This article has been archived and is no longer maintained by ForgeRock.
The zero page login functionality ceases to work.
In the OpenAM console, the Zero Page Login Referer Whitelist property appears to be blank, which should mean that all referers are allowed; to check, navigate to: Configuration > Authentication > Core > Security > Zero Page Login Referer Whitelist.
This property is only available in OpenAM 11.0.3 and later.
Recent changes that trigger this issue: installing the patch for the OpenAM Security Advisory #201503, or upgrading to OpenAM 11.0.3.
The recent security fixes set the zero page login referer whitelist property to a list containing a single empty string rather than to an empty list (blank), meaning that all referer URLs are denied.
This can be seen in the amAuth.xml file, where the openam.auth.zero.page.login.referer.whitelist attribute has the following default value (a DefaultValues block holding one empty Value element):

<AttributeSchema name="openam.auth.zero.page.login.referer.whitelist" type="list" syntax="string" i18nKey="a155" resourceName="zeroPageLoginReferrerWhiteList">
  <DefaultValues>
    <Value></Value>
  </DefaultValues>
</AttributeSchema>
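To confirm the cause without touching a live deployment, the following Python script (an added example, not part of the original article and not OpenAM code) parses an amAuth.xml-style schema document and reports whether the whitelist default is an empty list (all referers allowed), a single empty string (all referers denied, the defective state described above), or an explicit list of URLs. The sample schema documents and the URL inside them are constructed for the example; point check_schema at the real amAuth.xml to inspect a deployment.

```python
import xml.etree.ElementTree as ET

ATTR = "openam.auth.zero.page.login.referer.whitelist"

# Classification results returned by classify_defaults().
ALL_DENIED = "single empty-string default: every referer denied (zero page login broken)"
ALL_ALLOWED = "no default values: whitelist blank, every referer allowed"
EXPLICIT = "explicit whitelist of referer URLs"
MISSING = "attribute not present in this schema document"


def sample_schema(default_values_xml):
    """Build a constructed amAuth.xml-style document around the attribute
    quoted in the article, with the given DefaultValues fragment."""
    return f"""<ServicesConfiguration>
  <Service name="iPlanetAMAuthService">
    <Schema>
      <Organization>
        <AttributeSchema name="{ATTR}" type="list" syntax="string"
            i18nKey="a155" resourceName="zeroPageLoginReferrerWhiteList">
          {default_values_xml}
        </AttributeSchema>
      </Organization>
    </Schema>
  </Service>
</ServicesConfiguration>"""


# Constructed samples: the defective default from the article, a blank
# (empty list) default, and an explicit whitelist with a hypothetical URL.
BROKEN_SCHEMA = sample_schema("<DefaultValues><Value></Value></DefaultValues>")
BLANK_SCHEMA = sample_schema("")
EXPLICIT_SCHEMA = sample_schema(
    "<DefaultValues><Value>https://portal.example.com/login</Value></DefaultValues>")


def whitelist_defaults(xml_text, attr_name=ATTR):
    """Return the default values declared for attr_name, or None if no
    AttributeSchema element with that name exists in the document."""
    root = ET.fromstring(xml_text)
    for schema in root.iter("AttributeSchema"):
        if schema.get("name") == attr_name:
            # Only DefaultValues/Value children count; ChoiceValues use a
            # different element name and are not defaults.
            return [(v.text or "").strip()
                    for v in schema.findall("DefaultValues/Value")]
    return None


def classify_defaults(defaults):
    """Map the default list onto the states the article distinguishes."""
    if defaults is None:
        return MISSING
    if not defaults:
        return ALL_ALLOWED
    if all(value == "" for value in defaults):
        return ALL_DENIED
    return EXPLICIT


def check_schema(xml_text):
    """Convenience wrapper: classify the whitelist default in one document."""
    return classify_defaults(whitelist_defaults(xml_text, ATTR))


if __name__ == "__main__":
    # For a real deployment: check_schema(open("/path/to/amAuth.xml").read())
    for label, sample in [("broken", BROKEN_SCHEMA),
                          ("blank", BLANK_SCHEMA),
                          ("explicit", EXPLICIT_SCHEMA)]:
        print(f"{label}: {check_schema(sample)}")
```

The distinction the script makes is the whole point of the article: an AttributeSchema with no DefaultValues at all yields an empty list, while a DefaultValues block containing one empty Value yields a one-element list whose only entry is the empty string, and the two look identical in the console.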
This issue can be resolved by upgrading to OpenAM 12.0.2 or later; you can download this from BackStage.
Alternatively, you can resolve this issue by removing the schema defaults for the openam.auth.zero.page.login.referer.whitelist attribute using the following ssoadm command:

$ ./ssoadm remove-attr-defs -s iPlanetAMAuthService -t Organization -u [adminID] -f [passwordfile] -a openam.auth.zero.page.login.referer.whitelist

replacing [adminID] and [passwordfile] with appropriate values.
You must restart the web application container in which OpenAM runs to apply this configuration change.
This change sets the whitelist to an empty list, meaning that zero page logins are allowed from any referer; if you are using OpenAM 11.0.3 or later, you should consider specifying a whitelist of allowed URLs instead for improved security.