
Redirect loop between AM and Agent 5.x after successful authentication

Last updated Sep 8, 2020

The purpose of this article is to provide assistance if you encounter a redirect loop between AM and Agent 5.x after successful authentication.



Symptoms

After a successful login, the user is redirected back to the protected resource and then back to the AM login page for authentication, thereby creating a redirect loop. The redirect loop may happen automatically without you re-entering your credentials.

You will also notice a redirect URL similar to the following (with URL encoding removed for readability). Note the redirect_uri value ending in agent/cdsso-oauth2, which is the agent's OAuth 2.0 callback:

https://host1.example.com/openam/XUI/?realm=/employees#login&goto=host1.example.com:8080/openam/oauth2/authorize?response_mode=form_post&state=247f267e-941b-bd7e-284e-8a8f13fbef81&redirect_uri=http://host2.example.net:8080/agent/cdsso-oauth2&response_type=id_token&scope=openid&client_id=webagent&agent_provider=true&agent_realm=%2F&nonce=E7ADEC50C034652415FB830236D4BCBB

Additionally, this redirect loop only happens when the agent initially redirects you to the protected resource. If you navigate directly to the login page, you can authenticate successfully.

Recent Changes

Upgraded to, or installed Agents 5.x.

Configured the AM Login URL (com.sun.identity.agents.config.login.url property):

  • With a URL that directs the user to a realm, for example:
    com.sun.identity.agents.config.login.url=https://host1.example.com/openam/XUI/?realm=/employees#login
  • Because you have a custom login.

Causes

As of Agents 5, communication between the agent and AM uses the OAuth 2.0 Authorization Framework. This means the agent and AM exchange OpenID Connect JSON web tokens (JWTs) containing the information required to authenticate clients and authorize access to protected resources. Agents authenticate to and log out users from the oauth2/authorize endpoint, which is not configurable. See the following links for further information:

This redirect issue can arise in the following scenarios:

  • You want users to authenticate against a specific realm: By default, the OAuth2 flow does not honor the realm in the AM Login URL and falls back to the root realm (you may see realm=%2F in URLs). To configure the agent for this use case, you must specify the OpenAM Conditional Login URL instead.
  • You have a custom login: When the AM Login URL is set (which defines the URL of a custom login page), the Allow Custom Login Mode property must also be set to true.

Solution

This issue can be resolved as follows depending on the cause:

Authenticate against a specific realm

If you want users to authenticate against a specific realm, you must specify the OpenAM Conditional Login URL property (com.forgerock.agents.conditional.login.url) with the realm name included as a URL parameter. See How do I configure Agents 5.x to authenticate users against a specific realm, tree or authentication module in AM? for further information.

Custom login

If you have a custom login, you must also set the Allow Custom Login Mode property (org.forgerock.openam.agents.config.allow.custom.login) to true. This is a custom property that you set manually in the agent's profile.

Note

In Agents 5.0.x and 5.5.x, the possible values for this property were true and false. Agents 5.6 changed this property, so the possible values are now 0 (equivalent to false), 1 (equivalent to true) and 2. See Release Notes › What's New in Web Agents for further information.

You can either add it as an advanced property in the console or via the command line (Amster or ssoadm) and set it to true or 1 depending on which Agents version you are using:

  • Console: navigate to: Realms > [Realm Name] > Applications > Agents > [Agent Type] > [Agent Name] > Advanced > Custom Properties and add the property, for example:
    org.forgerock.openam.agents.config.allow.custom.login=1
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: WebAgents or J2eeAgents
    • Property: customProperties
    • Property value: org.forgerock.openam.agents.config.allow.custom.login
    For example:
            "customProperties": {
                "inherited": false,
                "value": [
                    "org.forgerock.openam.agents.config.allow.custom.login=1"
                ]
            }
  • ssoadm: enter the following command:
    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a org.forgerock.openam.agents.config.allow.custom.login=1
    replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values.
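The two causes above and their fixes can be checked mechanically against an agent's properties. The following is an added example, not ForgeRock code: it takes name=value lines (the format used by ssoadm -a and inside an Amster customProperties value list), applies the checks described in the Causes and Solution sections, and optionally inspects a captured looping redirect URL for the agent_realm parameter. The property names are the ones in this article; the sample redirect is the one from the Symptoms section (constructed here in both decoded and URL-encoded form), and the conditional login URL value in the test is a placeholder, since its format is defined in the linked article.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Property names as used in this article.
LOGIN_URL = "com.sun.identity.agents.config.login.url"
CONDITIONAL_LOGIN_URL = "com.forgerock.agents.conditional.login.url"
ALLOW_CUSTOM_LOGIN = "org.forgerock.openam.agents.config.allow.custom.login"

# Constructed sample: the oauth2/authorize goto from the Symptoms section.
_AUTHORIZE = (
    "host1.example.com:8080/openam/oauth2/authorize?response_mode=form_post"
    "&state=247f267e-941b-bd7e-284e-8a8f13fbef81"
    "&redirect_uri=http://host2.example.net:8080/agent/cdsso-oauth2"
    "&response_type=id_token&scope=openid&client_id=webagent&agent_provider=true"
    "&agent_realm=%2F&nonce=E7ADEC50C034652415FB830236D4BCBB"
)
_XUI = "https://host1.example.com/openam/XUI/?realm=/employees#login&goto="
SAMPLE_REDIRECT = _XUI + _AUTHORIZE                     # decoded, as printed above
SAMPLE_REDIRECT_ENCODED = _XUI + quote(_AUTHORIZE, safe="")  # as a browser sends it


def parse_properties(lines):
    """Turn 'name=value' lines into a dict; blanks, comments and junk are skipped."""
    props = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        props[name.strip()] = value.strip()
    return props


def realm_in_login_url(url):
    """Realm named by the ?realm= parameter of an AM XUI login URL, else None."""
    if not url:
        return None
    return parse_qs(urlsplit(url).query).get("realm", [None])[0]


def agent_realm_in_redirect(url):
    """agent_realm carried by the oauth2/authorize goto inside a looping redirect.

    The XUI keeps goto in the fragment (#login&goto=...). When goto is
    URL-encoded its parameters only appear after the goto URL itself is
    parsed; when it has been decoded (as in the article's readable example)
    they are already flat in the fragment. Both cases are handled.
    """
    params = parse_qs(urlsplit(url).fragment)
    if "agent_realm" in params:
        return params["agent_realm"][0]
    goto = params.get("goto", [None])[0]
    if goto:
        return parse_qs(urlsplit(goto).query).get("agent_realm", [None])[0]
    return None


def diagnose(props, redirect_url=None):
    """Return the causes from this article that apply, as short codes, in a fixed order."""
    findings = []
    login_url = props.get(LOGIN_URL)
    if not login_url:
        return findings  # neither cause involves an agent without an AM Login URL
    target_realm = realm_in_login_url(login_url)
    # Cause 1: login URL names a realm but no Conditional Login URL is set.
    if target_realm and not props.get(CONDITIONAL_LOGIN_URL):
        findings.append("realm-in-login-url-without-conditional-login-url")
    # Cause 2: custom login without Allow Custom Login Mode (true pre-5.6, 1 from 5.6).
    if props.get(ALLOW_CUSTOM_LOGIN, "").lower() not in ("true", "1"):
        findings.append("custom-login-without-allow-custom-login-mode")
    # Symptom corroboration: the OAuth2 flow ran in the root realm instead.
    if redirect_url and target_realm not in (None, "/"):
        if agent_realm_in_redirect(redirect_url) == "/":
            findings.append("oauth2-flow-fell-back-to-root-realm")
    return findings


if __name__ == "__main__":
    broken = parse_properties([LOGIN_URL + "=" + _XUI.split("#login")[0] + "#login"])
    for code in diagnose(broken, SAMPLE_REDIRECT):
        print(code)
```

Run the script to see the three findings for an agent that only has the AM Login URL set; after adding the conditional login URL and allow.custom.login=1 (or true on 5.0.x/5.5.x), diagnose returns an empty list.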

See Web Agent User Guide › Custom Login Redirection Mode or Java Agent User Guide › Custom Redirection Login Mode for further information about this setting.

See Also

Agents and policies in AM/OpenAM

User Guide › Login Redirection and Login Conditional Redirection

User Guide › Redirection and Conditional Redirection

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright © 2020 ForgeRock, all rights reserved.