AM/OpenAM (All versions) redirects to HTTP when deployed on Apache Tomcat with a load balancer doing SSL/TLS offloading
The purpose of this article is to provide assistance if AM/OpenAM redirects to a URL using the http protocol instead of the expected https protocol. This issue occurs when AM/OpenAM is deployed on Apache Tomcat™ with a load balancer or proxy (such as HAProxy) doing SSL/TLS offloading. In particular, this affects deployments where the load balancer or proxy sets the X-Forwarded-Proto header.
1 reader recommends this article
Symptoms
After logging into AM/OpenAM (using a URL with the https protocol), you are redirected to a URL that uses the http protocol.
You may also see this behavior when moving between newer XUI JavaScript®-based administration pages and old JATO console pages. Upon switching back to XUI pages from an old console page, the protocol changes to http.
You will see a 302 redirect response with the wrong protocol, for example:
HTTP/1.1 302 Found
Location: http://host1.example.com:8080/openamRecent Changes
Configured a load balancer or proxy in front of AM/OpenAM to offload SSL/TLS.
Causes
Tomcat is not honoring the X-Forwarded-Proto header set by the load balancer or proxy, or has not been configured for SSL offloading:
- Tomcat needs to honor the X-Forwarded-Proto header set by the load balancer or proxy to ensure that all the client redirect calls are made using the https protocol; otherwise it will switch the protocol to the one associated with the port AM/OpenAM listens on (http).
- Tomcat needs to be configured for SSL offloading else it will receive a Location-Header from AM/OpenAM with protocol http instead of https since the load balancer or proxy is doing SSL offloading.
Solution
You can resolve this issue by making the following changes:
- Configure Tomcat using one of the following options (fixes redirection for SAML2 federation
and/or WS-Federation):
- Configure Tomcat to honor the X-Forwarded-Proto header.
- Configure Tomcat for SSL offloading.
- Configure the Base URL Source Service (OpenAM 12.0.1 and later) (fixes redirection for OAuth2 and other redirection issues).
Configure Tomcat to honor the X-Forwarded-Proto header
You can configure Tomcat to honor the X-Forwarded-Proto header by adding the following to the server.xml file:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"
protocolHeaderHttpsValue="https"
/>Configure Tomcat for SSL offloading
You can configure Tomcat for SSL offloading by specifying the proxyPort and proxyName attributes in the <Connector> element in the server.xml file, for example:
<Connector port="8080" protocol="HTTP/1.1"
maxThreads="150" clientAuth="false"
SSLEnabled="false"
scheme="https" secure="true"
proxyPort="443" proxyName="proxy.example.com"
/>Configure the Base URL Source Service
Note
You may need to add the Base URL Source service if it is not listed under Services by clicking Add a Service or Add and then selecting Base URL Source. If you are using ssoadm, you can replace set-realm-svc-attrs in the ssoadm command with add-svc-realm to add this service and set the attributes with the same command.
The Base URL Source Service applies to all XUI pages and the OpenID Base URL. You can set the Base URL Source Service using either the console or ssoadm:
- AM / OpenAM 13.x console: navigate to: Realms > [Realm Name] > Services > Base URL Source and select Host/protocol from incoming request.
- Pre-OpenAM 13 console: navigate to: Access Control > [Realm Name] > Services > Base URL Source and select Host/protocol from incoming request.
-
ssoadm: enter the following command:
$ ./ssoadm set-realm-svc-attrs -s amRealmBaseURL -e [realmname] -u [adminID] -f [passwordfile] -a base-url-source=REQUEST_VALUES
replacing [realmname], [adminID] and [passwordfile] with appropriate values.
You may want to use a different option for the Base URL Source if it's more appropriate to your setup, for example, Fixed value. See OpenID Connect 1.0 Guide › Configuring the Base URL Source Service for further information.
The following table provides the corresponding values to use for the base-url-source attribute if you want to configure this via ssoadm along with the attribute name for other required fields:
| Option | ssoadm value | Other attributes |
|---|---|---|
| Extension class | EXTENSION_CLASS | Extension class name field: base-url-extension-class attribute. |
| Fixed value | FIXED_VALUE | Fixed value base URL field: base-url-fixed-value attribute. |
| Forwarded header | FORWARDED_HEADER | |
| Host/protocol from incoming request | REQUEST_VALUES | |
| X-Forwarded-* headers | X_FORWARDED_HEADERS |
See Also
How do I set up Realm DNS Aliases in OpenAM 12.x and 13.x?
How do I configure SSL offloading at the Policy Agent (All versions) for virtual hosts?
How do I configure a Web Policy Agent (All versions) for SSL offloading?
How do I configure a Java Policy Agent (All versions) for SSL offloading?
OpenID Connect 1.0 Guide › Configuring the Base URL Source Service
Related Training
N/A
Related Issue Tracker IDs
OPENAM-5534 (OAuth2/OIDC SSL connection is based on incoming request not on the site configuration)