
List:       shibboleth-users
Subject:    [Shib-Users] IE 8 and lower redirect problem
From:       "Schrader, John A" <john.schrader () vsc ! edu>
Date:       2011-04-27 17:39:55
Message-ID: 0EE61BD000A6C34BA07052F0C1B443BD55095589F3 () ex2007-mbx1 ! vsc ! edu

I am having a very specific redirect issue pertaining to IE 8 and lower.

Environment:
Shib IDP 2.2.1  --> debian
CAS 3.4.3 --> debian
ADFSv2 --> pure STS using Shibboleth as the IdP.
SharePoint2010 --> Claims against ADFSv2


Use case:
User logs into CAS secured webapp (auth OK)
User then goes to SharePoint2010 --> ADFSv2 --> Shibboleth
                1. Shibboleth redirects to CAS (already authenticated)
                2. CAS redirects back to Shibboleth with service ticket and the process stops with:
##Internet Explorer cannot display the webpage ###

The last thing I see in idp-process.log is:

12:46:59.526 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:169] - Redirecting user to profile handler at https://{host}.vsc.edu:443/idp/profile/SAML2/Redirect/SSO

The last response as seen with Fiddler is to /idp/Authn/RemoteUser with a location header of https://{host}.vsc.edu:443/idp/profile/SAML2/Redirect/SSO

Now if the user refreshes (F5), the browser process continues and is redirected to ADFSv2 and then on to SharePoint2010.

I cannot reproduce this behavior with IE9, FF, Chrome, or Safari.

The SharePoint2010 --> ADFSv2 --> Shibboleth --> CAS and back again dance works as expected when the user accesses SharePoint2010 via ADFSv2 first.

In every other scenario I've tested, authentication works as expected.

My hunch is that this is either an ADFSv2 --> Shibboleth misconfiguration or purely a browser problem.
I'm out of my own ideas.

-John


