End users using the Chrome browser may see the following in their browsers when they are authenticating:
The information you're about to submit is not secure.
You will notice that the goto parameter in the login URL uses the http protocol.
End users have upgraded to Chrome 88.
Chrome 88 introduces warnings on forms that directly submit to http:// or that redirect to http:// with the form data preserved through the redirect. See Issue 1158169: Form is not Secure issue on new version for Chrome for further information.
The URL specified in the goto parameter can be set by an Agent or a SAML2 flow depending on how authentication is initiated. Additionally, it can be changed from https to http if there is a load balancer or proxy in front of AM doing SSL/TLS offloading.
This issue can be resolved as follows:
- Review your load balancer or proxy settings to ensure all communications are using https and requests are routed entirely on https. The comments in Issue 1158169: Form is not Secure issue on new version for Chrome discuss various load balancer and proxy settings that may be helpful to review in conjunction with your settings. Configuring your load balancer or proxy is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.
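- For Agent initiated login flows: ensure you have configured your Agent for SSL offloading, as described in Overriding protocol, host, and port (Web Agents) and Override protocol, host, and port (Java Agents).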
- For SAML2 initiated login flows: review your federation settings to ensure all URLs use https.
- Configure the Base URL Source appropriately for your authentication flows. Setting it to the Fixed value option and specifying the base URL helps ensure that any requests that come into AM are redirected to a specific host and protocol, but other options, such as Host/protocol from incoming request, may be more suitable depending on your setup.
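To check the result of the steps above, the following added example (not ForgeRock code) extracts the goto parameter from login URLs, such as those copied from a browser or a proxy log, and reports whether its target uses http or https. The host names and sample URLs are constructed, and looking for goto in the URL fragment as well as the query string is an assumption about how the login URL is formed.

```python
from urllib.parse import parse_qs, unquote, urlsplit

VERDICTS = {"http": "insecure", "https": "ok", "": "relative"}

def classify_goto(value, max_rounds=3):
    """Return (decoded_value, verdict) for one goto value."""
    # A proxy or agent may percent-encode the value more than once,
    # so decode until it stops changing (bounded number of rounds).
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    scheme = urlsplit(value).scheme.lower()
    return value, VERDICTS.get(scheme, "other")

def audit_login_url(login_url):
    """Classify every goto parameter found in a login URL."""
    parts = urlsplit(login_url)
    found = []
    # Assumption: goto may sit in the query string or after the '#'
    # fragment, so both components are parsed.
    for component in (parts.query, parts.fragment):
        for value in parse_qs(component).get("goto", []):
            found.append(classify_goto(value))
    return found

def needs_attention(login_urls):
    """Return the login URLs that carry at least one http:// goto target."""
    return [u for u in login_urls
            if any(verdict == "insecure" for _, verdict in audit_login_url(u))]

# Constructed sample URLs with hypothetical hosts, not from a real deployment.
SAMPLES = [
    "https://am.example.com/openam/XUI/?realm=/&goto=http%3A%2F%2Fapp.example.com%3A80%2Fportal#login",
    "https://am.example.com/openam/XUI/?goto=https%3A%2F%2Fapp.example.com%2Fportal#login",
    "https://am.example.com/openam/XUI/?goto=http%253A%252F%252Fapp.example.com%252F",
    "https://am.example.com/openam/XUI/#login/&goto=%2Fopenam%2Fconsole",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(audit_login_url(url), url)
```

A login URL reported as insecure is one that would trigger the Chrome 88 warning; a relative goto has no scheme of its own.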
Configure the Base URL source service
If the Base URL Source service is not listed under Services, add it by clicking Add a Service or Add and then selecting Base URL Source. If you are using ssoadm, you can replace set-realm-svc-attrs in the ssoadm command with add-svc-realm to add this service and set the attributes with the same command.
The Base URL Source Service applies to all XUI pages and the OpenID Base URL. You can set the Base URL Source Service using the AM admin UI, Amster or ssoadm:
- AM admin UI: navigate to: Realms > [Realm Name] > Services > Base URL Source, select the Base URL Source and complete any other fields as needed.
- Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
  - Entity: BaseUrlSource
  - Property: source and any other properties as needed (extensionClassName or fixedValue).
- ssoadm: enter the following command:
  $ ./ssoadm set-realm-svc-attrs -s amRealmBaseURL -e [realmname] -u [adminID] -f [passwordfile] -a base-url-source=[source]
  replacing [realmname], [adminID], [passwordfile] and [source] with appropriate values, and adding any other properties as needed.
See Configure the Base URL source service for further information.
The following table provides the corresponding values to use for the Amster source attribute or the ssoadm base-url-source attribute if you want to configure this via the command line, along with the attribute names for other required fields:
|Option|source or base-url-source value|Other attributes: Amster|Other attributes: ssoadm|
|---|---|---|---|
|Extension class|EXTENSION_CLASS|Extension class name field: extensionClassName attribute.|Extension class name field: base-url-extension-class attribute.|
|Fixed value|FIXED_VALUE|Fixed value base URL field: fixedValue attribute.|Fixed value base URL field: base-url-fixed-value attribute.|
|Host/protocol from incoming request|REQUEST_VALUES| | |
Overriding protocol, host, and port (Web Agents)
Override protocol, host, and port (Java Agents)