XUI Login URL with goto parameter causes redirect loop or prevents OpenAM 13.x login page loading
The purpose of this article is to provide assistance if you encounter a redirect loop between OpenAM and Web Policy Agents when using the XUI Login URL with a goto parameter. Alternatively, you may notice that the OpenAM login page gets stuck on the Loading message instead of redirecting.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
Upon authenticating, the user is redirected back to the protected resource and then back to the OpenAM login page for authentication, thereby creating a redirect loop. This does not happen if you use the Chrome™ browser; you just get redirected back to the protected resource without an error.
The browser shows a Loading... message and the URL is similar to the following where there is a ? between the login URL and the goto parameter:
http://openam.example.com:8080/openam/XUI/#login/&realm=employees?goto=http%3A%2F%2Fagent.test.com%2F
Recent Changes
Enabled XUI.
Upgraded to OpenAM 13.x, which uses the XUI by default.
Changed the default OpenAM Login URL from /openam/UI/Login to the XUI equivalent: /openam/XUI/#login
Configured the OpenAM Conditional Login URL.
Causes
The policy agent appends ?goto= rather than &goto= to the OpenAM Login URL or OpenAM Conditional Login URL, which is not compatible with the XUI login URL. The XUI carries its login parameters in the URL fragment (everything after #), where they are separated by &; a ? inside the fragment is not a query-string delimiter, so the appended ?goto=... is simply swallowed into the preceding parameter. Instead of the user being redirected to the protected resource after authentication, the goto value becomes part of the realm parameter (for example, realm=employees?goto=http%3A%2F%2F...). Since that value cannot be resolved as a realm, the login page fails to load and the agent redirects again, producing the loop.
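The following is an added example, not code from OpenAM or the web policy agent, that models the URL handling described above so the symptom can be reproduced offline. The agent behaviour (appending ?goto= to the configured login URL), the XUI fragment parsing (splitting #login/... on &), the classic-UI-to-XUI rewrite, and the realm validity check are all assumptions derived from this article, not the products' source code; the host names, realm and resource are the constructed sample values used elsewhere on this page.

```javascript
// Added example: models the redirect described in this article.
// All behaviour below is an assumption based on the article, not OpenAM/agent code.

// Assumed agent behaviour: append "?goto=<encoded protected resource>" to the
// configured OpenAM Login URL, regardless of what that URL already contains.
function agentRedirectUrl(loginUrl, protectedResource) {
  return loginUrl + "?goto=" + encodeURIComponent(protectedResource);
}

// Assumed XUI behaviour: the fragment "#login/&k1=v1&k2=v2" is split on "&" and
// each piece on its first "=". To the browser nothing after "#" is URL syntax,
// so a "?" inside the fragment is just an ordinary character in a value.
function parseXuiLoginFragment(url) {
  const hash = url.indexOf("#");
  if (hash === -1) return null;
  const fragment = url.slice(hash + 1);
  if (!fragment.startsWith("login/")) return null;
  const params = {};
  for (const piece of fragment.slice("login/".length).split("&")) {
    if (piece === "") continue;
    const eq = piece.indexOf("=");
    const key = eq === -1 ? piece : piece.slice(0, eq);
    const value = eq === -1 ? "" : decodeURIComponent(piece.slice(eq + 1));
    params[key] = value;
  }
  return params;
}

// Assumed OpenAM behaviour with the XUI enabled: a classic /UI/Login?... request
// is redirected to /XUI/#login/&..., i.e. the server turns the "?" into a "&".
function classicLoginToXui(url) {
  const marker = "/UI/Login?";
  const q = url.indexOf(marker);
  if (q === -1) return url;
  return url.slice(0, q) + "/XUI/#login/&" + url.slice(q + marker.length);
}

// Stand-in for OpenAM's realm lookup (assumption): no realm means the default
// realm; otherwise only a plain path such as "employees" or "/a/b" resolves.
function realmLooksResolvable(realm) {
  if (realm === undefined || realm === "/") return true;
  return /^\/?[A-Za-z0-9._-]+(\/[A-Za-z0-9._-]+)*$/.test(realm);
}

// What the XUI login page would see for a given redirect URL, and whether the
// page can load (i.e. the realm it was handed is resolvable).
function loginOutcome(redirectUrl) {
  const params = parseXuiLoginFragment(redirectUrl) || {};
  return {
    realm: params.realm,
    goto: params.goto,
    loads: realmLooksResolvable(params.realm),
  };
}

// Constructed sample values (same hosts as used in this article).
const RESOURCE = "http://agent.test.com/";
const XUI_LOGIN_URL = "http://openam.example.com:8080/openam/XUI/#login/&realm=employees";
const CLASSIC_LOGIN_URL = "http://openam.example.com:8080/openam/UI/Login";

// Broken configuration: agent appends "?goto=" directly to the XUI URL.
function brokenCase() {
  return loginOutcome(agentRedirectUrl(XUI_LOGIN_URL, RESOURCE));
}

// Fixed configuration: agent appends "?goto=" to the classic URL, OpenAM rewrites
// it to the XUI form with "&goto=", and goto survives as its own parameter.
function fixedCase() {
  return loginOutcome(classicLoginToXui(agentRedirectUrl(CLASSIC_LOGIN_URL, RESOURCE)));
}

console.log("broken:", brokenCase());
console.log("fixed: ", fixedCase());
```

Running the block prints the realm the XUI would try to resolve in each case: with the XUI URL configured directly the realm becomes the string employees?goto=http://agent.test.com/ and the page cannot load, while with the classic URL the realm is untouched and goto is delivered as a separate parameter.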
Solution
This issue can be resolved by updating the OpenAM Login URL or the OpenAM Conditional Login URL so that the value the agent produces is one the XUI can parse. For the OpenAM Login URL, revert to the classic UI format; when the XUI is enabled, OpenAM itself redirects the user to /openam/XUI/#login/&goto=..., with the correct & separator. For example:
http://openam.example.com:8080/openam/UI/Login
OpenAM Login URL
You can change the OpenAM Login URL using either the OpenAM console or ssoadm as detailed in How do I configure policy agents (Web 4.x and JEE 3.5.x) to authenticate users against a specific realm in AM 6, 5.x and OpenAM 13.x?
OpenAM Conditional Login URL
The OpenAM Conditional Login URL is not yet maintainable in the OpenAM console. You can either add it as an advanced property in the OpenAM console or via ssoadm:
- Console: navigate to: Realms > [Realm Name] > Agents > Web > [Agent Name] > Advanced > Custom Properties and add the com.forgerock.agents.conditional.login.url property. For example: com.forgerock.agents.conditional.login.url[0] = example.com|http://openam.example.com:8080/openam/XUI/#login/&
- ssoadm: enter the following command:
$ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a "com.forgerock.agents.conditional.login.url[0]=[conditionalloginURL]"
replacing [realmname], [agentname], [adminID], [passwordfile] and [conditionalloginURL] with appropriate values, where [conditionalloginURL] consists of the domain|login URL. For example:
$ ./ssoadm update-agent -e / -b Web -u amadmin -f pwd.txt -a "com.forgerock.agents.conditional.login.url[0]=example.com|http://openam.example.com:8080/openam/XUI/#login/&"
See Web Policy Agent Guide › Configuring Access Management Services Properties for further information on the required format for this property.
See Also
Web Policy Agent Guide › Configuring Access Management Services Properties
Related Training
N/A
Related Issue Tracker IDs
OPENAM-5547 (Agent behaviour when appending goto= to LoginURLs is not compatible with XUI login URL)
OPENAM-8173 (OpenAM Login URL in the agent profile should support XUI login URL)