Zero Page Login disallowed after installing the patch for OpenAM Security Advisory #201503 on OpenAM 11.x or 12.x

Last updated Oct 11, 2021

The purpose of this article is to provide assistance if the Zero Page Login functionality stops working after installing the patch for OpenAM Security Advisory #201503 on OpenAM 11.x or 12.x, or upgrading to OpenAM 11.0.3 (which includes the security fixes contained within the security advisory patch).


This article has been archived and is no longer maintained by ForgeRock.


The zero page login functionality ceases to work.

The Zero Page Login Referer Whitelist property in the OpenAM console appears to be blank, indicating that all referers should be allowed. To check, navigate to: Configuration > Authentication > Core > Security > Zero Page Login Referer Whitelist.


This property is only available in OpenAM 11.0.3 and later.

Recent Changes

Installed the patch for the OpenAM Security Advisory #201503.

Upgraded to OpenAM 11.0.3.


The recent security fixes set the zero page login referer whitelist property to an empty string rather than an empty list (blank), meaning that all referer URLs are denied.

This can be seen in the amAuth.xml file, where the attribute has the following default value:

<AttributeSchema name=""
                 type="list"
                 syntax="string"
                 i18nKey="a155"
                 resourceName="zeroPageLoginReferrerWhiteList">
    <DefaultValues>
        <Value></Value>
    </DefaultValues>
</AttributeSchema>


This issue can be resolved by upgrading to OpenAM 12.0.2 or later; you can download this from BackStage.

Alternatively, you can resolve this issue by removing the schema defaults for the attribute using the following ssoadm command:

$ ./ssoadm remove-attr-defs -s iPlanetAMAuthService -t Organization -u [adminID] -f [passwordfile] -a

replacing [adminID] and [passwordfile] with appropriate values.


You must restart the web application container in which OpenAM runs to apply this configuration change. 

This change sets the whitelist to empty, meaning all zero page logins are allowed from any referer; if you are using OpenAM 11.0.3 or later, you should consider specifying a whitelist of allowed URLs instead for improved security.
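The difference between the patched default (one empty value) and a truly empty list can be checked offline against a copy of the service schema. The following is an added example, not ForgeRock code: the wrapping `Schema` element, the sample fragments, the function names and the exact-match referer model are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

RESOURCE = "zeroPageLoginReferrerWhiteList"  # resourceName shown in the article

def whitelist_defaults(xml_text, resource=RESOURCE):
    """Return the attribute's default values as a list, or None if it is absent."""
    root = ET.fromstring(xml_text)
    for schema in root.iter("AttributeSchema"):
        if schema.get("resourceName") == resource:
            return [v.text or "" for v in schema.iterfind("DefaultValues/Value")]
    return None

def classify(values):
    """Map the default values onto the three states the article distinguishes."""
    if values is None:
        return "attribute-not-found"
    if not values:
        return "allow-all"       # empty list: any referer is accepted
    if not any(v.strip() for v in values):
        return "deny-all"        # only empty strings: the post-patch default
    return "restricted"          # explicit whitelist of referer URLs

def referer_allowed(values, referer):
    """Simplified model (assumption: exact string match), not OpenAM's code."""
    if not values:
        return True
    return referer in [v for v in values if v.strip()]

def sample(defaults_xml):
    """Build a constructed schema fragment around the given <DefaultValues>."""
    return (f'<Schema><AttributeSchema type="list" syntax="string" '
            f'resourceName="{RESOURCE}">{defaults_xml}</AttributeSchema></Schema>')

# Constructed inputs: the patched default, the default after removal, a whitelist.
PATCHED = sample("<DefaultValues><Value></Value></DefaultValues>")
REMOVED = sample("<DefaultValues/>")
LISTED = sample("<DefaultValues><Value>https://app.example.com/login</Value></DefaultValues>")

if __name__ == "__main__":
    for label, xml_text in (("patched", PATCHED), ("removed", REMOVED), ("listed", LISTED)):
        values = whitelist_defaults(xml_text)
        ok = referer_allowed(values, "https://app.example.com/login")
        print(f"{label:8} {classify(values):12} referer allowed: {ok}")
```

A result of `allow-all` after the workaround is the state the article recommends replacing with an explicit whitelist on OpenAM 11.0.3 or later.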

See Also

OpenAM Administration Guide › Defining Authentication Services › Core - Security

OpenAM Developer's Guide › RESTful Web Services › REST APIs for Authentication & Logout


Related Issue Tracker IDs

OPENAM-5826 (Zero Page Login disallowed after OPENAM-sec-201503-v1102-CAS is applied)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.