DataShades / ckanext-saml2

SAML2 Authentication extension for CKAN

ckan login redirect loop #101

Closed sevenpvn closed 5 years ago

sevenpvn commented 6 years ago

Hi, we are running CKAN 2.7.2 and trying to use ckanext-saml2 .0.3.0. We are running into an issue with saml2 enabled: clicking on login creates a redirect loop. I don't see anything in the logs that would explain this behavior. Any help troubleshooting this issue would be greatly appreciated.

Thanks

mattcen commented 6 years ago

Hi there,

In the sp_config file, ensure that you've set loglevel to debug (it's set to error by default), then take a look at the log at the filename you've specified there after you've created a redirect loop (you may need to restart CKAN to remove any cached auth results and get useful error messages).

That will hopefully give you a better idea of what the problem is. When I had this redirect loop problem recently, I think ckanext-saml2 was throwing an InvalidNameIDPolicy error because it was using "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", where the other end (ADFS) wasn't configured to use a transient nameIdFormat; once that was fixed at the other end, auth started to work.

Good luck, and let us know how you go!

sevenpvn commented 6 years ago

Hi, thanks for the reply. I tried your suggestion and enabled debug; I see it create the log file in /tmp but it's empty. It seems like it's not being invoked. I see this in the Apache log: [ckanext.saml2] REMOTE_USER = "" [ckanext.saml2] Ignoring REMOTE_USER

Do I need to tweak any auth settings?

sevenpvn commented 6 years ago

Getting a bit closer. I found this issue #96 and it was able to help me out. The docs say to copy who.ini to /etc/ckan, but I guess in my case it should be added in /etc/ckan/default. Also, regarding sid_store and identity_cache, it should be /tmp/sid_store and /tmp/identity_cache since /tmp/default doesn't exist or get created.

ulince commented 5 years ago

@sevenpvn Were you able to resolve the issue? I'm seeing the same behaviour with the redirect loop.

sevenpvn commented 5 years ago

@ulince Not yet. The first issue was adding the who.ini changes in /etc/ckan/default/who.ini; with that I was able to get closer. Still troubleshooting the other issues.

mattcen commented 5 years ago

Hi, and sorry for the delay. Are you still trying to debug this? If so, perhaps you could share the debug logs (eliding any secret information) so we can take a look? I'm still finding my way around this code myself, so may not be much help, but I can give it a shot.
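The two concrete findings in this thread (mattcen's advice to raise the sp_config loglevel to debug before chasing the loop, and sevenpvn's discovery that the log file stayed empty because sid_store, identity_cache and the log path pointed under a /tmp/default directory that was never created) can be turned into a small pre-flight check. The script below is an added example and is not code from the ckanext-saml2 project or from anyone in this thread. It assumes the pysaml2-style CONFIG layout (logger -> loglevel and logger -> rotation -> filename) and the who.ini keys sid_store and identity_cache under a [plugin:saml2auth] section; confirm those names against your own sp_config.py and who.ini before relying on the output. The sample config and who.ini text are constructed to reproduce the misconfiguration described above.

```python
"""Pre-flight check for a ckanext-saml2 deployment (added example, not project code).

Assumptions (verify against your own files):
  * sp_config.py exposes a pysaml2-style dict with logger.loglevel and
    logger.rotation.filename
  * who.ini has a [plugin:saml2auth] section with sid_store and identity_cache
"""
import configparser
import os

# Constructed sample mirroring the thread: loglevel still at the default "error"
# and every state/log path pointing under /tmp/default, which never gets created.
SAMPLE_SP_CONFIG = {
    "logger": {
        "loglevel": "error",
        "rotation": {"filename": "/tmp/default/saml2.log", "maxBytes": 100000, "backupCount": 5},
    },
}

SAMPLE_WHO_INI = """
[plugin:saml2auth]
use = ckanext.saml2.plugin:make_plugin
saml_conf = /etc/ckan/default/saml2
sid_store = /tmp/default/sid_store
identity_cache = /tmp/default/identity_cache
"""


def check_sp_config(config, isdir=os.path.isdir):
    """Return findings about the logger block; isdir is injectable for tests."""
    findings = []
    logger = config.get("logger", {})
    level = str(logger.get("loglevel", "error")).lower()
    if level != "debug":
        findings.append(f"sp_config loglevel is '{level}'; set it to 'debug' while troubleshooting")
    filename = logger.get("rotation", {}).get("filename")
    if not filename:
        findings.append("sp_config logger has no rotation.filename; nothing will be written")
    elif not isdir(os.path.dirname(filename)):
        findings.append(
            f"log directory {os.path.dirname(filename)} does not exist; "
            "the log file will stay empty or fail to open"
        )
    return findings


def check_who_ini(text, isdir=os.path.isdir, section="plugin:saml2auth"):
    """Return findings about the state-store paths in who.ini."""
    parser = configparser.ConfigParser(delimiters=("=",))
    parser.read_string(text)
    if not parser.has_section(section):
        return [f"who.ini has no [{section}] section; the saml2auth plugin is not wired in"]
    findings = []
    for key in ("sid_store", "identity_cache"):
        path = parser.get(section, key, fallback=None)
        if path is None:
            findings.append(f"who.ini [{section}] lacks {key}")
            continue
        parent = os.path.dirname(path)
        if not isdir(parent):
            findings.append(f"{key} points under {parent}, which does not exist")
    return findings


def run_checks(config, who_ini_text, isdir=os.path.isdir):
    """Combine both checks; an empty list means nothing obvious is wrong."""
    return check_sp_config(config, isdir) + check_who_ini(who_ini_text, isdir)


if __name__ == "__main__":
    # Against a real host, replace the samples with the imported CONFIG dict
    # and the contents of /etc/ckan/default/who.ini.
    for finding in run_checks(SAMPLE_SP_CONFIG, SAMPLE_WHO_INI):
        print("-", finding)
```

The `isdir` parameter exists so the check can be exercised without touching the filesystem; in production leave it at the default so it reports on the real directories. An empty result does not prove the IdP side is right (the transient NameID policy mismatch mattcen mentions lives at the IdP), but it rules out the local reasons for an empty debug log before you start reading it.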