Request Looping Between Authentication URL and Federation URL

Article Id: 75133
Status: Published
Updated On: 05-04-2018 17:12
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On CA Single Sign-On
Issue/Introduction:

When I try to initiate an OpenID Connect session, I receive a Browser error that says too many redirects. The logs show the following:

[03/29/2018][20:57:49][6762][140511575152384][120cd330-a359313a-b0216797-dbd47d46-4a765a0a-f861][AuthorizationService.java]
[processAuthentication][OpenIDConnect Authorization Service Service redirecting to authentication URL: https://smfed-
dev.testqa.company.com/affwebservices/secure/secureredirect?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&
SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&
SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&
SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&
SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&
response_type=code&client_id=0001a8a8-397c-1a97-b5b2-9ae8ac149e7f&redirect_uri=https%3A%2F%2Ffusion-abc--ComSSO.cs50.company2.com%2Fservices%2Fauthcallback%2FFusionFull&scope=
openid&state=CAAAAWJ04zAXME8wM0IwMDAwMDAwMDA2AAAA1CqbCF8y0QgPQlhjWhMisWidNmbkNYlDrGuLMDPBwlb9Uli-
lqWhf_TQHH2kDrQCN3MJaZA5wAw6SoeKfxdLuxiOo5H1bbAfqOQtmpHwsbFxyHQkcULx__VnTI_qqxKEhbhuLh2wxD3y23q8OCdCopqJi
_nQgBnhx6w5Z1_WlarEp7y_m6pKHgczpiLa01gde7QY2ruH_Iwx-639nATeA3EW_1454vYcU1L-yR3caHNAMpPSfYN3n-H6M_ZMxepW52gDh8uu
47474-3xj_NN3BI%3D&SMPORTALURL=DmGyoM0I1YMdUMDY6RyzXFOzpYmAvIjSmH2gXtiNMinTzwEHtjzSVbB%2FnVP4kusvhRzVuDqbzQ
%2F4SOI3C26QzOtBhhJKtjn4F6fDogDugFpu3bqi74xh7z1LUbZKimYX]

Cause:

The federation Authentication URL was not protected, causing a loop between Federated Web Services (FWS) and the Authentication URL.  This will occur for any federation profile that leverages an Authentication URL.  This looping will also occur if the session that a user receives upon requesting the Authentication URL is not valid for the FWS URL, such as would occur if the Authentication URL and FWS URL are in different cookie domains and no cookie provider is configured.

Environment:

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:

Resolution:

Make sure the Authentication URL is a protected resource.  Make sure the sessions generated from requesting the Authentication URL are valid for the FWS URL.