Issue with realm redirection with webagents 5 and openAM 5.5.1

This topic has 20 replies, 10 voices, and was last updated 3 years, 4 months ago by William Hepler.

  • #21632
     aniru2dh
    Participant

    Hi All,

    I am setting up a test environment with openAM 5.5 and webagent 5.0.

    I have created a sub realm /test and created an agent and policy. Installed webagent on apache 2.4 web server.

    Whenever I hit the application URL, it redirects to the top-level realm; my expectation is that it should redirect to the realm where the agent is set up. I have customized the UI for the sub realm using the default dark-theme so that when there is a request for the application URL, it should redirect the user to the sub realm page but not the top realm.

    Thanks,
    Anirudh.

    #21633
     Rajesh R
    Participant

    On your OpenAM Console go to the Test Realm > Applications > Agents > webagent > OpenAM Services > OpenAM Login URL

    Modify the OpenAM Login URL to point to your Test Realm (e.g. http://openam.example.com:18080/openam?realm=test)

    #21635
     aniru2dh
    Participant

    @rajeshr I have changed the openam login url but still the same issue.

    openam Login url: http://openam.web.domain:8080/tolltest/?realm=test

    application url: http://apache.web.domain:80

    When I hit the above application url, it redirects to below url

    Url shown in the browser:

    http://openam.web.domain:8080/tolltest/XUI/?realm=%2F&goto=http%3A%2F%2Fopenam.web.domain%3A8080%2Ftolltest%2Foauth2%2Fauthorize%3Fresponse_type%3Did_token%26scope%3Dopenid%26client_id%3Dapache-httpd%26redirect_uri%3Dhttp%253A%252F%252Fapache.web.domain%253A80%252Fagent%252Fcdsso-oauth2%26state%3Df8784bb5-995a-844d-89c5-c756d5771f36%26nonce%3DE847BB7A472BC3F57D0FD335F331DECD%26response_mode%3Dform_post%26agent_provider%3Dtrue%26agent_realm%3D%252Ftest#login/

    I have also updated the realm and application names in the Agent Policy client service settings:
    Realm:/test
    Application: sample(policy set id created under realm /test)

    Please let me know if I am missing something.

    Thanks,
    Anirudh
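
Added example, not part of the original posts: the redirect URL quoted in post #21635, decoded layer by layer in Python to compare the `realm` the login page received with the `agent_realm` carried inside `goto`. The function names are illustrative; only the URL comes from the thread.

```python
from urllib.parse import urlsplit, parse_qs

# Redirect URL copied verbatim from post #21635 on this page.
REDIRECT = (
    "http://openam.web.domain:8080/tolltest/XUI/?realm=%2F"
    "&goto=http%3A%2F%2Fopenam.web.domain%3A8080%2Ftolltest%2Foauth2%2Fauthorize"
    "%3Fresponse_type%3Did_token%26scope%3Dopenid%26client_id%3Dapache-httpd"
    "%26redirect_uri%3Dhttp%253A%252F%252Fapache.web.domain%253A80%252Fagent%252Fcdsso-oauth2"
    "%26state%3Df8784bb5-995a-844d-89c5-c756d5771f36"
    "%26nonce%3DE847BB7A472BC3F57D0FD335F331DECD"
    "%26response_mode%3Dform_post%26agent_provider%3Dtrue%26agent_realm%3D%252Ftest"
    "#login/"
)


def query(url):
    """Return the query string of url as a dict of single, once-decoded values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def unwrap(url):
    """Peel the nested layers: login page -> goto (authorize) -> redirect_uri."""
    outer = query(url)                 # parameters of the XUI login page
    authorize = outer.get("goto", "")  # URL the browser returns to after login
    inner = query(authorize)           # parameters of the authorize request
    return {
        "login_realm": outer.get("realm"),
        "login_fragment": urlsplit(url).fragment,
        "authorize_path": urlsplit(authorize).path,
        "agent_realm": inner.get("agent_realm"),
        "client_id": inner.get("client_id"),
        "redirect_uri": inner.get("redirect_uri"),
    }


def realm_mismatch(url):
    """True when the login page realm differs from the agent's realm in goto."""
    info = unwrap(url)
    return info["login_realm"] != info["agent_realm"]


if __name__ == "__main__":
    for key, value in unwrap(REDIRECT).items():
        print(f"{key:15} {value}")
    print("realm mismatch:", realm_mismatch(REDIRECT))
```

The decoded layers show the login page being asked for realm `/` while the wrapped `/oauth2/authorize` request carries `agent_realm=/test`, and no host or path from the configured login URL appears at either level.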

    #21636
     aniru2dh
    Participant

    openam Login url: http://openam.web.domain:8080/tolltest?realm=test (an extra / was present in the previous post)

    #21639
     Rajesh R
    Participant

    On intercepting a client request, the WebAgent simply redirects the request to the URL as mentioned in the ‘OpenAM Login URL’ field of agent configuration. So it’s strange that the request is still getting redirected to the top level realm. Browser cache, perhaps?

    You could try putting a dummy url there as well, just to see if the configuration change in the Web Agent is being picked up or not.

    #21640
     aniru2dh
    Participant

    I have modified the URL to Google for testing, and as per the logs I could see the parameter is being set, but I still get the same login page. I have cleared the browser cache as well as deleted the complete history and then tried the URL.

    log info:

    2018-04-27 15:51:33.799 +0530 DEBUG [dbe7fe1d-af3c-b44f-b87d-024a4acd200f][source/config_parser.c:413]parse_config_string_map() com.sun.identity.agents.config.login.url is set to (0 -> http://www.google.com), 1 value(s)

    Are there any limitations with webagents 5.0? Does it require any restart as well?

    #21706

    Restarting a web container that has a web agent installed on it cannot hurt and would not be a limitation if it turns out to resolve your issue. That is one of the first things to try, beyond restarting OpenAM as well, especially if you tried install/uninstall several times and tweaked configurations in between.

    –Nikolaos

    #21707

    Looking at your specific issue more carefully I suspect your issue is that you are not specifying the URL properly.

    If you are using the “realm” login URL parameter then you must specify the full path of the subrealm including its parent part beginning with a / e.g. if the parent realm is “sp” and subrealm is “test” then try:

    http://openam.web.domain:8080/tolltest?realm=/sp/test

    Alternatively, if you are using the XUI login URL with the realm specified inline in the URL path part, then you should NOT specify the full path of the subrealm, e.g. try:

    http://openam.web.domain:8080/tolltest/XUI/#login/test

    HTH,

    –Nikolaos

    #21727
     aniru2dh
    Participant

    Hi Nikolaos,

    I tried using the XUI Login but it is still the same. Also the sub-realm is under top level realm /, so the login url I am using is http://openam.web.domain:8080/tolltest/XUI/#login/test.

    I also did a webserver start after changing the login URL parameter. Any suggestions or things to check from my end to fix the issue?

    Thanks,
    Anirudh.

    #21734

    So if you directly try with your web browser can you login to that /test subrealm?
    http://openam.web.domain:8080/tolltest/XUI/#login/test

    If it does work then one other thing you appear to be doing different than typical (albeit it's a best practice) is to use a custom webapp context other than “openam”. Perhaps you can try to redeploy OpenAM using “openam” and see if that makes a difference – sometimes things can be buggy when non-typical deployments are made. Beyond that it is hard to assist.

    ASIDE: I don’t set the Policy realm typically but I don’t think this matters.

    –Nikolaos

    #21745
     grk
    Participant

    @aniru2dh are you using centralized or local configuration? If you are using local configuration, you need to update agent.conf stored on the web server under the agent installation dir. Otherwise, switch to “centralized”.

    Thanks,

    #21747
     aniru2dh
    Participant

    @grk : we are using centralized configuration for the agent.

    @nikolaosgac : regarding your suggestion to redeploy OpenAM to openam: for testing purposes this might be good, but what would be the case if I have to deploy this in a prod environment? In that case it is not a good idea to use openam, as there could be a chance of a client requesting to use customized names for deployment.

    Thanks,
    Anirudh.

    #21755
     maryland
    Participant

    Hi Anirudh, Can you please confirm the agent profile realm value…

    Edit Agent Profile –> OpenAM Services tab –> Policy Client Service link –> Realm value (Which realm to start evaluating from)

    Thanks!

    #21794
     aniru2dh
    Participant

    @Maryland : The realm value is set correctly to /test in agent profile->Policy Client Service link.

    #21825
     aniru2dh
    Participant

    Does anyone have any other suggestions to fix the issue?

    Thanks,
    Anirudh.

Viewing 15 posts - 1 through 15 (of 21 total)
