The information you're about to submit is not secure warning in Chrome when end users attempt to authenticate to AM (All versions)

Symptoms

End users using the Chrome browser may see the following in their browsers when they are authenticating:

The information you're about to submit is not secure.

You will notice that the goto parameter in the login URL uses the http protocol.

Recent Changes

End users have upgraded to Chrome 88.

Causes

Chrome 88 introduces warnings on forms that directly submit to http:// or that redirect to http:// with the form data preserved through the redirect. See Issue 1158169: Form is not Secure issue on new version for Chrome for further information.

The URL specified in the goto parameter can be set by an Agent or a SAML2 flow depending on how authentication is initiated. Additionally, it can be changed from https to http if there is a load balancer or proxy in front of AM doing SSL/TLS offloading.

Solution

This issue can be resolved as follows:

1. Review your load balancer or proxy settings to ensure all communications are using https and requests are routed entirely on https. The comments in Issue 1158169: Form is not Secure issue on new version for Chrome discuss various load balancer and proxy settings that may be helpful to review in conjunction with your settings. Configuring your load balancer or proxy is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.
2. For Agent initiated login flows: ensure you have configured your Agent for SSL Offloading:
   • How do I configure a Web Agent (All versions) for SSL offloading?
   • How do I configure a Java Agent (All versions) for SSL offloading?
3. For SAML2 initiated login flows: review your federation settings to ensure all URLs use https.
4. Configure the Base URL Source appropriately for your authentication flows. Setting it to the Fixed value option and specifying the base URL is helpful to ensure that any requests that come into AM are redirected to a specific host and protocol, but other options, such as Host/protocol from incoming request may be more suitable depending on your setup.

Configure the Base URL source service

The Base URL Source Service applies to all XUI pages and the OpenID Base URL. You can set the Base URL Source Service using either the AM admin UI, Amster or ssoadm:

• AM admin UI: navigate to: Realms > [Realm Name] > Services > Base URL Source, select the Base URL Source and complete any other fields as needed.
• Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
  • Entity: BaseUrlSource
  • Property: source and any other properties as needed (extensionClassName or fixedValue).
• ssoadm: enter the following command: $ ./ssoadm set-realm-svc-attrs -s amRealmBaseURL -e [realmname] -u [adminID] -f [passwordfile] -a base-url-source=[source]replacing [realmname], [adminID], [passwordfile] and [source] with appropriate values, and adding any other properties as needed.

See Configure the Base URL source service for further information.

The following table provides the corresponding values to use for the Amster source attribute or the ssoadm base-url-source attribute if you want to configure this via the command line, along with the attribute names for other required fields:

See Also

AM (All versions) redirects to HTTP when deployed on Apache Tomcat with a load balancer doing SSL/TLS offloading

IG (All versions) redirects to HTTP when a reverse proxy or load balancer is doing SSL/TLS offloading

Overriding protocol, host, and port (Web Agents)

Override protocol, host, and port (Java Agents)

Related Training

N/A

Related Issue Tracker IDs

N/A