SAML redirect is ignored when doing an IdP or SP initiated SSO with WDSSO/Kerberos authentication in OpenAM 13.0 and 13.5

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if SAML redirection is ignored when doing an IdP or SP initiated SSO in OpenAM 13.0 and 13.5. This issue occurs when you are using a realm DNS alias for federation and that Realm is setup for Windows Desktop SSO/Kerberos authentication.

1 reader recommends this article

This article has been archived and is no longer maintained by ForgeRock.



If you are using the XUI, you will observe the following behavior after successfully authenticating with the WDSSO authentication module:

  • You are redirected to the default SuccessURL if one has been set up for the WDSSO authentication module, OR
  • You are redirected to OpenAM and see the following message in the browser: You have already logged in. Do you want to log out and then login to a different organization?

Expected behavior: you are redirected to the IdP or SP depending on your setup.

Classic UI

If you are using the Classic UI, you will see the following message in the browser:

An internal authentication error has occurred. Contact your system administrator.

The following error is shown in the Authentication debug log when this happens:

ERROR: LoginViewBean.forwardTo(): There was an Exception doing the forward/redirect org.apache.jasper.JasperException: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String at org.apache.jasper.servlet.JspServletWrapper.handleJspException( at org.apache.jasper.servlet.JspServletWrapper.service( at org.apache.jasper.servlet.JspServlet.serviceJspFile( at org.apache.jasper.servlet.JspServlet.service( at javax.servlet.http.HttpServlet.service( at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( at org.apache.catalina.core.ApplicationFilterChain.doFilter( at org.apache.tomcat.websocket.server.WsFilter.doFilter( ... Caused by: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String at com.sun.identity.saml2.common.SAML2Utils.getParameter( at com.sun.identity.saml2.common.SAML2Utils.getRealm( at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService( at org.apache.jasper.runtime.HttpJspBase.service( at javax.servlet.http.HttpServlet.service( at org.apache.jasper.servlet.JspServletWrapper.service( ... 72 more

Recent Changes

Upgraded to, or installed OpenAM 13.0 or 13.5.

Made changes to your configuration so that you now have the combination of using a realm DNS alias for federation purposes and have the WDSSO authentication module configured in that realm for authentication.


The realm context is lost in the process when the realm DNS alias is used, which prevents you being correctly redirected to the IdP or SP as expected. 


This issue can be resolved by upgrading to OpenAM 13.5.1 or later; you can download this from BackStage.


Alternatively, the following options are available to resolve this issue:

  • You can update your configuration so that you use the OpenAM DNS URL for federation rather than the realm DNS alias.
  • You can use an alternative authentication module.

See Also


Related Training


Related Issue Tracker IDs

OPENAM-8351 (SAML2 JSP pages making use of the SAML2Auditor are calling the SAML2Utils.getRealm with an incorrect Map structure)

OPENAM-8971 (currentGoto : null is received in XUI when a realm dns is being used for Federation and authentication is done via wdsso/kerberos auth module)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.