The user is redirected incorrectly when the redirect URL is too long; shortening the URL results in a successful redirection.
An error similar to the following is shown in the patternMatching debug log when this happens:RedirectUrlValidator.isRedirectUrlValid: The url was length nnnn which is longer than the allowed maximum of 2000
Where nnnn signifies the length of the redirect URL.
The maximum redirect URL that can be validated by AM/OpenAM is 2000 characters by default. If the length of the URL exceeds this, validation of the requested goto URL will not succeed and therefore does not redirect to the expected page.
This issue can be resolved by increasing the maximum length of the redirect URL to at least the number stated in the patternMatching debug log. This is an advanced property (org.forgerock.openam.redirecturlvalidator.maxUrlLength), which is available in AM and OpenAM 13.5.x. You cannot increase the maximum length in OpenAM 13.
You can update this property using either the console, Amster (AM 5 and later) or ssoadm:
- AM / OpenAM 13.5 console: navigate to: Configure > Server Defaults > Advanced > org.forgerock.openam.redirecturlvalidator.maxUrlLength and enter the maximum redirect URL length that can be validated.
- OpenAM 13 console: navigate to: Configuration > Servers and Sites > Default Server Settings > Advanced > org.forgerock.openam.redirecturlvalidator.maxUrlLength and enter the maximum redirect URL length that can be validated.
Amster: follow the steps in How do I update property values in AM (All versions) using Amster?with these values:
- Entity: DefaultAdvancedProperties
- Property: org.forgerock.openam.redirecturlvalidator.maxUrlLength
- ssoadm: enter the following command: $ ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -a org.forgerock.openam.redirecturlvalidator.maxUrlLength=[length] replacing [adminID], [passwordfile] and [length] with appropriate values.
You must restart the web application container in which AM/OpenAM runs to apply these configuration changes.