
Shibboleth Embedded Discovery Service creates endless loopback to itself


I have searched only for many hours trying to find an answer but cannot. I have an up-to-date version of Shibboleth working on my RedHat el6.x86_64 proxy server. (SELinux is in permissive mode.) I have a Service Provider set up.

It works well with a particular default IdP. However, when I add the Embedded Discovery Service so that users can select one of two IdPs, there is a problem I cannot get past:

The user types the resource and gets redirected to the discovery page. They select the IdP they want. They log into that IdP without a problem. After submitting their authentication to the IdP, the user gets redirected to the correct resource but THEN ALWAYS GETS IMMEDIATELY redirected back to the discovery page. In the Apache logs I see that the authentication credentials from the IdP were good.

I've looked extremely closely at the Apache configuration and do not have the redirect in there. All I have is this below for my resource as well as the default /etc/httpd/conf.d/shibboleth-ds.conf and /etc/httpd/conf.d/shib.conf files.

    Order allow,deny
    Allow from all
    AuthType Shibboleth
    require valid-user
    ShibUseHeaders On
    Require shibboleth

In my shibboleth2.xml file I definitely did exactly as the Shibboleth Embedded Discovery Service instructions say. Every tag is in place. I also tried different parameters within the shibboleth-ds/idpselect_config.js but that didn't help. Can someone please give me some guidance? Thank you.


Solution

  • The checkIP and consistentIP settings needed to be adjusted.
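
The Shibboleth SP configures its client-address checks with the `checkAddress` and `consistentAddress` attributes of the `<Sessions>` element in shibboleth2.xml, and both default to true when absent. The script below is an added example, not code from the original post or from the Shibboleth project; it reports the effective values so they can be reviewed on a host that sits behind a proxy. The sample configuration, hostnames and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed shibboleth2.xml, not the asker's file.
SAMPLE_CONFIG = """\
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="true"
              handlerSSL="true" cookieProps="https">
      <SSO discoveryProtocol="SAMLDS"
           discoveryURL="https://sp.example.org/shibboleth-ds/index.html">SAML2</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
"""

# SP defaults that apply when the attribute is missing from <Sessions>.
DEFAULTS = {"checkAddress": True, "consistentAddress": True}


def session_address_checks(xml_text):
    """Return the effective address checks for each <Sessions> element."""
    results = []
    for elem in ET.fromstring(xml_text).iter():
        # Compare the local name only, so any SP config namespace matches.
        if elem.tag.rsplit("}", 1)[-1] != "Sessions":
            continue
        effective = {}
        for name, default in DEFAULTS.items():
            raw = elem.get(name)
            effective[name] = default if raw is None else raw.strip().lower() in ("true", "1")
        results.append(effective)
    return results


def proxy_warnings(xml_text):
    """List enabled checks that reject a session when the client address seen by the SP differs."""
    warnings = []
    for i, checks in enumerate(session_address_checks(xml_text)):
        for name, enabled in checks.items():
            if enabled:
                warnings.append(f"Sessions[{i}]: {name} is enabled")
    return warnings


if __name__ == "__main__":
    for line in proxy_warnings(SAMPLE_CONFIG):
        print(line)
```

Both checks bind a session to the client address, so relax only the one the proxy setup actually breaks and keep the other enabled.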