Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

"The information you're about to submit is not secure" warning in Chrome when end-users attempt to authenticate to AM (All versions)

Last updated Feb 24, 2021

The purpose of this article is to provide assistance if end-users see "The information you're about to submit is not secure" warnings in the Chrome™ browser when they are trying to authenticate to AM.


Symptoms

End-users using the Chrome browser may see the following in their browsers when they are authenticating:

The information you're about to submit is not secure.

You will notice that the goto parameter in the login URL uses the http protocol.

Recent Changes

End-users have upgraded to Chrome 88.

Causes

Chrome 88 introduces warnings on forms that directly submit to http:// or that redirect to http:// with the form data preserved through the redirect. See Issue 1158169: Form is not Secure issue on new version for Chrome for further information.

The URL specified in the goto parameter can be set by an Agent or a SAML2 flow depending on how authentication is initiated. Additionally, it can be changed from https to http if there is a load balancer or proxy in front of AM doing SSL/TLS offloading. 
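
To find out which login flows are handing AM an http goto value (an Agent, a SAML2 flow, or a proxy that rewrote the scheme), the following added example scans access-log lines for goto parameters that decode to http:// URLs. It is not ForgeRock code; the log format, hostnames and paths are constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit


def _split(url):
    """urlsplit that tolerates malformed values found in real logs."""
    try:
        return urlsplit(url)
    except ValueError:  # e.g. unbalanced "[" in the host part
        return urlsplit("")


def goto_targets(url, max_depth=3):
    """Return every goto value in url, following goto values nested inside goto."""
    found = []
    for value in parse_qs(_split(url).query).get("goto", []):
        found.append(value)
        if max_depth > 1:
            found.extend(goto_targets(value, max_depth - 1))
    return found


def insecure_goto_targets(url):
    """Return the goto values that use the http scheme (relative values are ignored)."""
    return [g for g in goto_targets(url) if _split(g).scheme == "http"]


def scan_access_log(lines):
    """Count http goto targets per host; the request is the first quoted field."""
    hits = Counter()
    for line in lines:
        try:
            path = line.split('"')[1].split(" ")[1]  # "GET /path?query HTTP/1.1"
        except IndexError:
            continue  # no parsable request on this line
        for target in insecure_goto_targets(path):
            hits[_split(target).netloc] += 1
    return hits


# Constructed sample lines (addresses, hosts and paths are illustrative only).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Feb/2021:10:00:01 +0000] "GET /openam/XUI/?realm=/&goto=http%3A%2F%2Fapp.example.com%3A80%2Fportal HTTP/1.1" 200 512',
    '203.0.113.8 - - [24/Feb/2021:10:00:02 +0000] "GET /openam/XUI/?realm=/&goto=https%3A%2F%2Fapp.example.com%2Fportal HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Feb/2021:10:00:03 +0000] "GET /openam/XUI/?goto=https%3A%2F%2Fsso.example.com%2Fcontinue%3Fgoto%3Dhttp%253A%252F%252Flegacy.example.com%252F HTTP/1.1" 200 512',
    'malformed line without a request',
]

if __name__ == "__main__":
    for host, count in scan_access_log(SAMPLE_LOG).most_common():
        print(f"{count:5d}  http goto -> {host}")
```

Hosts that appear in the output are the applications or agents whose redirect URLs still carry http and need the settings reviewed in the Solution section.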

Solution

This issue can be resolved as follows:

  1. Review your load balancer or proxy settings to ensure all communications are using https and requests are routed entirely on https. The comments in Issue 1158169: Form is not Secure issue on new version for Chrome discuss various load balancer and proxy settings that may be helpful to review in conjunction with your settings. Configuring your load balancer or proxy is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.
  2. For Agent initiated login flows: ensure you have configured your Agent for SSL Offloading (see the Web Agents and Java Agents "LB Different Protocol and Port" entries under See Also).
  3. For SAML2 initiated login flows: review your federation settings to ensure all URLs use https.
  4. Configure the Base URL Source appropriately for your authentication flows. Setting it to the Fixed value option and specifying the base URL helps ensure that any requests that come into AM are redirected to a specific host and protocol, but other options, such as Host/protocol from incoming request, may be more suitable depending on your setup.

Configure the Base URL Source Service

Note

If the Base URL Source service is not listed under Services, you may need to add it by clicking Add a Service or Add and then selecting Base URL Source. If you are using ssoadm, you can replace set-realm-svc-attrs in the ssoadm command with add-svc-realm to add this service and set the attributes with the same command.

The Base URL Source Service applies to all XUI pages and the OpenID Base URL. You can set the Base URL Source Service using either the console, Amster or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Services > Base URL Source, select the Base URL Source and complete any other fields as needed.
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: BaseUrlSource
    • Property: source and any other properties as needed (extensionClassName or fixedValue).
  • ssoadm: enter the following command:
      $ ./ssoadm set-realm-svc-attrs -s amRealmBaseURL -e [realmname] -u [adminID] -f [passwordfile] -a base-url-source=[source]
    replacing [realmname], [adminID], [passwordfile] and [source] with appropriate values, and adding any other properties as needed.

See Security Guide › Configuring the Base URL Source Service for further information.

The following table provides the corresponding values to use for the Amster source attribute or the ssoadm base-url-source attribute if you want to configure this via the command line, along with the attribute names for other required fields:

| Option | source or base-url-source value | Other attributes: Amster | Other attributes: ssoadm |
| --- | --- | --- | --- |
| Extension class | EXTENSION_CLASS | Extension class name field: extensionClassName attribute. | Extension class name field: base-url-extension-class attribute. |
| Fixed value | FIXED_VALUE | Fixed value base URL field: fixedValue attribute. | Fixed value base URL field: base-url-fixed-value attribute. |
| Forwarded header | FORWARDED_HEADER | | |
| Host/protocol from incoming request | REQUEST_VALUES | | |
| X-Forwarded-* headers | X_FORWARDED_HEADERS | | |

See Also

AM (All versions) redirects to HTTP when deployed on Apache Tomcat with a load balancer doing SSL/TLS offloading

IG (All versions) redirects to HTTP when a reverse proxy or load balancer is doing SSL/TLS offloading

Web Agents › LB Different Protocol and Port

Java Agents › LB Different Protocol and Port

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and Trademarks
Copyright © 2021 ForgeRock, all rights reserved.