Policy Agent (All versions) does not redirect user correctly if the redirect URL is too long

Last updated Jul 9, 2018

The purpose of this article is to provide assistance if users are not redirected by the policy agent as expected when the redirect URL is too long.


The user is redirected incorrectly when the redirect URL is too long; shortening the URL results in a successful redirection.

An error similar to the following is shown in the patternMatching debug log when this happens:

RedirectUrlValidator.isRedirectUrlValid: The url was length nnnn which is longer than the allowed maximum of 2000

Where nnnn signifies the length of the redirect URL. 

Recent Changes



The maximum redirect URL that can be validated by AM/OpenAM is 2000 characters by default. If the length of the URL exceeds this, validation of the requested goto URL will not succeed and therefore does not redirect to the expected page.


This issue can be resolved by increasing the maximum length of the redirect URL to at least the number stated in the patternMatching debug log. This is an advanced property (org.forgerock.openam.redirecturlvalidator.maxUrlLength), which is available in AM, OpenAM 13.5.x and OpenAM 12.0.4. Prior to these versions, you cannot increase the maximum length.

You can update this property using either the console, Amster (AM 5 and later) or ssoadm:

  • AM / OpenAM 13.5 console: navigate to: Configure > Server Defaults > Advanced > org.forgerock.openam.redirecturlvalidator.maxUrlLength and enter the maximum redirect URL length that can be validated.
  • Pre-OpenAM 13.5 console: navigate to: Configuration > Servers and Sites > Default Server Settings > Advanced > org.forgerock.openam.redirecturlvalidator.maxUrlLength and enter the maximum redirect URL length that can be validated.
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster?with these values:
    • Entity: DefaultAdvancedProperties
    • Property: org.forgerock.openam.redirecturlvalidator.maxUrlLength
  • ssoadm: enter the following command:
    $ ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -a org.forgerock.openam.redirecturlvalidator.maxUrlLength=[length]
    replacing [adminID], [passwordfile] and [length] with appropriate values.

You must restart the web application container in which AM/OpenAM runs to apply these configuration changes.

See Also

redirect_uri_mismatch error occurs after upgrading to, or installing Web Agents 5.x

JEE Policy Agent 3.5.x fails to redirect to AM/OpenAM login or logout URL and shows 500: Internal server error

Agents and policies in AM/OpenAM

Reference › Advanced Properties

Related Training


Related Issue Tracker IDs

OPENAM-13109 (Default org.forgerock.openam.redirecturlvalidator.maxUrlLength is too short)

Copyright and TrademarksCopyright © 2018 ForgeRock, all rights reserved.