AM/OpenAM (All versions) redirects to HTTP when deployed on Apache Tomcat with a load balancer doing SSL/TLS offloading

Symptoms

After logging into AM/OpenAM (using a URL with the https protocol), you are redirected to a URL that uses the http protocol.

You may also see this behavior when moving between newer XUI JavaScript®-based administration pages and old JATO console pages. Upon switching back to XUI pages from an old console page, the protocol changes to http.

You will see a 302 redirect response with the wrong protocol, for example:

HTTP/1.1 302 Found
Location: http://host1.example.com:8080/openam

Recent Changes

Configured a load balancer or proxy in front of AM/OpenAM to offload SSL/TLS.

Causes

Tomcat is not honoring the X-Forwarded-Proto header set by the load balancer or proxy, or has not been configured for SSL offloading:

• Tomcat needs to honor the X-Forwarded-Proto header set by the load balancer or proxy to ensure that all the client redirect calls are made using the https protocol; otherwise it will switch the protocol to the one associated with the port AM/OpenAM listens on (http).
• Tomcat needs to be configured for SSL offloading else it will receive a Location-Header from AM/OpenAM with protocol http instead of https since the load balancer or proxy is doing SSL offloading.

Solution

You can resolve this issue by making the following changes:

1. Configure Tomcat using one of the following options (fixes redirection for SAML2 federation and/or WS-Federation):
   • Configure Tomcat to honor the X-Forwarded-Proto header.
   • Configure Tomcat for SSL offloading.
2. Configure the Base URL Source Service (fixes redirection for OAuth2 and other redirection issues).

Configure Tomcat to honor the X-Forwarded-Proto header

You can configure Tomcat to honor the X-Forwarded-Proto header by adding the following to the server.xml file:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
    remoteIpHeader="x-forwarded-for"
    remoteIpProxiesHeader="x-forwarded-by"
    protocolHeader="x-forwarded-proto"
    protocolHeaderHttpsValue="https"
/>

Configure Tomcat for SSL offloading

You can configure Tomcat for SSL offloading by specifying the proxyPort and proxyName attributes in the <Connector> element in the server.xml file, for example:

<Connector port="8080" protocol="HTTP/1.1"
    maxThreads="150" clientAuth="false"
    SSLEnabled="false"
    scheme="https" secure="true"
    proxyPort="443" proxyName="proxy.example.com"
/>

Configure the Base URL Source Service

The Base URL Source Service applies to all XUI pages and the OpenID Base URL. You can set the Base URL Source Service using either the console or ssoadm:

• Console: navigate to: Realms > [Realm Name] > Services > Base URL Source and select Host/protocol from incoming request.
• ssoadm: enter the following command:

  $ ./ssoadm set-realm-svc-attrs -s amRealmBaseURL -e [realmname] -u [adminID] -f [passwordfile] -a base-url-source=REQUEST_VALUES

  replacing [realmname], [adminID] and [passwordfile] with appropriate values.

You may want to use a different option for the Base URL Source if it's more appropriate to your setup, for example, Fixed value. See Security Guide › Configuring the Base URL Source Service for further information.

The following table provides the corresponding values to use for the base-url-source attribute if you want to configure this via ssoadm along with the attribute name for other required fields:

See Also

How do I set up Realm DNS Aliases in OpenAM 13.x?

How do I configure SSL offloading at the Agent (All versions) for virtual hosts?

How do I configure a Web Agent (All versions) for SSL offloading?

How do I configure a Java Agent (All versions) for SSL offloading?

Security Guide › Configuring the Base URL Source Service

Related Training

N/A

Related Issue Tracker IDs

OPENAM-5534 (OAuth2/OIDC SSL connection is based on incoming request not on the site configuration)