
Web Policy Agent 3.3.x fails to redirect to OpenAM login or logout URL and shows 403: Forbidden Access error

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if the Web Policy Agent 3.3.x fails to redirect to the OpenAM login or logout page and shows a 403: Forbidden Access error. You will also see the "am_web_get_url_to_redirect: unable to find active Access Manager Auth server" warning in the agent debug log.



Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following error is shown in the agent debug log when the redirect failure occurs:

2015-11-17 10:06:22:725 Error 28669:14f040 all: is_server_alive(): PR_Connect returned error: Connection refused by peer
2015-11-17 10:06:22:726 Warning 28669:14f040 all: am_web_get_url_to_redirect: unable to find active Access Manager Auth server.
2015-11-17 10:06:22:726 Debug 28669:14f040 all: process_access_redirect(): get redirect url returned AM_FAILURE, redirect url [NULL].
2015-11-17 10:06:22:726 Debug 28669:14f040 all: process_access_redirect(): returning web result AM_WEB_RESULT_FORBIDDEN.
2015-11-17 10:06:22:726 Debug 28669:14f040 all: process_request(): returning web result AM_WEB_RESULT_FORBIDDEN, data []
2015-11-17 10:06:22:726 Debug 28669:14f040 all: am_web_process_request(): Rendering web result AM_WEB_RESULT_FORBIDDEN
2015-11-17 10:06:22:727 Debug 28669:14f040 all: am_web_process_request(): render result function returned AM_SUCCESS.

Recent Changes

N/A

Causes

By default, the policy agent performs a connectivity check against the OpenAM login or logout URL before redirecting the user there. That URL is typically reachable only by end users, not by the policy agent itself, so the check fails and the agent returns 403 instead of redirecting the user to OpenAM. The connectivity check is unnecessary: the redirect is followed by the user's browser, not by the agent.
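As an added example (not part of the original article), the following Python script parses agent debug log lines in the layout shown under Symptoms and separates 403 results caused by the failed connectivity check from 403s with other causes, by correlating the "unable to find active Access Manager Auth server" warning and the AM_WEB_RESULT_FORBIDDEN result on the same pid:thread ID. The sample log lines are constructed for the example, not a real capture.

```python
import re

# Line layout of the agent debug log: date time level pid:thread module: message
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3}) "
    r"(?P<level>\w+) (?P<thread>[0-9a-f]+:[0-9a-f]+) (?P<module>\w+): (?P<msg>.*)$"
)

# Message fragments that identify the failed pre-redirect connectivity check.
SERVER_CHECK_WARNING = "unable to find active Access Manager Auth server"
FORBIDDEN_RESULT = "AM_WEB_RESULT_FORBIDDEN"

# Constructed sample log (not a real capture): thread 14f040 shows the
# connectivity-check failure; thread 14f041 shows a 403 for another reason.
SAMPLE_LOG = """\
2015-11-17 10:06:22:725 Error 28669:14f040 all: is_server_alive(): PR_Connect returned error: Connection refused by peer
2015-11-17 10:06:22:726 Warning 28669:14f040 all: am_web_get_url_to_redirect: unable to find active Access Manager Auth server.
2015-11-17 10:06:22:726 Debug 28669:14f040 all: process_access_redirect(): get redirect url returned AM_FAILURE, redirect url [NULL].
2015-11-17 10:06:22:726 Debug 28669:14f040 all: process_access_redirect(): returning web result AM_WEB_RESULT_FORBIDDEN.
2015-11-17 10:06:25:102 Debug 28669:14f041 all: process_request(): returning web result AM_WEB_RESULT_FORBIDDEN, data []
"""

def parse_line(line):
    """Return the fields of one debug-log line, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def classify_forbidden(log_text):
    """Map each thread that produced AM_WEB_RESULT_FORBIDDEN to its cause:
    'server_check' when the same thread logged the failed connectivity check,
    otherwise 'other' (for example a genuine policy decision)."""
    warned = set()
    forbidden = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["level"] == "Warning" and SERVER_CHECK_WARNING in rec["msg"]:
            warned.add(rec["thread"])
        if FORBIDDEN_RESULT in rec["msg"]:
            forbidden.add(rec["thread"])
    return {t: ("server_check" if t in warned else "other") for t in sorted(forbidden)}

def find_server_check_failures(log_text):
    """Threads whose 403 is explained by the pre-redirect server check, i.e. the
    cases addressed by com.sun.identity.agents.config.ignore.server.check=true."""
    return [t for t, cause in classify_forbidden(log_text).items() if cause == "server_check"]
```

Threads reported as "other" still return 403 after the connectivity check is disabled, so they need a separate look at the policy evaluation entries for that thread.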

Solution

This issue can be resolved by upgrading to Web Policy Agents 4 or later; you can download this from BackStage.

Alternatively, you can disable this unnecessary connectivity check using either the OpenAM console or ssoadm:

  • OpenAM 13.x console: navigate to: Realms > [Realm Name] > Agents > Web > [Agent Name] > Miscellaneous > Ignore Server Check and select the Enabled option.
  • Pre-OpenAM 13 console: navigate to: Access Control > [Realm Name] > Agents > Web > [Agent Name] > Miscellaneous > Ignore Server Check and select the Enabled option.
  • ssoadm: enter the following command, replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values:
    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.ignore.server.check=true

See Also

JEE Policy Agent 3.5.x fails to redirect to AM/OpenAM login or logout URL and shows 500: Internal server error

OpenAM Web Policy Agent Reference › Web Agent Configuration Properties › Agent Configuration Properties

Related Training

N/A

Related Issue Tracker IDs

OPENAM-3294 (Agents should not probe the loginURL / logoutURL before redirecting by default)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.