
XUI Login URL with goto parameter causes redirect loop or prevents OpenAM 13.x login page loading

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you encounter a redirect loop between OpenAM and Web Policy Agents when using the XUI Login URL with a goto parameter. Alternatively, you may notice that the OpenAM login page gets stuck on the Loading message instead of redirecting.


1 reader recommends this article

Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

Upon authenticating, the user is redirected back to the protected resource and then back to the OpenAM login page for authentication, thereby creating a redirect loop. This does not happen if you use the Chrome™ browser; you just get redirected back to the protected resource without an error.

The browser shows a Loading... message and the URL is similar to the following where there is a ? between the login URL and the goto parameter:

http://openam.example.com:8080/openam/XUI/#login/&realm=employees?goto=http%3A%2F%2Fagent.test.com%2F

Recent Changes

Enabled XUI.

Upgraded to OpenAM 13.x, which uses the XUI by default.

Changed the default OpenAM Login URL from /openam/UI/Login to the XUI equivalent: /openam/XUI/#login

Configured the OpenAM Conditional Login URL.

Causes

The policy agent appends the OpenAM Login URL or the OpenAM Conditional Login URL with ?goto= instead of &goto=, which is not compatible with the XUI login URL. The XUI reads its parameters from the fragment after #login/ and splits them on &, so the ? is not recognized as a separator: instead of being used to redirect the user to the protected resource after authentication, the goto parameter becomes part of the value of the realm parameter. Since that value cannot be resolved as a realm, the login page fails to load, resulting in the redirect loop.

Solution

This issue can be resolved by updating the OpenAM Login URL or OpenAM Conditional Login URL. First, revert the URL to the classic UI format; when XUI is enabled, OpenAM then redirects users to /openam/XUI/#login/&goto= itself, with the goto parameter in the form the XUI expects. For example:

http://openam.example.com:8080/openam/UI/Login
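The following is an added example, not ForgeRock agent or XUI code, that models the behaviour described in the Causes and Solution sections above so you can check a candidate login URL before changing an agent profile. It assumes the agent builds its redirect by plain string concatenation with the separator shown in the article (the separator argument and the & case go beyond the page, to show what a compatible append would look like), that the XUI reads parameters only from the fragment after #login/, split on &, and it uses a constructed set of known realms and a simplified model of the classic /UI/Login to /XUI/#login/ redirect.

```python
"""Model of how a web policy agent builds its login redirect and how the XUI
reads parameters back out of the fragment.  Illustrative only: the URL-building
and parsing logic is an assumption written for this article, not the agent's or
the XUI's own code."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, quote, unquote

# Constructed sample data: realms the hypothetical deployment knows about.
KNOWN_REALMS = {"/", "employees"}


def build_agent_redirect(login_url: str, goto: str, separator: str = "?") -> str:
    """Append goto= to the configured login URL the way the article describes
    the agent doing it: a plain string append using the given separator."""
    return f"{login_url}{separator}goto={quote(goto, safe='')}"


def xui_fragment_params(url: str) -> dict:
    """Parse the parameters the XUI reads from '#login/&k=v&k2=v2'.
    Everything after '#login/' is split on '&'; the agent's '?' is NOT a
    separator here, which is the root cause the article describes."""
    fragment = urlsplit(url).fragment  # e.g. 'login/&realm=employees?goto=...'
    if not fragment.startswith("login/"):
        return {}
    params = {}
    for pair in fragment[len("login/"):].split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key] = unquote(value)
    return params


def classic_ui_to_xui(url: str) -> str:
    """Model the server-side redirect from /UI/Login?goto=... to
    /XUI/#login/&goto=... that the article says happens when XUI is enabled.
    Simplified assumption: query parameters are moved into the fragment."""
    parts = urlsplit(url)
    if not parts.path.endswith("/UI/Login"):
        return url
    xui_path = parts.path[: -len("/UI/Login")] + "/XUI/"
    fragment = "login/" + "".join(
        f"&{key}={quote(value, safe='')}" for key, value in parse_qsl(parts.query)
    )
    return urlunsplit((parts.scheme, parts.netloc, xui_path, "", fragment))


def check_login_redirect(login_url: str, goto: str, separator: str = "?") -> dict:
    """Build the redirect and report whether the XUI would see a resolvable
    realm and the intended goto, i.e. whether this configuration avoids the loop."""
    redirect = build_agent_redirect(login_url, goto, separator)
    landing = classic_ui_to_xui(redirect)
    params = xui_fragment_params(landing)
    realm = params.get("realm", "/")  # the XUI falls back to the top-level realm
    return {
        "redirect": redirect,
        "params": params,
        "realm_ok": realm in KNOWN_REALMS,
        "goto_ok": params.get("goto") == goto,
    }


if __name__ == "__main__":
    goto = "http://agent.test.com/"
    for login_url in (
        "http://openam.example.com:8080/openam/XUI/#login/&realm=employees",  # loops
        "http://openam.example.com:8080/openam/UI/Login",                     # works
    ):
        result = check_login_redirect(login_url, goto)
        print(result["redirect"])
        print("  realm_ok:", result["realm_ok"], " goto_ok:", result["goto_ok"])
```

Run with the XUI login URL, the first redirect printed is exactly the stuck URL shown under Symptoms, and the parsed realm comes back as employees?goto=..., which is why the page never loads; with the classic /UI/Login URL the goto survives the redirect into the fragment and the realm resolves.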

OpenAM Login URL

You can change the OpenAM Login URL using either the OpenAM console or ssoadm as detailed in How do I configure policy agents (Web 4.x and JEE 3.5.x) to authenticate users against a specific realm in AM 6, 5.x and OpenAM 13.x?

OpenAM Conditional Login URL

The OpenAM Conditional Login URL is not yet maintainable in the OpenAM console. You can either add it as an advanced property in the OpenAM console or via ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Agents > Web > [Agent Name] > Advanced > Custom Properties and add the com.forgerock.agents.conditional.login.url property. For example:

    com.forgerock.agents.conditional.login.url[0] = example.com|http://openam.example.com:8080/openam/XUI/#login/&

  • ssoadm: enter the following command:

    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a "com.forgerock.agents.conditional.login.url[0]=[conditionalloginURL]"

    replacing [realmname], [agentname], [adminID], [passwordfile] and [conditionalloginURL] with appropriate values, where [conditionalloginURL] consists of the domain|login URL. For example:

    $ ./ssoadm update-agent -e / -b Web -u amadmin -f pwd.txt -a "com.forgerock.agents.conditional.login.url[0]=example.com|http://openam.example.com:8080/openam/XUI/#login/&"

See Web Policy Agent Guide › Configuring Access Management Services Properties for further information on the required format for this property.

See Also

How do I configure policy agents (Web 4.x and JEE 3.5.x) to authenticate users against a specific realm in AM 6, 5.x and OpenAM 13.x?

Web Policy Agent Guide › Configuring Access Management Services Properties 

Related Training

N/A

Related Issue Tracker IDs

OPENAM-5547 (Agent behaviour when appending goto= to LoginURLs is not compatible with XUI login URL)

OPENAM-8173 (OpenAM Login URL in the agent profile should support XUI login URL)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.