Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Login page in AM 6.x hangs on Loading when CORS is enabled

Last updated Jan 12, 2023

The purpose of this article is to provide assistance if you experience issues where the AM login page displays an "Unknown Error - Please contact your Administrator" message and hangs on Loading... when cross-origin resource sharing (CORS) is enabled and you are using the Chrome™ browser.


Symptoms

The following error is shown when accessing the login page using a URL such as: https://am.example.com:8443/am/XUI/#login/

Unknown Error - Please contact your Administrator

When the message disappears, AM hangs and displays a Loading... message.

Variants of this issue can be seen when accessing AM over SSL (for example, using a URL such as: https://am.example.com:8443/am/XUI/#login/) or through a load balancer.

Disabling CORS allows access.

This only affects the Chrome browser; using Firefox® works.

Recent Changes

Enabled the CORS filter.

Added a load balancer in front of AM when CORS was already enabled and working.

Enabled SSL on AM when CORS was already enabled and working.

Added a realm DNS alias when CORS was already enabled and working.

Causes

Some browsers, such as Chrome, send the Origin header in the request, even in same-origin scenarios.

Solution

This issue can be resolved by upgrading to AM 7 or later; you can download this from Backstage.

Workaround

You can work around this issue by adapting the CORS filter configuration to allow all possible server origins. You may have to include the hostname with both http and https protocols, the server name and the load balancer FQDN, and the port number if it is not the default. See Enabling CORS Support for general instructions on setting up a CORS filter:

  • If you need to access more than one hostname, for example, you access AM through a load balancer and also have direct access to the AM server, you should remove or comment out the expectedHostname section in the CORS filter as this only allows one hostname:

        <!--init-param>
            <description>
                Expected Hostname (Optional):
                The name of the host expected in the request Host header.
            </description>
            <param-name>expectedHostname</param-name>
            <param-value>am.example.com:8443</param-value>
        </init-param-->

  • Add each URL that is allowed to the Accepted Origins section. Include the protocol and the port if it is not the default. For example, if you want to allow access to https://lb.example.com:443/openam and https://am.example.com:8443/am, as well as a real cross-origin URL such as https://other.origin.example.com:443/myApp, the Accepted Origins section in the CORS filter on am1 would look like this:

        <init-param>
            <description>
                Accepted Origins (Required):
                A comma separated list of origins from which to accept CORS requests.
            </description>
            <param-name>origins</param-name>
            <param-value>
                https://am.example.com:8443/am,https://lb.example.com,https://other.origin.example.com
            </param-value>
        </init-param>

Note

You must restart the web application container in which AM runs to apply these configuration changes.

See How do I troubleshoot issues with CORS in AM (All versions)? if these changes do not resolve your issues.
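
To check an Accepted Origins value before restarting the container, the following added example (not ForgeRock code) derives the Origin header a browser sends for each URL used to reach AM and reports which origins the list lacks and which entries cannot match. It assumes the filter compares the Origin header to each entry as an exact string; the function names are hypothetical and the sample input is constructed from this article's example hostnames.

```javascript
// Added example: audit a CORS filter "origins" value against the URLs users
// actually use to reach AM. Hostnames are the article's example names.
// Assumption: the filter compares the request's Origin header to each list
// entry as an exact string.

// A browser's Origin header is scheme://host[:port]; URL.origin yields the
// same serialization (no path, default port 80/443 dropped).
function toOrigin(url) {
  return new URL(url).origin;
}

function auditOrigins(accessUrls, originsParamValue) {
  const configured = originsParamValue
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);

  // Entries that can never equal an Origin header: they carry a path, a
  // default port, or do not parse as a URL at all (left for manual review).
  const unmatchable = configured.filter((entry) => {
    try {
      return toOrigin(entry) !== entry;
    } catch {
      return true;
    }
  });

  // Origins the browser will send for each access URL that the list lacks.
  const needed = [...new Set(accessUrls.map(toOrigin))];
  const missing = needed.filter((o) => !configured.includes(o));

  return { needed, missing, unmatchable };
}

// Constructed scenario: CORS was configured for direct access only, then a
// load balancer and an http listener were added in front of AM.
const report = auditOrigins(
  [
    "https://am.example.com:8443/am/XUI/#login/",
    "https://lb.example.com:443/openam",
    "http://lb.example.com/openam",
  ],
  " https://am.example.com:8443, https://lb.example.com:443/openam "
);
console.log(report);
```

Add every origin listed under missing to the origins value, and rewrite any entry listed under unmatchable as a bare scheme, host and non-default port.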

See Also

Enabling CORS Support

How do I troubleshoot issues with CORS in AM (All versions)?

Related Issue Tracker IDs

OPENAM-13210 (Make CORS filter dynamically configurable)

OPENAM-9890 (Allow list in expected Hostname section of CORS Filter)


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.