ForgeRock Identity Platform
Does not apply to Identity Cloud

Redirect loop between AM and Agents (All versions) after successful authentication

Last updated Mar 15, 2022

The purpose of this article is to provide assistance if you encounter a redirect loop between AM and Agents after successful authentication.



After a successful login, the user is redirected back to the protected resource and then back to the AM login page for authentication, thereby creating a redirect loop. The redirect loop may happen automatically without you re-entering your credentials.

You will also notice a redirect URL similar to the following (with URL encoding removed for readability). Note the agent/cdsso-oauth2 parameter:

Additionally, this redirect loop only happens when the agent initially redirects you to the protected resource. If you navigate directly to the login page, you can authenticate successfully.

Recent Changes

Installed Agents or upgraded to a later version.

Configured the AM Login URL List (AM 7.1.2 and later) or AM Login URL (pre-AM 7.1.2) property (com.sun.identity.agents.config.login.url):

  • With a URL that directs the user to a realm, for example: com.sun.identity.agents.config.login.url property=
  • Because you have a custom login.


Communication between the agent and AM uses the OAuth 2.0 Authorization Framework. This means the agent and AM exchange OpenID Connect JSON web tokens (JWTs) containing the information required to authenticate clients and authorize access to protected resources. Agents authenticate to and log out users from the oauth2/authorize endpoint, which is not configurable. See the following links for further information:

This redirect issue can arise in the following scenarios:

  • You want users to authenticate against a specific realm: By default, the AM Login URL List or AM Login URL is not observed and the OAuth2 flow defaults to the root realm rather than a specific realm (you may see realm=%2F in URLs). To configure the agent for this use case, you must specify the Conditional Login URL instead.
  • You have a custom login: When the AM Login URL List or AM Login URL is set (which defines the URL of a custom login page), the Enable Custom Login Mode (AM 7.1.2 and later) or Allow Custom Login Mode (pre-AM 7.1.2) property must also be set to true.


This issue can be resolved as follows depending on the cause:

Authenticate against a specific realm

If you want users to authenticate against a specific realm, you must specify the Conditional Login URL property (com.forgerock.agents.conditional.login.url) with the realm name included as a URL parameter. See How do I configure Agents (All versions) to authenticate users against a specific realm, tree or authentication module in AM? for further information.

Custom login

If you have a custom login, you must also set the Enable Custom Login Mode (AM 7.1.2 and later) or Allow Custom Login Mode (pre-AM 7.1.2) property (org.forgerock.openam.agents.config.allow.custom.login) to true. This is a custom property that you manually set in the agent's profile. 


In Agents 5.0.x and 5.5.x, the possible values for this property were true and false. Agents 5.6 introduced changes, which means the possible values are now 0 (equivalent to false), 1 (equivalent to true) and 2. See What's New in Web Agents 5.6 for further information. 

You can either add it as an advanced property in the console or via the command line (Amster or ssoadm) and set it to true or 1 depending on which Agents version you are using:

  • Console: navigate to: Realms > [Realm Name] > Applications > Agents > [Agent Type] > [Agent Name] > Advanced > Custom Properties and add the property, for example: org.forgerock.openam.agents.config.allow.custom.login=1
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: WebAgents or J2eeAgents
    • Property: customProperties
    • Property value: org.forgerock.openam.agents.config.allow.custom.login

For example:

"customProperties": {
    "inherited": false,
    "value": [
        "org.forgerock.openam.agents.config.allow.custom.login=1"
    ]
}

  • ssoadm: enter the following command, replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values:

$ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a org.forgerock.openam.agents.config.allow.custom.login=1

See Login Redirect (Web) or Login Redirect (Java) for further information about this setting.
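Both causes described above can be checked mechanically before you touch the agent. The following is an added example, not ForgeRock code: it lints an agent's properties supplied as key=value lines (the form used by the Amster customProperties entries and the ssoadm -a argument shown above). The function names, the constructed sample profile and the version rule (true/false before Agents 5.6, 0/1/2 from 5.6 on, with 1 as the documented fix) are assumptions taken from this article.

```python
from urllib.parse import parse_qs, urlparse

# Property names quoted in the article; everything else here is assumed.
LOGIN_URL = "com.sun.identity.agents.config.login.url"
COND_LOGIN_URL = "com.forgerock.agents.conditional.login.url"
CUSTOM_LOGIN_MODE = "org.forgerock.openam.agents.config.allow.custom.login"

def parse_properties(lines):
    """Parse 'key=value' lines (Amster customProperties entries, ssoadm -a).
    Repeated keys are collected so a multi-entry AM Login URL List is kept."""
    props = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        props.setdefault(key.strip(), []).append(value.strip())
    return props

def expected_custom_login_value(agent_version):
    """Agents 5.0.x/5.5.x take true/false; 5.6 and later take 0/1/2, where
    1 is the documented fix (2 selects a different mode, not checked here)."""
    major, minor = (int(p) for p in agent_version.split(".")[:2])
    return "1" if (major, minor) >= (5, 6) else "true"

def lint_agent_profile(lines, agent_version):
    """Return the article's two redirect-loop misconfigurations, if present."""
    props = parse_properties(lines)
    findings = []
    login_urls = props.get(LOGIN_URL, [])
    for url in login_urls:
        # realm=... on the login URL is ignored by the OAuth2 flow (root realm
        # is used); the realm belongs in the Conditional Login URL instead.
        if "realm" in parse_qs(urlparse(url).query) and not props.get(COND_LOGIN_URL):
            findings.append(f"{LOGIN_URL} targets a realm ({url}): "
                            f"set {COND_LOGIN_URL} with the realm parameter instead")
    wanted = expected_custom_login_value(agent_version)
    current = props.get(CUSTOM_LOGIN_MODE, [""])[-1].lower()
    if login_urls and current != wanted:
        findings.append(f"{LOGIN_URL} is set but {CUSTOM_LOGIN_MODE}="
                        f"{current or '<unset>'}: set it to {wanted}")
    return findings

# Constructed sample: a 5.6+ agent with a realm in its login URL, no
# Conditional Login URL, and custom login mode still 0.
SAMPLE_PROFILE = """
com.sun.identity.agents.config.login.url=https://am.example.com:8443/am/XUI/?realm=/employees#login
org.forgerock.openam.agents.config.allow.custom.login=0
""".splitlines()
```

Running lint_agent_profile(SAMPLE_PROFILE, "5.10.1") reports both problems; a profile with no realm in the login URL and the mode set to the value for its version reports none.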

See Also

Agents and policies in AM

Login Redirect (Web)

Login Redirect (Java)

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.