This topic has 5 replies, 3 voices, and was last updated 5 years, 7 months ago by naeemjmi.
May 24, 2016 at 10:46 am #10719
[email protected]
Participant
I have installed and configured a web agent in my Apache 2.4 reverse proxy instance that connects to my web apps executed in Tomcat instances by using virtual hosts.
The policy is executed and I'm redirected to the OpenAM server login page to authenticate.
After logging in successfully, however, the browser goes into an infinite loop and I'm not able to determine the cause. The web site URL is http://www.projet-okinawa.ch, which is transformed to web.projet-okinawa.org/okinawa by the reverse proxy module. OpenAM is executing on the openam.projet-okinawa.org server.
Is this a cross-domain problem?
I ask this because I don't know exactly when the agent is treating the headers: after or before the reverse proxy transformation?
Thanks
May 24, 2016 at 11:34 am #10720
Bhargava.bada
Participant
Hi,
This might be an issue with your agent. OpenAM is able to successfully authenticate the user, but your agent is not able to get the authentication info, so it redirects back to OpenAM. Again OpenAM is able to find the authentication session and redirects to the agent, and it repeatedly goes into an infinite loop. Check the agent logs and OpenAM logs in debug mode.
Thanks
Bhargava

May 24, 2016 at 4:58 pm #10727
[email protected]
Participant
I set the log level to message for both the agent and the OpenAM instance, but I didn't find any error that can explain the infinite loop. Everything seems to be working ... but is really wrong.
The agent log stops debugging after redirecting to the OpenAM login page and does not come back. I think the reason is that the OpenAM host URL (openam.projet-okinawa.org) has no agent and no virtual host set in the reverse proxy.
The OpenAM CoreSystem log shows that user demo was retrieved:
* :: READ attempted by [unknown]
frRest:05/24/2016 02:00:36:102 PM UTC: Thread[http-nio-8443-exec-3,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-159] ServerInfoResource :: READ : in realm: /
frRest:05/24/2016 02:00:36:104 PM UTC: Thread[http-nio-8443-exec-3,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-159] ServerInfoResource.getAllServerInfo :: Added resource to response: *
frRest:05/24/2016 02:00:44:335 PM UTC: Thread[http-nio-8443-exec-5,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-198] users :: ACTION|IDFROMSESSION attempted by id=demo,ou=user,dc=openam,dc=forgerock,dc=org
frRest:05/24/2016 02:00:44:336 PM UTC: Thread[http-nio-8443-exec-5,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-198] IdentityResource.idFromSession() :: Retrieved ID for user=demo
frRest:05/24/2016 02:00:44:389 PM UTC: Thread[http-nio-8443-exec-3,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-201] demo :: READ attempted by id=demo,ou=user,dc=openam,dc=forgerock,dc=org
tokenDataLayer:05/24/2016 02:00:44:559 PM UTC: Thread[http-nio-8443-exec-3,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-201] Requesting ConnectionFactory for type DATA_LAYER
tokenDataLayer:05/24/2016 02:00:44:560 PM UTC: Thread[http-nio-8443-exec-3,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-201]
In such cases, what is the debugging approach to understand what the problem is?
May 25, 2016 at 10:00 am #10738
[email protected]
Participant
I finally found my error in the CDSSO configuration. That solved the problem of the infinite loop. I have the cookie set for both http://www.projet-okinawa.ch and openam.projet-okinawa.org, which allows the agent to execute correctly (no more infinite loop).
May 25, 2016 at 10:13 am #10739
[email protected]
Participant
I still have doubts about the property names: com.sun.identity.agents.config.override.protocol, com.sun.identity.agents.config.override.host, com.sun.identity.agents.config.override.port and com.sun.identity.agents.config.override.notification.url.
The agent is a web agent installed in the Apache instance that executes as a reverse proxy for the web apps that execute on Tomcat instances.
The agent is activated for the web apps' virtual host, not for OpenAM. I didn't set/activate any rewriting rules for the moment except ProxyPass and ProxyPassReverse.
Do I need to set these properties to true? (The agent is behind a proxy, so I think I have to, but I don't understand what they mean and what they do exactly.)
In both cases, is it explained somewhere what they mean and what they do exactly?

December 28, 2016 at 6:32 am #15087
naeemjmi
Participant
It might be due to a domain name change issue. Your agent URL and OpenAM URL domain should be the same.
For example: OpenAM URL - http://www.openam.example.com
Agent URL - http://www.agent.example.com
This will share the same cookie as their domain .example.com is the same.
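The following is an added example, not code from the thread or from the OpenAM/ForgeRock agent itself. It is a small model of the agent-to-OpenAM redirect exchange that shows why the CDSSO cookie domain list (the fix found on May 25) and the "same domain" advice above decide between a successful login and the infinite loop. It assumes the session cookie is named iPlanetDirectoryPro (OpenAM's default; the posts never name it), that the agent allows a request as soon as the browser sends that cookie to the protected host, and that after login the cookie is stored once per domain in the configured cookie domain list; the real CDCServlet POST is abstracted away. Host names from the thread are reused as sample input.

```python
"""
Added example (not from the thread): a minimal model of the web-agent / OpenAM
redirect exchange, used to show why the cookie domain list decides between a
successful login and the infinite loop described above.

Assumptions (hypothetical, not taken from the original posts):
- the SSO cookie is named iPlanetDirectoryPro (OpenAM's default session cookie);
- the agent allows the request as soon as the browser sends that cookie to the
  protected host, and otherwise redirects to the OpenAM login page with a goto;
- after login, the SSO cookie is stored once per domain in the configured
  CDSSO cookie domain list. The real CDCServlet POST is abstracted away.
"""
from urllib.parse import quote, urlsplit

SSO_COOKIE = "iPlanetDirectoryPro"


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching (host-only cookies included)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def shared_cookie_domain(host_a: str, host_b: str):
    """Longest suffix shared by both hosts (at least two labels), or None.
    Does not consult the public suffix list; a bare TLD is rejected."""
    a, b = host_a.lower().split("."), host_b.lower().split(".")
    common = []
    while a and b and a[-1] == b[-1]:
        common.insert(0, a.pop())
        b.pop()
    return ".".join(common) if len(common) >= 2 else None


class Browser:
    """Cookie jar that only returns cookies whose Domain matches the request host."""

    def __init__(self) -> None:
        self.jar: list[tuple[str, str, str]] = []  # (name, domain, value)

    def store(self, name: str, value: str, domain: str) -> None:
        self.jar.append((name, domain, value))

    def cookies_for(self, host: str) -> dict[str, str]:
        return {n: v for n, d, v in self.jar if domain_matches(host, d)}


def simulate(app_url: str, openam_url: str, cookie_domains: list[str], max_hops: int = 8):
    """Walk the redirect exchange; return ("ALLOWED", trace) or ("LOOP", trace)."""
    browser = Browser()
    openam_host = urlsplit(openam_url).hostname
    url, trace = app_url, []
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        trace.append(url)
        if host == openam_host:
            # OpenAM side: login succeeds (or the existing session is found again),
            # the SSO cookie is set for every configured domain, then redirect to goto.
            for d in cookie_domains:
                browser.store(SSO_COOKIE, "constructed-token-value", d)
            url = app_url
        elif SSO_COOKIE in browser.cookies_for(host):
            # Agent side: the cookie arrived, so the session can be validated and
            # the policy evaluated instead of redirecting again.
            return "ALLOWED", trace
        else:
            # Agent side: no SSO cookie for this host, send the user to login.
            url = f"{openam_url}/UI/Login?goto={quote(app_url, safe='')}"
    return "LOOP", trace


if __name__ == "__main__":
    app, am = "http://www.projet-okinawa.ch/", "http://openam.projet-okinawa.org/openam"
    print("OpenAM domain only:", simulate(app, am, [".projet-okinawa.org"])[0])
    print("both domains listed:", simulate(app, am, [".projet-okinawa.org", "www.projet-okinawa.ch"])[0])
    print("shared parent domain:", shared_cookie_domain("www.projet-okinawa.ch", "openam.projet-okinawa.org"))
```

With only .projet-okinawa.org in the list the browser never sends the cookie to www.projet-okinawa.ch, so the agent redirects again and the trace alternates between the two hosts until the hop limit; adding the protected host to the list ends the exchange on the third hop. The naeemjmi pair (www.agent.example.com and www.openam.example.com) works with a single .example.com entry because shared_cookie_domain finds a common parent, whereas a .ch host and a .org host have none.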