Prompt Details
Model: claude-4-6-sonnet
Token size: 471
Example input
[e.g. SAML 2.0, OAuth 2.0, OIDC, SSO,
Active Directory Federation]: SAML 2.0
[e.g. "redirect loop after login",
"SAML assertion rejected", "token expired error",
"user not provisioned after SSO login"]: Redirect loop after login
[CRITICAL]: Critical
Example output
CASE 01
SAML 2.0 — Redirect Loop After Login
protocol: SAML 2.0
symptom: Redirect loop after login
1. Issue Summary
A SAML redirect loop typically occurs when the Service Provider (SP) either cannot validate the assertion returned by the Identity Provider (IdP) or cannot persist the session it creates from it, and so re-initiates the authentication request. Because the IdP still holds a live session for the user, it re-issues the assertion without prompting, and the browser bounces between the two sides indefinitely. The most likely root causes are a misconfigured Assertion Consumer Service (ACS) URL or clock skew between IdP and SP that exceeds the SP's allowed tolerance.
2. Most Likely Causes
ACS URL mismatch — The ACS URL in the IdP config doesn't exactly match the SP's registered endpoint.
Clock skew — Time difference between IdP and SP servers exceeds the tolerance the SP applies when evaluating the assertion's NotBefore/NotOnOrAfter conditions.
Missing session cookie — Browser is blocking the SP's state or session cookie, so the SP loses track of the login it started and begins again.
Binding mismatch — IdP delivers the Response with a binding the SP's ACS endpoint does not accept (for example HTTP-Redirect where the SP only accepts HTTP-POST, the usual binding for responses).
3. Step-by-Step Diagnostic
1. Capture the SAML assertion in transit
   Browser: SAML Tracer extension or Chrome DevTools → Network tab
   Look for the SAMLResponse value and inspect the XML. With the HTTP-POST binding the value is plain Base64; with the HTTP-Redirect binding it is URL-encoded, Base64 and DEFLATE-compressed, so it must be inflated before it reads as XML.
2. Verify ACS URL in IdP matches SP metadata
   IdP admin console → Application settings → ACS URL field
   Must match exactly, including trailing slash and protocol (https). Compare it with the Destination attribute of the captured Response and the Recipient attribute of SubjectConfirmationData, which is where the SP performs the check.
3. Check server time synchronization
   Both IdP and SP servers: run ntpstat or timedatectl
   The SAML specification sets no fixed tolerance; it only recommends allowing a few minutes of skew, and SP libraries typically default to 2 to 5 minutes. Keep the drift well below whatever the SP is configured to accept.
4. Inspect browser cookie behavior
   Chrome DevTools → Application → Cookies
   Verify that the cookie the SP set before redirecting to the IdP (request ID / RelayState) is sent back with the IdP's cross-site POST to the ACS, and that the session cookie is set afterwards. A SameSite=Lax or Strict cookie can be withheld on that POST, after which the SP treats the login as unknown and restarts it.
5. Review IdP application logs for assertion errors
   Okta System Log / Azure AD Sign-in Logs / ADFS Event Viewer
   Filter by user and timestamp; look for SAML validation failure codes
4. Solution Checklist
[CRITICAL] Correct ACS URL in IdP to exactly match SP metadata endpoint
Sync NTP on both IdP and SP servers — verify with ntpstat
Update SP session cookie to SameSite=None; Secure for cross-origin SSO
Align SAML binding configuration — HTTP-POST on both sides
Re-export and re-import SP metadata in IdP after any URL change
5. Prevention
🔒 Use dynamic SP metadata exchange instead of manual URL entry to prevent ACS mismatches.
🕐 Configure NTP monitoring alerts on IdP and SP — alert if clock drift exceeds 2 minutes.
📋 Document and version-control all SAML configuration settings — review on every SP or IdP update.
6. Useful Commands / Tools
SAML Tracer (Firefox/Chrome extension): captures and decodes SAML requests/responses in real time; the essential first step
timedatectl status: checks NTP sync status on Linux IdP/SP servers
base64 -d saml_response.txt | xmllint --format - : decodes and formats a raw HTTP-POST SAMLResponse for manual inspection (a value captured from the HTTP-Redirect binding must also be URL-decoded and inflated before it is readable)
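Steps 1 to 3 of the diagnostic and the decode one-liner above, as an added Python example (not part of the prompt's example output): it reverses either SAML binding to recover the Response XML, compares Destination and Recipient against the SP's expected ACS URL, and evaluates the Conditions window with a configurable skew allowance. The SP URL, the 5-minute skew and the sample response are constructed for illustration, and the sample deliberately carries the trailing-slash mismatch that step 2 warns about.

```python
"""Decode a captured SAMLResponse and apply the ACS and clock checks.

Added example, not part of the original prompt output. The SP URL, skew
allowance and the sample response below are constructed for illustration.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample. Destination and Recipient carry a trailing slash; the
# SP in the demo registered its ACS without one, which an SP rejects.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.com/saml/acs/">'
    '<saml:Issuer>https://idp.example.com</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">'
    '<saml:Issuer>https://idp.example.com</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs/" '
    'NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>'
    '<saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
)

def encode_post(xml_text):
    """HTTP-POST binding: the SAMLResponse form field is plain Base64."""
    return base64.b64encode(xml_text.encode()).decode()

def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), Base64, URL-encoded."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")

def decode_saml_response(raw, binding="POST"):
    """Reverse either binding and return the Response XML as text."""
    if binding == "Redirect":
        data = zlib.decompress(base64.b64decode(urllib.parse.unquote(raw)), -15)
    else:
        data = base64.b64decode(raw)
    return data.decode()

def _saml_time(value):
    # SAML timestamps are UTC xsd:dateTime with a trailing Z, which
    # fromisoformat does not accept before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def utc(hour, minute):
    """Constructed SP clock reading on 1 May 2024, for the demo and tests."""
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)

def check_response(xml_text, expected_acs, now, skew=timedelta(minutes=5)):
    """Return a list of findings; an empty list means every check passed.

    Window rule, as an SP applies it: NotBefore - skew <= now < NotOnOrAfter + skew.
    """
    root = ET.fromstring(xml_text)
    findings = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value", "") if code is not None else ""
    if not value.endswith(":Success"):
        findings.append(f"IdP status is not Success: {value or 'missing'}")
    dest = root.get("Destination")
    if dest != expected_acs:
        findings.append(f"Destination {dest!r} does not match expected ACS {expected_acs!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion (encrypted or missing); Conditions not checked")
        return findings
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, expected_acs):
        findings.append(f"Recipient {scd.get('Recipient')!r} does not match expected ACS")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _saml_time(nb):
            findings.append(f"NotBefore {nb} is more than {skew} in the future; check SP clock")
        if noa and now - skew >= _saml_time(noa):
            findings.append(f"NotOnOrAfter {noa} passed more than {skew} ago; check SP clock")
    return findings

if __name__ == "__main__":
    captured = encode_post(SAMPLE_XML)  # what SAML Tracer shows for a POST binding
    xml = decode_saml_response(captured)
    for finding in check_response(xml, "https://sp.example.com/saml/acs", utc(12, 3)):
        print("FINDING:", finding)
```

Run against a real capture, paste the SAMLResponse value into `decode_saml_response` with the binding you observed and the ACS URL from your SP metadata; a Destination or Recipient finding points at step 2, a NotBefore or NotOnOrAfter finding at step 3. Signature verification is deliberately out of scope here, since it needs the IdP certificate from metadata and an XML-DSig library.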
Diagnose and fix any SSO, SAML, OAuth, or OIDC authentication issue in minutes. Get a structured root cause analysis, step-by-step diagnostic, solution checklist, and prevention guide — written for IAM engineers.
Added 2 days ago
