that a user receives upon requesting the Authentication URL is not valid for the FWS URL, for example when the Authentication URL and the FWS URL are in different cookie domains and no cookie provider is configured.

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:

Resolution

Make sure the Authentication URL is a protected resource.  Make sure the sessions generated from requesting the Authentication URL are valid for the FWS URL.
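
As an added example (not part of the original article or the product), the following Python code flags the symptom visible in the log excerpt above, a repeated SMASSERTIONREF parameter in the logged authentication URL, and checks whether the Authentication URL and the FWS URL fall inside one cookie domain. The sample log lines, host names, the threshold of two and the suffix-match rule for cookie domains are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Message text taken from the article's log excerpt; the URL runs to the closing "]".
REDIRECT_RE = re.compile(r"redirecting to authentication URL:\s*(\S+?)\]?\s*$")

def assertionref_count(log_line):
    """Return (url, count of SMASSERTIONREF params) for a redirect log line, else None."""
    m = REDIRECT_RE.search(log_line)
    if m is None:
        return None
    url = m.group(1)
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return url, sum(1 for key, _ in pairs if key == "SMASSERTIONREF")

def find_loops(lines, threshold=2):
    """Return [(line_number, count)] for redirects whose URL repeats SMASSERTIONREF."""
    # Assumption: one occurrence is a normal first redirect, a repeat means a loop.
    hits = []
    for number, line in enumerate(lines, start=1):
        parsed = assertionref_count(line)
        if parsed and parsed[1] >= threshold:
            hits.append((number, parsed[1]))
    return hits

def in_cookie_domain(url, cookie_domain):
    """True if the URL's host falls inside cookie_domain (assumed suffix match)."""
    host = (urlsplit(url).hostname or "").lower()
    domain = cookie_domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def session_shared(auth_url, fws_url, cookie_domain):
    """True if a session cookie scoped to cookie_domain is sent to both URLs."""
    return in_cookie_domain(auth_url, cookie_domain) and in_cookie_domain(fws_url, cookie_domain)

# Constructed sample lines (hosts and client_id are placeholders, not from the article).
PREFIX = "[01/01/2024][10:00:00][1][1][txn][AuthorizationService.java][processAuthentication]"
MSG = "[OpenIDConnect Authorization Service Service redirecting to authentication URL: "
BASE = "https://fed.example.com/affwebservices/secure/secureredirect?"
TAIL = "response_type=code&client_id=CLIENT_ID&scope=openid]"
SAMPLE = [
    PREFIX + MSG + BASE + "SMASSERTIONREF=QUERY&" + TAIL,
    PREFIX + "[unrelated message]",
    PREFIX + MSG + BASE + "SMASSERTIONREF=QUERY&" * 4 + TAIL,
]

if __name__ == "__main__":
    print(find_loops(SAMPLE))
```

A hit from find_loops points at the unprotected Authentication URL or a session that FWS does not accept; session_shared returning False for the two URLs corresponds to the different-cookie-domain case described under Cause.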