OpenAM 13 login fails with User name/password combination is invalid error if you use host-based cookies

Symptoms

The following error is shown in the browser when you attempt to log in, even though your credentials are correct:

Logging in using the Classic UI works, although this UI is deprecated in OpenAM 13.

The following cookie domains property value is shown if you call the /openam/json/serverinfo endpoint:

The cookie domains list is returned without a value.

Recent Changes

Upgraded to, or installed OpenAM 13.

Switched from using the Classic UI to the XUI.

Configured OpenAM to use host-based cookies rather than domain cookies.

Causes

The empty cookie domains server property prevents the iPlanetDirectoryPro cookie being set, which prevents the login succeeding. This cookie domains property is incorrectly set when host-based cookies are used in the XUI; it should show as follows with double quotes when empty, which allows the iPlanetDirectoryPro cookie to be set: 

Solution

This issue can be resolved by upgrading to OpenAM 13.5 or later; you can download this from BackStage.

Workaround

Alternatively, this issue can be resolved by setting the cookie domains to "" using the following ssoadm command:

replacing [adminID] and [passwordfile] with appropriate values.

See Also

Best practice for upgrading to OpenAM 13.x

Best practice for upgrading to OpenAM 12.x

Authentication fails in OpenAM 13.0 with an AuthId JWT Signature not valid error

Related Training

N/A

Related Issue Tracker IDs

OPENAM-5264 (Can't login to OpenAM with no cookies set in the platform service)