ELB healthcheck causing redirect loop Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Jeanne HoweJeanne Howe 

ELB healthcheck causing redirect loop

We are trying to set up JIRA to authenticate via Okta. We use AWS ELB and have a healthcheck that runs to ensure the app is available. The ELB looks for a return code of 200. Okta returms a 302 (redirect). The healthcheck looks for <JIRA base url>/status. This url does not require authentication, so why is Okta trying to redirect the healthcheck?
Wils DawsonWils Dawson (Okta, Inc.)
Hi Jeanne,

Is the ELB healthchecking Okta or JIRA? You said "Okta returns a 302 redirect" so it sounds like your ELB might be going through Okta to check the JIRA app. It seems like it should be checking JIRA directly, not going through Okta. If you're trying to healthcheck the JIRA app through Okta, you'll get a 302 redirect to JIRA. So that would be the first thing I'd ensure (the ELB is checking JIRA directly).

If that's already the case, JIRA (or some other system that intercepts the healthcheck) would be redirecting to Okta with a 302. If that's the case, it sounds like JIRA is configured to authenticate a user that tries to hit that endpoint, or something else is intercepting the request and kicking it back to Okta for authentication. For confirmation, can you provide the Okta url that's in the 302 from JIRA?

Jeanne HoweJeanne Howe
The ELB checks JIRA directly, it should not be going thorugh Okta. Here is the write-out to the log file:
2015-12-08 15:47:36,807 http-bio-8080-exec-2 INFO anonymous 947x22x22 - /status [jira.authenticator.okta.OktaJiraAuthenticator] User wasn't fou
nd not in session, nor in assertion, redirecting to: https://mhe.oktapreview.com/app/jira_onprem/exk51bvii8MdvN1hw0h7/sso/saml?RelayState=https%3A%2F%2Fjir
I think the issue is in the way Okta was configure. It is configured to use the <JIAR base url>. I beleave it should be configured to use the <JIRA base url>/secure/Dashboard.jspa
Wils DawsonWils Dawson (Okta, Inc.)

Yes that thought is probably correct. Looks like JIRA is expecting a valid session for the /status endpoint. I'm not sure how JIRA can be configured to exclude that endpoint and whether or not it's on the Okta side or the JIRA side, but someone else in the community may be able to help you there. I believe the configuration change will need to be made in JIRA, but am not familiar with that interaction specifically.

Thanks and good luck,