ForgeRock Identity Platform
Does not apply to Identity Cloud

Redirect loop between AM and Agents (All versions) after successful authentication

Last updated Jan 11, 2023

The purpose of this article is to provide assistance if you encounter a redirect loop between AM and Agents after successful authentication. This issue affects both Web and Java Agents.


Symptoms

After a successful login, the user is redirected back to the protected resource and then back to the AM login page for authentication, thereby creating a redirect loop. The redirect loop may happen automatically without you re-entering your credentials.

You will also notice a redirect URL similar to the following (with URL encoding removed for readability). Note the redirect_uri ending in agent/cdsso-oauth2, which identifies the agent's CDSSO OAuth2 flow, and that the authorize request carries agent_realm=%2F (the root realm) while the login page URL carries realm=/employees:

https://am1.example.com/am/XUI/?realm=/employees#login&goto=am1.example.com:443/am/oauth2/authorize?response_mode=form_post&state=247f267e-941b-bd7e-284e-8a8f13fbef81&redirect_uri=https://am2.example.net:8443/agent/cdsso-oauth2&response_type=id_token&scope=openid&client_id=webagent&agent_provider=true&agent_realm=%2F&nonce=E7ADEC50C034652415FB830236D4BCBB

Additionally, this redirect loop only happens when the agent initially redirects you to the protected resource. If you navigate directly to the login page, you can authenticate successfully.
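The following script is an added diagnostic example; it is not part of the original article or of the ForgeRock agent code. It takes the login URL the browser lands on (as in the example above), extracts the realm the XUI login page targets and the agent_realm and redirect_uri from the oauth2/authorize request carried in the goto parameter, and reports whether the two realms disagree, which is the "authenticate against a specific realm" cause described later in this article. The sample URL is constructed from the article's example; hostnames, state and nonce values are the article's placeholders, and the goto value is percent-encoded the way a browser would actually send it. The script also accepts the decoded form printed above.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed sample authorize request, modelled on the article's URL
# (agent_realm=%2F is the root realm; redirect_uri is the agent's CDSSO endpoint).
SAMPLE_AUTHORIZE = (
    "am1.example.com:443/am/oauth2/authorize?response_mode=form_post"
    "&state=247f267e-941b-bd7e-284e-8a8f13fbef81"
    "&redirect_uri=https://am2.example.net:8443/agent/cdsso-oauth2"
    "&response_type=id_token&scope=openid&client_id=webagent"
    "&agent_provider=true&agent_realm=%2F"
    "&nonce=E7ADEC50C034652415FB830236D4BCBB"
)

# The URL in the shape the article prints it (URL encoding removed).
DECODED_SAMPLE_URL = (
    "https://am1.example.com/am/XUI/?realm=/employees#login&goto=" + SAMPLE_AUTHORIZE
)


def make_sample_url(agent_realm="/"):
    """Constructed login URL in the article's shape, with the goto value
    percent-encoded the way a browser actually sends it."""
    authorize = SAMPLE_AUTHORIZE.replace(
        "agent_realm=%2F", "agent_realm=" + quote(agent_realm, safe="")
    )
    return (
        "https://am1.example.com/am/XUI/?realm=/employees#login&goto="
        + quote(authorize, safe="")
    )


def normalize_realm(realm):
    """Compare realms by path: '/', '/employees' and '/employees/' normalise cleanly."""
    if realm is None:
        return None
    return "/" + realm.strip("/")


def parse_login_redirect(url):
    """Split the XUI login URL into the realm the login page targets and the
    parameters of the agent's oauth2/authorize request carried in goto."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    login_realm = query.get("realm", [None])[0]

    # goto normally sits inside the #login fragment (as in the article), but it
    # can also appear in the query string; handle both.
    goto = query.get("goto", [None])[0]
    if goto is None and "goto=" in parts.fragment:
        goto = unquote(parts.fragment.split("goto=", 1)[1])

    authorize = {}
    if goto and "?" in goto:
        authorize = {k: v[0] for k, v in parse_qs(goto.split("?", 1)[1]).items()}

    return {
        "login_realm": login_realm,
        "agent_realm": authorize.get("agent_realm"),
        "redirect_uri": authorize.get("redirect_uri"),
        "client_id": authorize.get("client_id"),
    }


def diagnose(url):
    """Return the parsed fields plus a verdict matching the article's causes."""
    info = parse_login_redirect(url)
    agent_flow = bool(info["redirect_uri"]) and "/agent/cdsso-oauth2" in info["redirect_uri"]
    login = normalize_realm(info["login_realm"])
    agent = normalize_realm(info["agent_realm"])
    mismatch = agent_flow and login is not None and agent is not None and login != agent

    if not agent_flow:
        verdict = "not an agent CDSSO redirect (no agent/cdsso-oauth2 redirect_uri)"
    elif mismatch:
        verdict = (
            f"login page targets realm {login} but the agent's authorize request "
            f"targets realm {agent}: set the Conditional Login URL "
            "(com.forgerock.agents.conditional.login.url) with the realm, "
            "not the AM Login URL"
        )
    else:
        verdict = (
            "realms agree; if the loop persists with a custom login page, check "
            "org.forgerock.openam.agents.config.allow.custom.login"
        )
    return {**info, "agent_flow": agent_flow, "realm_mismatch": mismatch, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(make_sample_url())["verdict"])
```

Paste the URL from the browser address bar (or from the agent debug log) into diagnose(); a realm mismatch points at the Conditional Login URL fix, while agreeing realms point at the custom login mode setting described under Solution.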

Recent Changes

Installed Agents or upgraded to a later version.

Configured the AM Login URL List (AM 7.1.2 and later) or AM Login URL (pre-AM 7.1.2) property (com.sun.identity.agents.config.login.url):

  • With a URL that directs the user to a specific realm, for example: com.sun.identity.agents.config.login.url=https://am1.example.com/am/XUI/?realm=/employees#login
  • Because you have a custom login page.

Causes

Communication between the agent and AM uses the OAuth 2.0 Authorization Framework: the agent and AM exchange OpenID Connect JSON Web Tokens (JWTs) that carry the information required to authenticate clients and authorize access to protected resources. Agents authenticate and log out users through the oauth2/authorize endpoint, which is not configurable.

This redirect issue can arise in the following scenarios:

  • You want users to authenticate against a specific realm: By default, the realm in the AM Login URL List or AM Login URL is not observed by the agent's OAuth2 flow, which defaults to the root realm rather than the realm named in the login URL (you may see realm=%2F or agent_realm=%2F in the redirect URLs). To configure the agent for this use case, you must specify the Conditional Login URL instead.
  • You have a custom login: When the AM Login URL List or AM Login URL is set (which defines the URL of a custom login page), the Enable Custom Login Mode (AM 7.1.2 and later) or Allow Custom Login Mode (pre-AM 7.1.2) property must also be set to 1 or 2 (true in pre-Agents 5.6).

Solution

This issue can be resolved as follows depending on the cause:

Authenticate against a specific realm

If you want users to authenticate against a specific realm, you must specify the Conditional Login URL property (com.forgerock.agents.conditional.login.url) with the realm name included as a URL parameter. See How do I configure Agents (All versions) to authenticate users against a specific realm, tree or authentication module in AM? for further information.

Custom login

If you have a custom login, you must also set the Enable Custom Login Mode (AM 7.1.2 and later) or Allow Custom Login Mode (pre-AM 7.1.2) property (org.forgerock.openam.agents.config.allow.custom.login) to 1 or 2 (or true in pre-Agents 5.6).

You can set this property using either the AM admin UI, Amster or ssoadm:

  • AM 7 and later admin UI: navigate to: Realms > [Realm Name] > Applications > Agents > [Web or Java] > [Agent Name] > AM Services > Enable Custom Login Mode or Allow Custom Login Mode and enter 1 or 2 as required (or true in pre-Agents 5.6).
  • AM 6.x admin UI: navigate to: Realms > [Realm Name] > Applications > Agents > [Agent Type] > [Agent Name] > Advanced > Custom Properties and add the property with a value of 1 or 2 as required (or true in pre-Agents 5.6). For example: org.forgerock.openam.agents.config.allow.custom.login=1
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: WebAgents or J2eeAgents
    • Property: customProperties
    • Property value: org.forgerock.openam.agents.config.allow.custom.login

For example:

"customProperties": {
    "inherited": false,
    "value": [
        "org.forgerock.openam.agents.config.allow.custom.login=1"
    ]
}

  • ssoadm: enter the following command, replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values:

    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a org.forgerock.openam.agents.config.allow.custom.login=1

See Login Redirect (Web) or Login Redirect (Java) for further information about this setting.

See Also

Agents and policies in AM

Login Redirect (Web)

Login Redirect (Java)

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.