SSO Redirect Loop
Overview
This guide helps customers diagnose and resolve SSO login redirect loop issues when using Microsoft Azure, Google Workspace, or Okta for authentication.
Step 1: Verify Redirect URIs
Incorrect redirect URIs are a common cause of SSO loops.
Azure: Go to Azure AD > Enterprise Applications > [Your Application] > Authentication.
Google: Go to Google Admin Console > Security > Set up single sign-on (SSO).
Okta: Go to Okta Admin > Applications > [Your App] > Sign On.
Ensure the redirect URI matches exactly what is expected, as documented in the Quilt technical reference. This includes:
Case sensitivity (Azure and Okta are case-sensitive!)
Proper
https://schemeTrailing slashes (if required)
Double-check the Logout URL, as incorrect values can cause infinite redirects.
Step 2: Review SSO Provider Sign-In Logs
SSO provider logs can help pinpoint misconfigurations.
Azure: Navigate to Azure AD > Enterprise Applications > [Your Application] > Sign-In Logs.
Google: Go to Google Admin Console > Reports > Audit > SAML.
Okta: Go to Okta Admin > System Log.
Look for failed sign-ins and error codes:
AADSTS50011 (Azure): Redirect URI mismatch.
AADSTS50008 (Azure): Invalid token signature.
AADSTS50105 (Azure): User is not assigned to the app.
403 or 400 errors (Google/Okta): Often indicate incorrect redirect URIs or token issues.
Step 3: Inspect Browser Network Requests
Use browser DevTools (F12) to examine the authentication flow:
Open the Network tab before attempting to log in.
Filter requests by
sso,redirect, orlogin.Look for repeated requests to the same URL, indicating a loop.
Click on the Request/Response Headers to check error messages.
Step 4: Verify Token Claims (SAML or OIDC)
Incorrect claims or missing attributes can cause authentication failures.
If using SAML, use SAML-tracer (Firefox) or Fiddler to inspect assertions.
Ensure the issuer (iss) and audience (aud) claims match what the application expects.
Step 5: Collect CloudWatch Logs for ECS
Follow the usual troubleshooting steps to collect the ECS logs for the registry service:
Look for authentication-related errors or unexpected redirects.
Verify that the expected redirect URIs are being returned.
Common Fixes
Redirect loop after login
Verify redirect URIs and logout URL in Azure/Google/Okta
Authentication fails silently
Check SSO provider logs for error codes
Incorrect token claims
Ensure the ID token contains the expected claims
User not authorized
Assign the user to the SSO Enterprise App
Invalid signature error
Confirm the correct token signing algorithm is used
Next Steps
If the issue persists after these checks, provide the following information to your support team:
SSO Provider Sign-In Logs with error codes.
Browser Network logs (HAR file) showing redirects.
SAML assertion (if applicable) or decoded OIDC token.
ECS logs from the registry.
Following these steps should help you diagnose and resolve most SSO redirect loop issues efficiently across Azure, Google, and Okta.
Last updated
Was this helpful?