Tags: saml-2.0, simplesamlphp, okta

Infinite Redirect with OKTA


I have a simple PHP application which displays a form for user onboarding. I used SimpleSAMLphp as the SP and Okta as the IdP. I get an infinite redirect when I access the URL of the application. These are my settings in Okta:

My application's URL is: http://service.example.com/Analytics/ui/onboard.php. The same URL is set for PostBack URL, Destination, Recipient and Audience Restriction. On the SP side I have this piece of code:

    <?php
    // Load the SimpleSAMLphp autoloader, then require authentication via the 'default-sp' authsource.
    require_once('/Applications/XAMPP/xamppfiles/htdocs/simplesamlphp/lib/_autoload.php');
    $as = new SimpleSAML_Auth_Simple('default-sp');
    $as->requireAuth();

Is there something that I am missing?


Solution

  • It's confusing, I know. What you need to do is use special SimpleSAMLphp URLs for the SAML configuration of your application.

    In particular, the URLs that you use in Okta will need to point to specific SimpleSAMLphp URLs.

    Here is a screenshot of how I have SimpleSAMLphp configured in Okta: [Screenshot of the SAML settings page in Okta]

    In this example, the URL for the "Single sign on URL" ends in simplesamlphp/www/module.php/saml/sp/saml2-acs.php/example and the URL for the "Audience URI (SP Entity ID)" ends in simplesamlphp/www/module.php/saml/sp/metadata.php/example. These URLs will be specific to where you installed SimpleSAMLphp on your web server.

    Note that these URLs both point to SimpleSAMLphp endpoints and that they are nearly the same URL, except that one points to saml2-acs.php and the other points to metadata.php. In both of these examples, the string "example" refers to the string you used to configure the SAML IdP in the config/authsources.php file, and by extension, the metadata/saml20-idp-remote.php file.

    The "Default RelayState" field is where you will want to enter in the URL for your PHP code, that is, the file you wrote that includes SimpleSAMLphp. This is where you will want to put your http://service.example.com/Analytics/ui/onboard.php URL.

    Configuring SimpleSAMLphp

    I found that adding configuration to the config/authsources.php and metadata/saml20-idp-remote.php files in SimpleSAMLphp was overly complicated, so I wrote some code to make that configuration a little bit easier. This code, and instructions for using it, are available on GitHub here: https://github.com/jpf/okta-simplesamlphp-example
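The answer above boils down to three values that must agree with each other: Okta's "Single sign on URL" must be SimpleSAMLphp's ACS endpoint for the authsource, Okta's "Audience URI" must equal the `entityID` of that same authsource, and the application's own URL belongs only in "Default RelayState". The following is an added example, not code from the original post or from the jpf/okta-simplesamlphp-example repository, showing one way to keep those values consistent from a single base URL and authsource name. The base URL `https://service.example.com/simplesamlphp/www`, the Okta entity ID, SSO URL and certificate are placeholders; the authsource name `example` and the application URL are taken from the thread.

```php
<?php
// Added example (not part of the original post). Placeholders below are marked
// PLACEHOLDER and must be replaced with the values from your own Okta application.

// Where SimpleSAMLphp's www/ directory is served (assumed value).
$baseUrl    = 'https://service.example.com/simplesamlphp/www';
// The authsource name; it is the last path segment of both Okta-side URLs.
$authSource = 'example';
// The application page that calls requireAuth(); goes into "Default RelayState" only.
$appUrl     = 'http://service.example.com/Analytics/ui/onboard.php';

/**
 * Derive the three values to paste into Okta from the base URL and authsource name,
 * so that the ACS URL and Audience URI can never drift apart.
 */
function oktaSettings(string $baseUrl, string $authSource, string $appUrl): array
{
    $spBase = rtrim($baseUrl, '/') . '/module.php/saml/sp/';
    return [
        'Single sign on URL'           => $spBase . 'saml2-acs.php/' . $authSource,
        'Audience URI (SP Entity ID)'  => $spBase . 'metadata.php/' . $authSource,
        'Default RelayState'           => $appUrl,
    ];
}

$okta = oktaSettings($baseUrl, $authSource, $appUrl);

// --- config/authsources.php ---------------------------------------------
// The array key is the authsource name used in the URLs above and in
// new SimpleSAML_Auth_Simple('example') on the application page.
$config = [
    $authSource => [
        'saml:SP',
        // Must match Okta's "Audience URI (SP Entity ID)" character for character.
        'entityID' => $okta['Audience URI (SP Entity ID)'],
        // Entity ID of the Okta IdP, as shown in the IdP metadata Okta generates (placeholder).
        'idp'      => 'http://www.okta.com/PLACEHOLDER_IDP_ENTITY_ID',
        'discoURL' => null,
    ],
];

// --- metadata/saml20-idp-remote.php ---------------------------------------
// Keyed by the same IdP entity ID referenced by 'idp' above.
$metadata['http://www.okta.com/PLACEHOLDER_IDP_ENTITY_ID'] = [
    'entityid' => 'http://www.okta.com/PLACEHOLDER_IDP_ENTITY_ID',
    'SingleSignOnService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            // Okta's "Identity Provider Single Sign-On URL" (placeholder).
            'Location' => 'https://PLACEHOLDER.okta.com/app/PLACEHOLDER/sso/saml',
        ],
    ],
    // Base64 DER of the Okta signing certificate, without PEM headers (placeholder).
    // Without this, SimpleSAMLphp cannot verify the assertion signature.
    'certData' => 'PLACEHOLDER_BASE64_X509_CERTIFICATE_FROM_OKTA',
];

// Print the values to paste into the Okta SAML settings page.
foreach ($okta as $field => $value) {
    echo str_pad($field, 30) . ' = ' . $value . PHP_EOL;
}
```

Pointing Okta's ACS and Audience at the application page itself (as in the question) means the SAML response is posted to `onboard.php`, which only calls `requireAuth()` and so redirects to the IdP again; with the values above, the response is posted to `saml2-acs.php`, SimpleSAMLphp establishes the session, and only then is the browser sent on to the RelayState URL.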