Request Looping Between Authentication URL and Federation URL
Article ID: 75133
Products
CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On
Issue/Introduction
When I try to initiate an OpenID Connect session, I receive a browser error that says "too many redirects". The logs show the following:
[03/29/2018][20:57:49][6762][140511575152384][120cd330-a359313a-b0216797-dbd47d46-4a765a0a-f861][AuthorizationService.java] [processAuthentication][OpenIDConnect Authorization Service Service redirecting to authentication URL: https://smfed- dev.testqa.company.com/affwebservices/secure/secureredirect?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY& SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY& SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY& SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY& SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY& response_type=code&client_id=0001a8a8-397c-1a97-b5b2-9ae8ac149e7f&redirect_uri=https%3A%2F%2Ffusion-abc--ComSSO.cs50.company2.com%2Fservices%2Fauthcallback%2FFusionFull&scope= openid&state=CAAAAWJ04zAXME8wM0IwMDAwMDAwMDA2AAAA1CqbCF8y0QgPQlhjWhMisWidNmbkNYlDrGuLMDPBwlb9Uli- lqWhf_TQHH2kDrQCN3MJaZA5wAw6SoeKfxdLuxiOo5H1bbAfqOQtmpHwsbFxyHQkcULx__VnTI_qqxKEhbhuLh2wxD3y23q8OCdCopqJi _nQgBnhx6w5Z1_WlarEp7y_m6pKHgczpiLa01gde7QY2ruH_Iwx-639nATeA3EW_1454vYcU1L-yR3caHNAMpPSfYN3n-H6M_ZMxepW52gDh8uu 47474-3xj_NN3BI%3D&SMPORTALURL=DmGyoM0I1YMdUMDY6RyzXFOzpYmAvIjSmH2gXtiNMinTzwEHtjzSVbB%2FnVP4kusvhRzVuDqbzQ %2F4SOI3C26QzOtBhhJKtjn4F6fDogDugFpu3bqi74xh7z1LUbZKimYX]
Cause
The federation Authentication URL was not protected, causing a loop between Federated Web Services (FWS) and the Authentication URL. This will occur for any federation profile that leverages an Authentication URL. This looping will also occur if the session that a user receives upon requesting the Authentication URL is not valid for the FWS URL, such as would occur if the Authentication URL and FWS URL are in different cookie domains and no cookie provider is configured.
Environment
Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Resolution
Make sure the Authentication URL is a protected resource. Make sure the sessions generated from requesting the Authentication URL are valid for the FWS URL.
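The loop described above shows up in the log as a redirect URL that carries SMASSERTIONREF=QUERY many times over. The following is an added example, not CA/Broadcom code, that scans log lines for that signature. The sample lines, host names, and the threshold of two repeats are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Marker text taken from the log line shown in this article.
MARKER = re.compile(r"redirecting to authentication URL:\s*(\S+)")


def count_assertion_refs(url):
    """Return (host + path, number of SMASSERTIONREF parameters) for a redirect URL."""
    parts = urlsplit(url.rstrip("]"))  # the log message ends with a closing bracket
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    repeats = sum(1 for key, _ in pairs if key == "SMASSERTIONREF")
    return parts.netloc + parts.path, repeats


def find_redirect_loops(lines, threshold=2):
    """Flag redirect log lines that repeat SMASSERTIONREF at least `threshold` times.

    Assumption: a single SMASSERTIONREF is treated as a normal first redirect,
    and any repetition indicates the request has bounced back at least once.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = MARKER.search(line)
        if not match:
            continue
        target, repeats = count_assertion_refs(match.group(1))
        if repeats >= threshold:
            findings.append({"line": lineno, "target": target, "repeats": repeats})
    return findings


# Constructed sample log lines; hosts, IDs and parameters are placeholders.
BASE = "https://fed.example.test/affwebservices/secure/secureredirect?"
TAIL = "response_type=code&client_id=constructed-client&scope=openid]"
PREFIX = "[01/01/2020][10:00:0{}][1][2][txn-{}][AuthorizationService.java] [processAuthentication]"
SAMPLE = [
    PREFIX.format(1, "a") + "[redirecting to authentication URL: "
    + BASE + "SMASSERTIONREF=QUERY&" + TAIL,
    PREFIX.format(2, "b") + "[redirecting to authentication URL: "
    + BASE + "SMASSERTIONREF=QUERY&" * 4 + TAIL,
    PREFIX.format(3, "c") + "[Unrelated message with no redirect]",
]

if __name__ == "__main__":
    for hit in find_redirect_loops(SAMPLE):
        print("line {line}: {target} repeats SMASSERTIONREF x{repeats}".format(**hit))
```

Any hit after applying the resolution means requests are still bouncing between the Authentication URL and FWS, so recheck that the Authentication URL is protected and that its session is valid for the FWS URL.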