The user is redirected incorrectly when the redirect URL is too long; shortening the URL results in a successful redirection.
An error similar to the following is shown in the patternMatching debug log when this happens:
RedirectUrlValidator.isRedirectUrlValid: The url was length nnnn which is longer than the allowed maximum of 2000
Where nnnn signifies the length of the redirect URL.
The maximum length of a redirect URL that AM can validate is 2000 characters by default. If the URL is longer than this, validation of the requested goto URL fails and the user is not redirected to the expected page.
This issue can be resolved by increasing the maximum length of the redirect URL to at least the number stated in the patternMatching debug log. This is an advanced property (org.forgerock.openam.redirecturlvalidator.maxUrlLength).
You can update this property using either the console, Amster or ssoadm:
- Console: navigate to Configure > Server Defaults > Advanced > org.forgerock.openam.redirecturlvalidator.maxUrlLength and enter the maximum redirect URL length that can be validated.
- Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
  - Entity: DefaultAdvancedProperties
  - Property: org.forgerock.openam.redirecturlvalidator.maxUrlLength
- ssoadm: enter the following command:
  $ ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -a org.forgerock.openam.redirecturlvalidator.maxUrlLength=[length]
  replacing [adminID], [passwordfile] and [length] with appropriate values.
You must restart the web application container in which AM runs to apply these configuration changes.
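To choose a value for [length], the following added example (not part of the original article) summarises the rejections recorded in the patternMatching debug log: how many URLs were refused, the longest length seen, and the limit in force. The function names and the sample log lines are constructed for illustration; only the message wording comes from the error quoted above.

```shell
#!/bin/sh
# Added example: summarise redirect URLs that AM rejected for length.
# Matches only the message wording quoted in this article.

# Reads debug log text on stdin.
# Prints: "<rejections> <longest rejected length> <limit in force>"
rejected_url_summary() {
    awk '
        /RedirectUrlValidator\.isRedirectUrlValid: The url was length [0-9]+ which is longer than the allowed maximum of [0-9]+/ {
            line = $0
            # Strip everything up to the length; awk reads the leading digits.
            sub(/.*The url was length /, "", line)
            len = line + 0
            # Strip everything up to the limit that was in force.
            sub(/.*allowed maximum of /, "", line)
            limit = line + 0
            count++
            if (len > max) max = len
        }
        END { printf "%d %d %d\n", count, max, limit }
    '
}

# Constructed sample input. The lengths and the unrelated line are
# invented; real log lines carry additional prefixes that this ignores.
sample_log() {
    cat <<'EOF'
RedirectUrlValidator.isRedirectUrlValid: The url was length 2483 which is longer than the allowed maximum of 2000
unrelated debug line (constructed)
RedirectUrlValidator.isRedirectUrlValid: The url was length 3120 which is longer than the allowed maximum of 2000
RedirectUrlValidator.isRedirectUrlValid: The url was length 2101 which is longer than the allowed maximum of 2000
EOF
}

# Against a real log, pipe the patternMatching debug file in instead:
#   rejected_url_summary < [path to patternMatching debug log]
sample_log | rejected_url_summary
```

The second number is the minimum value that lets every logged URL through; setting the property just above it, rather than to an arbitrarily large figure, keeps the validator's length check meaningful.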