Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Login page in AM (All versions) hangs on Loading when CORS is enabled

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if you experience issues where the AM login page displays an "Unknown Error - Please contact your Administrator" message and hangs on Loading... when Cross-origin resource sharing (CORS) is enabled and you are using the Chrome™ browser.



Symptoms

The following error is shown when accessing the login page using a URL such as: http://host1.example.com:18080/openam/XUI/#login/

Unknown Error - Please contact your Administrator

When the message disappears, AM hangs and displays a Loading... message.

Variants of this issue can be seen when accessing AM over SSL (for example, using a URL such as: https://host1.example.com:18443/openam/XUI/#login/) or through a load balancer.

Disabling CORS allows access.

This only affects the Chrome browser; using Firefox® works.

Recent Changes

Enabled the CORS filter.

Added a load balancer in front of AM when CORS was already enabled and working.

Enabled SSL on AM when CORS was already enabled and working.

Added a realm DNS alias when CORS was already enabled and working.

Causes

Some browsers, such as Chrome, send the Origin header in the request, even in same-origin scenarios.

Solution

This issue can be resolved by adapting the CORS filter configuration to allow all possible server origins. You may have to include the hostname with both http and https protocols, the server name and the load balancer FQDN, and the port number if it is not the default. See Security Guide › Configuring CORS Support for general instructions on setting up a CORS filter:

  • If you need to access more than one hostname, for example, you access AM through a load balancer and also have direct access to the AM server, you should remove or comment out the Expected Hostname section in the CORS filter as this only allows one hostname:

      <!--init-param>
          <description>
              Expected Hostname (Optional):
              The name of the host expected in the request Host header.
          </description>
          <param-name>expectedHostname</param-name>
          <param-value>host1.example.com:18080</param-value>
      </init-param-->

    An RFE exists to allow a list of hostnames to be specified instead: OPENAM-9890 (Allow list in expected Hostname section of CORS Filter).
  • Add each URL that is allowed to the Accepted Origins section. Include the protocol and the port if it is not the default. For example, if you want to allow access to https://lb.example.com:443/openam and http://host1.example.com:18080/openam, as well as a real cross-origin URL such as https://other.origin.example.com:443/myApp, the Accepted Origins section in the CORS filter on openam1 would look like this:

      <init-param>
          <description>
              Accepted Origins (Required):
              A comma separated list of origins from which to accept CORS requests.
          </description>
          <param-name>origins</param-name>
          <param-value>
              http://host1.example.com:18080,https://lb.example.com,https://other.origin.example.com
          </param-value>
      </init-param>

Note

You must restart the web application container in which AM runs to apply these configuration changes.

See How do I troubleshoot issues with the CORS filter in AM (All versions)? if these changes do not resolve your issues.
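
The following is an added example, not code from the original article or from ForgeRock: it derives the Accepted Origins value from the URLs used to reach AM and audits an existing value for entries a browser would never send. The function names and the misconfigured sample value are constructed for illustration, and it assumes the filter compares the Origin header to each configured entry as an exact string.

```javascript
// Added example: audit a CORS filter "origins" value against the URLs that
// users and client applications actually use. Hostnames are the article's samples.

// Serialize a URL the way a browser builds the Origin header:
// scheme://host[:port], default port (80/443) omitted, no path or fragment.
function toOrigin(url) {
  return new URL(url).origin;
}

// Split a web.xml <param-value>: comma separated, may contain whitespace/newlines.
function parseOriginsParam(paramValue) {
  return paramValue.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Build the <param-value> content from every URL that reaches or calls AM.
function buildOriginsParam(accessUrls) {
  return [...new Set(accessUrls.map(toOrigin))].join(",");
}

// rejected:    access URLs whose Origin header is not in the configured list.
// unmatchable: configured entries that are not in Origin form (path, default
//              port, typo), so no browser-sent Origin can equal them.
// Assumption: the filter does an exact string comparison against each entry.
function auditOrigins(paramValue, accessUrls) {
  const configured = parseOriginsParam(paramValue);
  const rejected = accessUrls.filter((u) => !configured.includes(toOrigin(u)));
  const unmatchable = configured.filter((entry) => {
    try {
      return toOrigin(entry) !== entry;
    } catch (e) {
      return true; // not parseable as a URL at all
    }
  });
  return { rejected, unmatchable };
}

// URLs from the article: direct access, load balancer, and a real cross-origin app.
const ACCESS_URLS = [
  "http://host1.example.com:18080/openam",
  "https://lb.example.com:443/openam",
  "https://other.origin.example.com:443/myApp",
];

// Constructed misconfiguration: full URL pasted in, cross-origin app missing.
const BAD_PARAM = "http://host1.example.com:18080, https://lb.example.com:443/openam";

console.log("origins param-value:", buildOriginsParam(ACCESS_URLS));
console.log("audit of bad value:", auditOrigins(BAD_PARAM, ACCESS_URLS));
```
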

See Also

Security Guide › Configuring CORS Support

How do I troubleshoot issues with the CORS filter in AM (All versions)?

Related Training

N/A

Related Issue Tracker IDs

OPENAM-9890 (Allow list in expected Hostname section of CORS Filter)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.