OpenAM 11.0.0 Getting Started Guide – ForBidden issue

This topic has 5 replies, 5 voices, and was last updated 4 years, 5 months ago by Andy Cory.

  • #1326
     mpagadala
    Participant

    Hi,

    I am evaluating OpenAM 11.0.0. I followed the steps described in OpenAM-11.0.0-Getting-Started. I am using the following software.

    1. apache-tomcat-7.0.55
    2. java version “1.6.0_45”
    3. Apache HTTP Server, version 2.2.
    4. Apache-v2.2-WINNT-32-Agent-3.3.0

    Everything went well. But I got a “ForBidden” issue when I hit section “1.4 Trying it Out” Step 2.
    I used the same URLs described in the getting started guide.

    Here is my host file content:

    127.0.0.1 localhost openam.example.com http://www.example.com

    Here are the logs from the Apache HTTP server.

    Starting the Apache2.2 service
    The Apache2.2 service is running.
    ] Apache/2.2.25 (Win32) configured — resuming normal operations
    [Thu Nov 20 11:12:53 2014] [notice] Server built: Jul 10 2013 01:52:12
    [Thu Nov 20 11:12:53 2014] [notice] Parent: Created child process 9832
    [Thu Nov 20 11:12:53 2014] [notice] Web Policy Agent shared memory configuration: notif_shm_size[2099200], pdp_shm_size[3213312], max_pid_count[256], max_pdp_count[256]
    [Thu Nov 20 11:12:53 2014] [notice] Child 9832: Child process is running
    [Thu Nov 20 11:12:53 2014] [notice] Child 9832: Acquired the start mutex.
    [Thu Nov 20 11:12:53 2014] [notice] Child 9832: Starting 64 worker threads.
    [Thu Nov 20 11:12:53 2014] [notice] Child 9832: Starting thread to listen on port 8000.

    Any help would be appreciated.

    Thanks,
    Murali
    Talent Partners
    646.981.6859

    #1412
     Jamie Bowen
    Moderator

    I take it you’re using Windows, Murali?

    What URL are you browsing to when you get the Forbidden message?

    #1537
     mpagadala
    Participant

    I was on vacation last week, hence couldn’t reply.
    Yes I am using Windows 7.
    Browser : Chrome and IE 10

    Today, I started over with a clean install and this time I am able to see the OpenAM login page when I hit the URL http://www.example.com:8000. But when I log in by providing the username and password, I get the error below.

    This webpage has a redirect loop

    The webpage at http://localhost:8080/openam/UI/Login?goto=http%3A%2F%2Fwww.example.com%3A8000 has resulted in too many redirects.
    Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.
    Learn more about this problem.
    Error code: ERR_TOO_MANY_REDIRECTS

    Thanks for your time.

    #1868
     Nicolas Seigneur
    Participant

    This is likely caused by the OpenAM server being accessed through localhost. You should never access OpenAM using localhost, but rather through the FQDN.

    What happens here, from what I understand, is that when you hit http://www.example.com:8000, the Agent redirects you to OpenAM but on localhost. When successfully authenticated, OpenAM will try to set the iPlanetDirectoryPro cookie, presumably on localhost…?

    Since the cookie is rejected, the Agent does not find a SessionID, so it sends you back to OpenAM on localhost where it would, again presumably, find the SessionID, seeing you are authenticated, sending you back to the agent, causing an endless loop.

    Make sure the cookie domain, the FQDN of OpenAM, and the FQDN of the protected resource all match; otherwise you will require CDSSO.

    Nicolas

    #18516
     eshraiman
    Participant

    If you are following the Getting Started guide, there is one important step left out there.

    You have to set the correct cookie domain, which should be example.com, not openam.example.com as OpenAM defaults to.

    Go to configure -> Global Services -> Platform and set the cookie domains parameter to example.com.
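
Added example (not part of any post above and not ForgeRock code): a small Python check that applies the RFC 6265 cookie domain-match rule to the hosts in this thread, to show which combinations leave the agent without a session cookie. The function names and result strings are this example's own, and it assumes OpenAM sets iPlanetDirectoryPro with the configured cookie domain, as the replies above describe.

```python
# Added illustration: why the agent never sees the OpenAM session cookie.
# Simplified RFC 6265 rules; real browsers also reject public-suffix domains.
import ipaddress
from urllib.parse import urlsplit

def _host(url):
    return urlsplit(url).hostname.lower()  # cookies ignore the port

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP literals only ever match exactly
    except ValueError:
        return host.endswith("." + cookie_domain)

def browser_accepts(setting_url, cookie_domain):
    """A Domain cookie is stored only if the setting host matches that domain."""
    return domain_match(_host(setting_url), cookie_domain)

def agent_sees_session(openam_url, agent_url, cookie_domain):
    """True if a cookie set by OpenAM is later sent to the protected site."""
    if cookie_domain is None:  # host-only cookie: exact host match required
        return _host(openam_url) == _host(agent_url)
    return (browser_accepts(openam_url, cookie_domain)
            and domain_match(_host(agent_url), cookie_domain))

def diagnose(openam_url, agent_url, cookie_domain):
    if agent_sees_session(openam_url, agent_url, cookie_domain):
        return "ok"
    if cookie_domain and not browser_accepts(openam_url, cookie_domain):
        return "loop: browser rejects cookie"
    return "loop: cookie not sent to agent"

if __name__ == "__main__":
    agent = "http://www.example.com:8000/"
    # Constructed scenarios based on the URLs quoted in the thread.
    for openam, domain in [
        ("http://localhost:8080/openam", "openam.example.com"),
        ("http://openam.example.com:8080/openam", "openam.example.com"),
        ("http://openam.example.com:8080/openam", ".example.com"),
    ]:
        print(f"{openam:40} Domain={domain:20} {diagnose(openam, agent, domain)}")
```

Only the last scenario, OpenAM reached by its FQDN with the cookie domain set to example.com, gets the cookie to www.example.com.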

    #18545
     Andy Cory
    Participant

    Any evaluation of OpenAM 11.0.0 undertaken in 2014 is hopefully finished by now :-)
