The following error is shown in the browser when accessing the resource protected by the agent:
redirect_uri_mismatch The redirection URI provided does not match a pre-registered value.
You are then redirected to the login URL, which is in a similar format to this example URL:
Upgraded to, or installed, Web Agents 5.x.
CDSSO improvements in Agents 5 mean that CDSSO is the only SSO mode used by agents; it is achieved using the OAuth 2.0 protocol and the oauth2/authorize endpoint. See Release Notes › Major Improvements for further information.
Where there is a mismatch between the protocols used to access the resource and the one the agent is configured against (for example, you are accessing a resource with a URL that uses the https protocol but you configured your agent with a URL that uses the http protocol), the hidden OAuth2 agent does not understand the redirection URL and prevents access as a security precaution.
This issue can be resolved by setting the root URL for CDSSO to the redirection URL in the following format: protocol://host:port/. For the example URL shown in the Symptoms section, you would specify the following root URL:
You can set the root URL for CDSSO using either the console, Amster or ssoadm:
- Console: navigate to Realms > [Realm Name] > Applications > Agents > Web > [Agent Name] > Global > Agent Root URL for CDSSO and specify the redirection URL.
- Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
  - Entity: WebAgents
  - Property: cdssoRootUrl
- ssoadm: enter the following command:
$ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a sunIdentityServerDeviceKeyValue=agentRootURL=[redirectionURL]
replacing [realmname], [agentname], [adminID], [passwordfile] and [redirectionURL] with appropriate values.
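Before changing the agent profile, it helps to confirm which part of the URL differs between how the resource is accessed and how the agent was configured. The following is an added example, not ForgeRock code: the function names and the example.com URLs are constructed for illustration, and writing the port out even when it is the scheme default is an assumption based on the protocol://host:port/ format given above.

```python
from urllib.parse import urlsplit

# Default ports, used when a URL omits the port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def root_url(url):
    """Return protocol://host:port/ for an absolute http(s) URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    host = parts.hostname  # urlsplit lowercases the host name
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    port = parts.port or DEFAULT_PORTS[scheme]
    return f"{scheme}://{host}:{port}/"


def check_agent_root(accessed_url, configured_agent_url):
    """Compare the URL a user accesses with the URL the agent was configured
    against, and report which components differ."""
    accessed = urlsplit(root_url(accessed_url))
    configured = urlsplit(root_url(configured_agent_url))
    components = (
        ("protocol", accessed.scheme, configured.scheme),
        ("host", accessed.hostname, configured.hostname),
        ("port", accessed.port, configured.port),
    )
    differs = [name for name, a, c in components if a != c]
    return {
        "match": not differs,
        "differs_in": differs,
        # Candidate value for the Agent Root URL for CDSSO property.
        "root_url_to_set": root_url(accessed_url),
    }


if __name__ == "__main__":
    # Constructed sample: resource reached over https, agent configured with http.
    result = check_agent_root(
        "https://www.example.com/app/index.html",
        "http://www.example.com:80/",
    )
    print(result)
```

A mismatch in protocol, host or port corresponds to the cause described above; the value in root_url_to_set is what you would supply as [redirectionURL].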