Symantec Access Management

Hello Experts,

For some applications, we are getting infinite redirect after entering the credentials.

We can see, its redirecting to cookie provider and smsession is getting generated.

smsession is later appended with application's domain as well, However its keep redirecting to the target page but never reaches, finally browser throws the error message : "

"application" redirected you too many times.

"

I can see in the smaccess.log that user is getting authenticated and authorized successfully.

Hello - 

Are you using a mix of HTTP and HTTPS in the environment? 

for example...
Let's say App1 with agent one redirects to a different agent functioning as a credential collector. 

App1 is HTTP
the credential collector serving the authentication scheme is HTTPS. 

If you have "usesecurecookies" = yes on the credential collector agent, then when the SMSESSION cookie is set, it's set with secure=true. 

When that happens it not transited to on the non-secure transaction (HTTP) to App1. 

Then the authentication process restarts; thus the loop. 

Another possible cause is that the the user is "Authenticated" via the authentication scheme, but not Authorized by policy, thus a loop. 

However, this is just two possible causes. 

A review of the following would be required to indentify the actual cause. 

• Fiddler Trace or similar. 
• Agent Log
• SMPS Trace logs  

I hope this helps. 

-James 

SSO Support 

Thanks for the reply James.

I can see that user is authenticated as well as authorized hence its cant be because of that.

For First possibility, usesecurecookies is not set as yes as we can see the trace that smsession cookie's secure flag is not set.

Hi,

Are you testing with IE browser?

Do you see the same behavior when using other browsers like Chrome or Firefox?

If this is happening only with IE browser then the security zone setting in IE may causing looping behavior as well.

If you have siteA as trusted zone and siteB as Internet zone, IE uses separate memory space to store the cookies.

So, when IE visit the site in Internet Zone, the cookie would not be submitted.

If you have fiddler trace, try and see if the SMSESSION cookie is  being submitted or not when the browser is being redirected.

If IE is not submitting the SMSESSION cookie then you can check from fiddler what is the PID(ProcessID of iexplorer.exe) column and see if it has a different one than the one visiting the trusted zone.

If the cookie is indeed being submitted then try to look into your smaccess.log and see if it tells why the browser is being redirected.

Regards,

Kim

Thanks Kim.

I have tested on all 3 broswers and result remains the same. If I look at the traces then it tells smsession cookie is getting submitted and again its redirecting to the login page

Make sure that you do NOT have the CookieProvider parameter set for the ACO that is loaded by the web server that is actually providing the cookie provider functionality. That might cause a loop as it redirects to itself.

Satyendra, 

If you like, you can create a new support case. 

That way SSO Support can assist in reviewing agent trace logs and a fiddler trace. 

If that is what you want to do, you can  reference this thread in the case you create. 

Kind Regards,
James

Thanks all.

it has been resolved. It was ultimately an error on Application side.

Thank you all for your inputs

That's great to hear it's resolved. 

Thanks for letting us know.