After logging into AM (using a URL with the https protocol), you are redirected to a URL that uses the http protocol.
You will see a 302 redirect response with the wrong protocol, for example:HTTP/1.1 302 Found Location: http://host1.example.com:8080/openam
Configured a load balancer or proxy in front of AM to offload SSL/TLS.
Tomcat is not honoring the X-Forwarded-Proto header set by the load balancer or proxy, or has not been configured for SSL offloading:
- Tomcat needs to honor the X-Forwarded-Proto header set by the load balancer or proxy to ensure that all the client redirect calls are made using the https protocol; otherwise it will switch the protocol to the one associated with the port AM listens on (http).
- Tomcat needs to be configured for SSL offloading else it will receive a Location-Header from AM with protocol http instead of https since the load balancer or proxy is doing SSL offloading.
You can resolve this issue by making the following changes:
- Configure Tomcat using one of the following options (fixes redirection for SAML2 federation and/or WS-Federation):
- Configure Tomcat to honor the X-Forwarded-Proto header.
- Configure Tomcat for SSL offloading.
- Configure the Base URL Source Service (fixes redirection for OAuth2 and other redirection issues).
Configure Tomcat to honor the X-Forwarded-Proto header
You can configure Tomcat to honor the X-Forwarded-Proto header by adding the following to the server.xml file:<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" protocolHeaderHttpsValue="https" />
See Apache Tomcat API > Class RemoteIpValve for further information.
Configure Tomcat for SSL offloading
You can configure Tomcat for SSL offloading by specifying the proxyPort and proxyName attributes in the <Connector> element in the server.xml file, for example:<Connector port="8080" protocol="HTTP/1.1" maxThreads="150" clientAuth="false" SSLEnabled="false" scheme="https" secure="true" proxyPort="443" proxyName="proxy.example.com" />
Configure the Base URL Source Service
You may need to add the Base URL Source service if it is not listed under Services by clicking Add a Service or Add and then selecting Base URL Source. If you are using ssoadm, you can replace set-realm-svc-attrs in the ssoadm command with add-svc-realm to add this service and set the attributes with the same command.
The Base URL Source Service applies to all XUI pages and the OpenID Base URL. You can set the Base URL Source Service using either the console or ssoadm:
- Console: navigate to: Realms > [Realm Name] > Services > Base URL Source and select Host/protocol from incoming request.
- ssoadm: enter the following command: $ ./ssoadm set-realm-svc-attrs -s amRealmBaseURL -e [realmname] -u [adminID] -f [passwordfile] -a base-url-source=REQUEST_VALUES replacing [realmname], [adminID] and [passwordfile] with appropriate values.
You may want to use a different option for the Base URL Source if it's more appropriate to your setup, for example, Fixed value. See Security Guide › Configuring the Base URL Source Service for further information.
The following table provides the corresponding values to use for the base-url-source attribute if you want to configure this via ssoadm along with the attribute name for other required fields:
|Option||ssoadm value||Other attributes|
|Extension class||EXTENSION_CLASS||Extension class name field: base-url-extension-class attribute.|
|Fixed value||FIXED_VALUE||Fixed value base URL field: base-url-fixed-value attribute.|
|Host/protocol from incoming request||REQUEST_VALUES|
Related Issue Tracker IDs