SingleSignOnFilter set the wrong goto URL

This topic contains 3 replies, has 2 voices, and was last updated by  Dusty 3 months ago.

  • #22653
     Dusty 
    Participant

    Hi,

    We have a setup similar to this:

    
    ----> Application Gateway     ----> Identity Gateway       ----->  Access Management
          https://www.example.com       http://www.example.com         http://am.example.com
                                                  |
                                                  |
                                                  |    
                                           Service Provider
                                           http://sp.example.com
    

    We have an Application Gateway which does SSL offloading. The Identity Gateway protects Service Provider with the SingleSignOnFilter. The filter correctly redirects to AM, which correctly authenticates the User. The problem is, AM redirects the User Agent to http://www.example.com instead of https://www.example.com. The SSO filter sets the goto URL to the wrong URL. What is the best way to fix this? Or do I add an extra filter to the chain of the amHandler to correct the goto URL?

    Thanks
    Dusty

    #22668
     violette 
    Participant

    Hello Dusty,

    I don’t know which version you are using, but you could try to use the SingleSignOnFilter’s loginEndpoint attribute as described in https://backstage.forgerock.com/docs/ig/6/reference/#SingleSignOnFilter, where you can set the location to which the request is redirected after authentication (in the goto parameter).

    Example of use:

    
    "loginEndpoint" : "https://openam.example.com/openam?service=TwoFactor&goto=${urlEncodeQueryParameterNameOrValue(contexts.router.originalUri)}"
    

    Cheers,

    #22670
     Dusty 
    Participant

    Hi,

    Thanks for your reply! The loginEndpoint is indeed an easier solution!

    Greets

    #23890
     Dusty 
    Participant

    Hi,

    The problem was that Tomcat wasn’t respecting the X-forwarded-* headers. If you add the following to server.xml, the SSO filter will redirect to the correct URLs, including the correct scheme.

    
    <!-- Tomcat only honours these headers when the request arrives from an
         address in internalProxies (default: RFC 1918, loopback and
         link-local ranges); clients outside those ranges cannot spoof them. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
        remoteIpHeader="x-forwarded-for"
        remoteIpProxiesHeader="x-forwarded-by"
        protocolHeader="x-forwarded-proto"
        protocolHeaderHttpsValue="https"
    />
    

    Regards
    Dusty
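The Python below is an added example, not code from this thread, from ForgeRock IG or from Tomcat. It models what both answers above depend on: the scheme the container reports for a request that arrived over plain HTTP from a TLS-offloading gateway (the RemoteIpValve fix in the last post), and the percent-encoding of the original URI into the goto parameter (the loginEndpoint expression in violette's reply). The proxy address 10.0.0.5, the client address 203.0.113.7, the request line, the AM path http://am.example.com/openam and the trusted-proxy ranges (chosen to mirror RemoteIpValve's default internalProxies) are all assumptions constructed for the example.

```python
"""
Model of how the goto URL in the AM login redirect depends on the scheme the
servlet container reports behind a TLS-offloading gateway.

Added example: not ForgeRock IG or Tomcat code. Addresses, headers and the
request below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import quote

# Assumption: the same ranges RemoteIpValve trusts by default as internalProxies
# (RFC 1918, loopback, link-local). Headers from any other peer are ignored.
INTERNAL_PROXIES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal_proxy(peer_ip: str) -> bool:
    """True if the peer that delivered the request is a trusted proxy."""
    ip = ip_address(peer_ip)
    return any(ip in net for net in INTERNAL_PROXIES)


def effective_scheme(peer_ip: str, connection_scheme: str, headers: dict,
                     trust_proxy_headers: bool = True) -> str:
    """Scheme the application should believe the user agent used.

    trust_proxy_headers=False is Tomcat without the valve: it reports the
    scheme of its own listener, i.e. http behind an offloading gateway.
    With the valve, X-Forwarded-Proto decides, but only when the request
    came from an internal proxy, so an external client cannot spoof it.
    """
    if not trust_proxy_headers or not is_internal_proxy(peer_ip):
        return connection_scheme
    proto = headers.get("x-forwarded-proto")
    if proto is None:
        return connection_scheme
    # RemoteIpValve compares against protocolHeaderHttpsValue case-insensitively
    # and treats anything else as plain http.
    return "https" if proto.lower() == "https" else "http"


def original_uri(scheme: str, headers: dict, request_target: str) -> str:
    """The URI IG exposes as contexts.router.originalUri (host from Host)."""
    return f"{scheme}://{headers['host']}{request_target}"


def login_redirect(am_login: str, original: str) -> str:
    """Build the AM login URL with goto set to the encoded original URI.

    safe='' mirrors urlEncodeQueryParameterNameOrValue: every reserved
    character is encoded, so the '?', '&' and '=' inside the goto value do
    not split AM's own query string.
    """
    return f"{am_login}?goto={quote(original, safe='')}"


# Constructed request as the Identity Gateway's Tomcat sees it: plain HTTP on
# its listener, X-Forwarded-* added by the application gateway at 10.0.0.5.
PEER = "10.0.0.5"
HEADERS = {
    "host": "www.example.com",
    "x-forwarded-proto": "https",
    "x-forwarded-for": "203.0.113.7",
}
REQUEST_TARGET = "/sp/app?tab=1"
AM_LOGIN = "http://am.example.com/openam"  # assumed AM location


def goto_urls(trust_proxy_headers: bool) -> tuple:
    """Return (originalUri, login redirect) with or without the valve."""
    scheme = effective_scheme(PEER, "http", HEADERS, trust_proxy_headers)
    original = original_uri(scheme, HEADERS, REQUEST_TARGET)
    return original, login_redirect(AM_LOGIN, original)


if __name__ == "__main__":
    for label, trust in (("without RemoteIpValve", False),
                         ("with RemoteIpValve", True)):
        original, redirect = goto_urls(trust)
        print(f"{label}: originalUri={original}")
        print(f"{' ' * len(label)}  redirect={redirect}")
```

Running it shows the failure mode from the first post: without the valve the goto is http://www.example.com/..., with it https://www.example.com/.... The peer check matters: if the same X-Forwarded-Proto header arrives directly from an external address, it is ignored and the connection scheme is kept.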


©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
