Redirect loop between AM and Agent 5.x after successful authentication

Last updated Apr 3, 2019

The purpose of this article is to provide assistance if you encounter a redirect loop between AM and Agent 5.x after successful authentication.


Symptoms

After a successful login, the user is redirected back to the protected resource and then back to the AM login page for authentication, thereby creating a redirect loop. The redirect loop may happen automatically without you re-entering your credentials.

You will also notice a redirect URL similar to the following (with URL encoding removed for readability). Note the redirect_uri value, which ends in agent/cdsso-oauth2 and identifies the agent's OAuth2 flow:

https://host1.example.com/openam/XUI/?realm=/employees#login&goto=host1.example.com:8080/openam/oauth2/authorize?response_mode=form_post&state=247f267e-941b-bd7e-284e-8a8f13fbef81&redirect_uri=http://host2.example.net:8080/agent/cdsso-oauth2&response_type=id_token&scope=openid&client_id=webagent&agent_provider=true&agent_realm=%2F&nonce=E7ADEC50C034652415FB830236D4BCBB

Additionally, this redirect loop only happens when the agent initially redirects you to the protected resource. If you navigate directly to the login page, you can authenticate successfully.

Recent Changes

Upgraded to, or installed Agents 5.x.

Configured the AM Login URL (com.sun.identity.agents.config.login.url property):

  • With a URL that directs the user to a realm, for example:
    com.sun.identity.agents.config.login.url=https://host1.example.com/openam/XUI/?realm=/employees#login
  • Because you have a custom login.

Causes

As of Agents 5, communication between the agent and AM uses the OAuth 2.0 Authorization Framework. This means the agent and AM exchange OpenID Connect JSON web tokens (JWTs) containing the information required to authenticate clients and authorize access to protected resources. Agents authenticate to and log out users from the oauth2/authorize endpoint, which is not configurable. See the following links for further information:

This redirect issue can arise in the following scenarios:

  • You want users to authenticate against a specific realm: By default, the AM Login URL is not observed and the OAuth2 flow defaults to the root realm rather than a specific realm (you may see realm=%2F in URLs). To configure the agent for this use case, you must specify the OpenAM Conditional Login URL instead.
  • You have a custom login: When the AM Login URL is set (which defines the URL of a custom login page), the Allow Custom Login Mode property must also be set to true.
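The realm mismatch described in the first scenario is visible in the redirect URL itself: the XUI part carries realm=/employees while the goto to oauth2/authorize carries agent_realm=%2F (the root realm). The following added diagnostic script (not part of this article or of the agent product) parses such a URL and reports the mismatch; it assumes the URL shape quoted under Symptoms and tolerates a goto value that is still percent-encoded by decoding it once before splitting.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample: the redirect URL quoted in the Symptoms section,
# with URL encoding already removed.
SAMPLE_URL = (
    "https://host1.example.com/openam/XUI/?realm=/employees#login"
    "&goto=host1.example.com:8080/openam/oauth2/authorize?response_mode=form_post"
    "&state=247f267e-941b-bd7e-284e-8a8f13fbef81"
    "&redirect_uri=http://host2.example.net:8080/agent/cdsso-oauth2"
    "&response_type=id_token&scope=openid&client_id=webagent&agent_provider=true"
    "&agent_realm=%2F&nonce=E7ADEC50C034652415FB830236D4BCBB"
)


def normalize_realm(realm):
    """Canonical realm form: leading slash, no trailing slash ("/" stays "/")."""
    return "/" + realm.strip("/")


def parse_login_redirect(url):
    """Split an AM XUI login URL into the XUI realm and the agent's authorize parameters."""
    parts = urlsplit(url)
    xui_query = parse_qs(parts.query)
    login_realm = normalize_realm(xui_query.get("realm", ["/"])[0])

    # The fragment is "login&goto=<authorize URL>". The goto value carries its
    # own '?' and '&', so cut at the first "goto=" instead of using parse_qs.
    # Decoding once also handles a goto that is still percent-encoded.
    marker = "goto="
    idx = parts.fragment.find(marker)
    goto = unquote(parts.fragment[idx + len(marker):]) if idx != -1 else ""

    authorize_params = {}
    if "?" in goto:
        authorize_params = {k: v[0] for k, v in parse_qs(goto.split("?", 1)[1]).items()}

    agent_realm = authorize_params.get("agent_realm")
    redirect_uri = authorize_params.get("redirect_uri") or ""
    return {
        "login_realm": login_realm,
        "agent_realm": normalize_realm(agent_realm) if agent_realm is not None else None,
        "redirect_uri": redirect_uri or None,
        # The agent's OAuth2 callback path, as seen in the article's URL.
        "is_agent_flow": redirect_uri.endswith("/agent/cdsso-oauth2"),
    }


def diagnose(url):
    """Return a list of findings explaining why the login redirect may loop."""
    info = parse_login_redirect(url)
    findings = []
    if (info["is_agent_flow"] and info["agent_realm"] is not None
            and info["login_realm"] != info["agent_realm"]):
        findings.append(
            f"XUI login realm is {info['login_realm']} but the agent's authorize "
            f"request uses agent_realm {info['agent_realm']}: the AM Login URL realm "
            "is not observed by the OAuth2 flow. Set "
            "com.forgerock.agents.conditional.login.url with the realm instead."
        )
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_URL) or ["no realm mismatch found"]:
        print(line)
```

Run it against a redirect URL copied from the browser address bar during the loop; an empty result means the realms agree and the loop has another cause, such as the custom login mode described in the second scenario.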

Solution

This issue can be resolved as follows depending on the cause:

Authenticate against a specific realm

If you want users to authenticate against a specific realm, you must specify the OpenAM Conditional Login URL property (com.forgerock.agents.conditional.login.url) with the realm name included as a URL parameter. See How do I configure Agents 5.x to authenticate users against a specific realm, tree or authentication module in AM? for further information.

Custom login

If you have a custom login, you must also set the Allow Custom Login Mode property (org.forgerock.openam.agents.config.allow.custom.login) to true. This is a custom property that you manually set in the agent's profile. You can either add it as an advanced property in the console or via the command line (Amster or ssoadm):

  • Console: navigate to: Realms > [Realm Name] > Applications > Agents > [Agent Type] > [Agent Name] > Advanced > Custom Properties and add the property, for example:
    org.forgerock.openam.agents.config.allow.custom.login=true
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: WebAgents or J2eeAgents
    • Property: customProperties
    • Property value: org.forgerock.openam.agents.config.allow.custom.login
    For example:
            "customProperties": {
                "inherited": false,
                "value": [
                    "org.forgerock.openam.agents.config.allow.custom.login=true"
                ]
            }

  • ssoadm: enter the following command:
    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a org.forgerock.openam.agents.config.allow.custom.login=true
    replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values.
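Both fixes can be checked from the agent's property list before touching the profile. The following added checker (example code, not part of this article or of the agent product) reads properties in the name=value form used with ssoadm's -a option, applies the two rules from the Causes section, and returns the concrete property assignment to pass to ssoadm. The sample properties are constructed; the value of the Conditional Login URL is left as a placeholder because this article does not give its format.

```python
import re

LOGIN_URL = "com.sun.identity.agents.config.login.url"
CONDITIONAL_LOGIN_URL = "com.forgerock.agents.conditional.login.url"
ALLOW_CUSTOM_LOGIN = "org.forgerock.openam.agents.config.allow.custom.login"

# Constructed sample: a profile that shows both causes from the article
# (realm in the AM Login URL, no Conditional Login URL, custom login not allowed).
SAMPLE_PROPERTIES = [
    "com.sun.identity.agents.config.login.url[0]="
    "https://host1.example.com/openam/XUI/?realm=/employees#login",
    "com.sun.identity.agents.config.logout.url[0]="
    "https://host1.example.com/openam/XUI/?realm=/employees#logout",
]


def parse_properties(lines):
    """Turn "name[idx]=value" lines into {name: [values]}; the index suffix is dropped."""
    props = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # values may themselves contain '='
        name = re.sub(r"\[\d+\]$", "", name.strip())
        props.setdefault(name, []).append(value.strip())
    return props


def check_login_config(lines):
    """Return (findings, fixes): readable problems and name=value pairs to add."""
    props = parse_properties(lines)
    findings, fixes = [], []
    login_urls = props.get(LOGIN_URL, [])
    if not login_urls:
        return findings, fixes  # no AM Login URL set: neither cause applies

    # Cause 1: a realm in the AM Login URL is ignored by the OAuth2 flow,
    # which then defaults to the root realm.
    if any("realm=" in u for u in login_urls) and not props.get(CONDITIONAL_LOGIN_URL):
        findings.append(
            f"{LOGIN_URL} selects a realm but {CONDITIONAL_LOGIN_URL} is not set; "
            "specify the Conditional Login URL with the realm as a URL parameter."
        )

    # Cause 2: AM Login URL set (custom login) but custom login mode not allowed.
    allowed = [v.lower() for v in props.get(ALLOW_CUSTOM_LOGIN, [])]
    if "true" not in allowed:
        findings.append(f"{LOGIN_URL} is set but {ALLOW_CUSTOM_LOGIN} is not true.")
        fixes.append(f"{ALLOW_CUSTOM_LOGIN}=true")
    return findings, fixes


def ssoadm_arguments(fixes):
    """Build the trailing -a arguments for "ssoadm update-agent" from the fixes."""
    args = []
    for fix in fixes:
        args += ["-a", fix]
    return args


if __name__ == "__main__":
    found, to_add = check_login_config(SAMPLE_PROPERTIES)
    for f in found:
        print("finding:", f)
    print("ssoadm args:", " ".join(ssoadm_arguments(to_add)))
```

Feed it the agent's exported properties (or the -a lines you intend to apply) and re-run after the change; an empty findings list means the profile satisfies both rules. The checker only recognises "true" spelled in any case, mirroring the value the article tells you to set.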

See Also

Web Agent User Guide › Custom Login Redirection Mode

Java Agent User Guide › Custom Redirection Login Mode

Agents and policies in AM/OpenAM

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright © 2019 ForgeRock, all rights reserved.