This article has been archived and is no longer maintained by ForgeRock.
Upon authenticating, the user is redirected back to the protected resource and then back to the OpenAM login page for authentication, thereby creating a redirect loop. This does not happen if you use the Chrome™ browser; you just get redirected back to the protected resource without an error.
The browser shows a Loading... message and the URL is similar to the following, where there is a ? between the login URL and the goto parameter:
http://openam.example.com:8080/openam/XUI/#login/&realm=employees?goto=http%3A%2F%2Fagent.test.com%2F
Upgraded to OpenAM 13.x, which uses the XUI by default.
Changed the default OpenAM Login URL from /openam/UI/Login to the XUI equivalent: /openam/XUI/#login
Configured the OpenAM Conditional Login URL.
The policy agent appends the OpenAM Login URL or the OpenAM Conditional Login URL with ?goto= instead of &goto= which is not compatible with the XUI login URL. Instead of redirecting as expected to the protected resource after authentication, the goto parameter is treated as the realm parameter for login. Since this parameter cannot be resolved as a realm, the login page fails to load resulting in the redirect loop.
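The following is an added example, not code from the article or from ForgeRock: it models the behaviour described above so you can see why the separator matters. The agent model simply appends the goto parameter to the configured login URL with a chosen separator; the XUI model reads everything after #login/ as &-separated key=value pairs. That parsing rule is an assumption made for illustration and is not the XUI's actual implementation; the URLs are the ones from the symptoms section.

```javascript
// Added example (not ForgeRock or XUI code). Models, under stated assumptions,
// why "?goto=" breaks an XUI login URL while "&goto=" works.

// Values taken from the article's symptoms section.
const LOGIN_URL = "http://openam.example.com:8080/openam/XUI/#login/&realm=employees";
const PROTECTED_RESOURCE = "http://agent.test.com/";

// Model of the policy agent: append goto to the configured login URL using the
// given separator. The affected agent versions use "?" unconditionally.
function agentRedirectUrl(loginUrl, protectedResource, separator) {
  return loginUrl + separator + "goto=" + encodeURIComponent(protectedResource);
}

// Assumed model of the XUI: everything after "#login/" is a list of
// &-separated key=value pairs (the leading "&" produces an empty pair that
// is skipped). Returns null if the URL is not an XUI login URL.
function parseXuiLoginParams(url) {
  const hashIndex = url.indexOf("#");
  if (hashIndex === -1) return null;
  const fragment = url.slice(hashIndex + 1);
  if (!fragment.startsWith("login/")) return null;
  const params = {};
  for (const pair of fragment.slice("login/".length).split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    params[key] = value;
  }
  return params;
}

// Build the redirect with the given separator and report what the XUI would
// see. A "?" inside the realm value is the signature of the broken redirect:
// the realm cannot be resolved and no goto is available after login.
function describeRedirect(separator) {
  const url = agentRedirectUrl(LOGIN_URL, PROTECTED_RESOURCE, separator);
  const params = parseXuiLoginParams(url) || {};
  return {
    url,
    realm: params.realm === undefined ? null : params.realm,
    goto: params.goto === undefined ? null : decodeURIComponent(params.goto),
    brokenRealm: params.realm !== undefined && params.realm.includes("?"),
  };
}

// Show both forms side by side when run directly.
for (const separator of ["?", "&"]) {
  const result = describeRedirect(separator);
  console.log(`separator ${separator}: realm=${result.realm} goto=${result.goto} broken=${result.brokenRealm}`);
}
```

With "?" the realm value becomes employees?goto=http%3A%2F%2Fagent.test.com%2F and there is no goto parameter at all, which matches the symptoms above; with "&" the realm is employees and goto decodes to the protected resource.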
This issue can be resolved by updating the OpenAM Login URL or OpenAM Conditional Login URL. Set it back to the classic UI format; when the XUI is enabled, that URL redirects users to /openam/XUI/#login/&goto= with the goto parameter in the form the XUI expects. For example:
http://openam.example.com:8080/openam/UI/Login
OpenAM Login URL
You can change the OpenAM Login URL using either the OpenAM console or ssoadm as detailed in How do I configure policy agents (Web 4.x and JEE 3.5.x) to authenticate users against a specific realm in AM 6, 5.x and OpenAM 13.x?
OpenAM Conditional Login URL
The OpenAM Conditional Login URL does not yet have a dedicated field in the OpenAM console. You can either add it as a custom property in the OpenAM console or set it via ssoadm:
- Console: navigate to: Realms > [Realm Name] > Agents > Web > [Agent Name] > Advanced > Custom Properties and add the com.forgerock.agents.conditional.login.url property. For example: com.forgerock.agents.conditional.login.url = example.com|http://openam.example.com:8080/openam/XUI/#login/&
- ssoadm: enter the following command, replacing [realmname], [agentname], [adminID], [passwordfile] and [conditionalloginURL] with appropriate values, where [conditionalloginURL] has the form domain|login URL:
$ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a "com.forgerock.agents.conditional.login.url=[conditionalloginURL]"
For example:
$ ./ssoadm update-agent -e / -b Web -u amadmin -f pwd.txt -a "com.forgerock.agents.conditional.login.url=example.com|http://openam.example.com:8080/openam/XUI/#login/&"
See Web Policy Agent Guide › Configuring Access Management Services Properties for further information on the required format for this property.