Configuring an app to use secure single sign-on is a reasonably complex thing, so problems will inevitably arise. Fortunately, they’re usually quite simple to fix once you know what symptoms to look for.
I sign in, and the browser gets caught in a redirect loop between my app and Web sign-on.
This means that Web sign-on thinks you’re signed in, but your app thinks you’re not, so they are passing responsibility to each other indefinitely. Web sign-on generally knows best, so the likely cause is your app not seeing the cookies that have been created. Before starting, clear any cookies for warwick.ac.uk, websignon.warwick.ac.uk, and your app hostname.
- Check your application logs first. They may have an error. It may be an error due to an expired certificate, in which case you need to update your keystore with a renewed certificate (which you can get from ITS Web Team). Read the pages below Certificates and Keys to see how to check your certificates in both your Apache config (for HTTPS) and your keystore (used for new-mode SSO).
- Check in your sso-config.xml. Do the cookie domain and path match your application? If not, it won’t be able to see the cookies created.
- In rarer cases, check the login URL. For "old" mode this should use /slogin, but for "new" mode it should use /hs.
- If it’s a test box, you might be using websignon-test, though generally you don’t need to. If that’s the case, check that you’re using it in both the sso-config and the system properties for userlookup. If only one of them use websignon-test they’ll get very confused between them. Delete cookies for either websignon server before trying again.
I sign in, but immediately redirects back to a permission denied page.
This is generally for the same reasons as those above, except in certain circumstances Web sign-on will stay on the login page rather than send you back to the application. The solution tends to be the same though.
I can’t log out of my new-mode app.
When the user requests Websignon’s logout URL, Websignon goes through each of the application sessions that it knows about and makes a request to that app’s logout servlet. If there’s a problem making this request, then your app won’t notice that it’s logged out. It’s usually a problem with the SSL setup for your logout URL.