SSO Redirect Loop
Last updated
Was this helpful?
dev
Last updated
Was this helpful?
This guide helps customers diagnose and resolve SSO login redirect loop issues when using Microsoft Azure, Google Workspace, or Okta for authentication.
Incorrect redirect URIs are a common cause of SSO loops.
Azure: Go to Azure AD > Enterprise Applications > [Your Application] > Authentication.
Google: Go to Google Admin Console > Security > Set up single sign-on (SSO).
Okta: Go to Okta Admin > Applications > [Your App] > Sign On.
Ensure the redirect URI matches exactly what is expected, as documented in the Quilt . This includes:
Case sensitivity (Azure and Okta are case-sensitive!)
Proper https:// scheme
Trailing slashes (if required)
Double-check the Logout URL, as incorrect values can cause infinite redirects.
SSO provider logs can help pinpoint misconfigurations.
Azure: Navigate to Azure AD > Enterprise Applications > [Your Application] > Sign-In Logs.
Google: Go to Google Admin Console > Reports > Audit > SAML.
Okta: Go to Okta Admin > System Log.
Look for failed sign-ins and error codes:
AADSTS50011 (Azure): Redirect URI mismatch.
AADSTS50008 (Azure): Invalid token signature.
AADSTS50105 (Azure): User is not assigned to the app.
403 or 400 errors (Google/Okta): Often indicate incorrect redirect URIs or token issues.
Use browser DevTools (F12) to examine the authentication flow:
Open the Network tab before attempting to log in.
Filter requests by sso, redirect, or login.
Look for repeated requests to the same URL, indicating a loop.
Click on the Request/Response Headers to check error messages.
Incorrect claims or missing attributes can cause authentication failures.
If using SAML, use SAML-tracer (Firefox) or Fiddler to inspect assertions.
Ensure the issuer (iss) and audience (aud) claims match what the application expects.
Look for authentication-related errors or unexpected redirects.
Verify that the expected redirect URIs are being returned.
Redirect loop after login
Verify redirect URIs and logout URL in Azure/Google/Okta
Authentication fails silently
Check SSO provider logs for error codes
Incorrect token claims
Ensure the ID token contains the expected claims
User not authorized
Assign the user to the SSO Enterprise App
Invalid signature error
Confirm the correct token signing algorithm is used
If the issue persists after these checks, provide the following information to your support team:
SSO Provider Sign-In Logs with error codes.
Browser Network logs (HAR file) showing redirects.
SAML assertion (if applicable) or decoded OIDC token.
ECS logs from the registry.
Following these steps should help you diagnose and resolve most SSO redirect loop issues efficiently across Azure, Google, and Okta.
If using OIDC, paste the ID token into or to check claims.
Follow the usual to collect the ECS logs for the registry service: