AWS EC2 Server in Proxy config, OKTA SSO goes into infinite loop Skip to main content
https://support.okta.com/help/answers?id=9060z000000789tqaa&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Julio MartinezJulio Martinez 

AWS EC2 Server in Proxy config, OKTA SSO goes into infinite loop

Hello, and thanks.
Sure thing.
We are trying to get SSO active on one of our custom built websites.
Let me give you some info on how it’s setup so that you can get an underlying understanding on our problem.
All of our hosting is on AWS ( Amazon ) EC2 servers.

We have a proxy server that uses name based addressing to send you to the correct end destination.
It uses Apache and the VirtualHost protocol.
The site we want to secure lives on a separate server that we call the “Subdomain Server”.
This server hosts many subdomains. 

All of them are linux based using PHP, MySQL and Apache.

The Proxy server looks at the subdomain in the URL request, and then parses out the correct subdomain server through private IP connections behind Amazons AWS firewall.
There are no direct connections to any of the subdomains without going through the proxy server.
The subdomain server is setup to deny any direct attempts to connect to it.

Also Amazon does not allow any connections to the Private IPs of any Server.

All servers have Elastic IPs associated with them. These IP addresses are assigned outside of the Virtual EC2 server itself.
So the server would have no idea what is public facing IP address would be.
What that means is that if a server were to reboot, it would not loose the public IP it was bound to.
If we did not do that, every time a server reboots, it would automatically get a new IP and that is a problem.

So from what I can tell, the SSO system generates a “RelayState” with a return path to the script that has called it.
The problem we are having is that when an attempt to login happens, it first goes to Okta successfully.
Okta asks to send the login creds, we click “Send” and then it enters an infinite loop of redirects.
When we stop it and look at the address (URL) string, we notice that it is grabbing the Private IP of the subdomain server and sending the full path of the script in question starting with a full root path. This will not work because Amazon blocks all attempts to access a server via the Private IPs of any server.
Also the full path is not the path it should be sending out since it is completely ignoring the proxy server and it's method for producing a correct viable url to the script in question.

Sorry, I know that’s a lot of info.
My questions are below.

Question #1: Does Okta work with proxy server configurations like what we have?
If NO: Should we setup a dedicated server with it’s own unique dedicated URL and Elastic IP?
If YES to this: How do we get around the software grabbing the Private IP of the server and not using the elastic IP?

Question #2: Is there a way to setup the software to send out the correct information without entering into the Infinite redirect loop?
Meaning that it should send out the correct URL where the script lives, taking into account that it cannot be IP based and that it sends the correct path to the script?
Darron HellmannDarron Hellmann (Okta)
Hi Julio

This is a lot of great information and an interseting use case. My recommendation is to open a support ticket so that we can efficiently track and assist you with your request. Unfortunately, there are quite a few moving pieces to consider and a support ticket would be the best platform for an enriched conversation. We look forward to discussing your use case.