DEVHIDE
Login Or Sign up

OpenAM Web Agent Redirect Issue #403x

1k Views Asked by At

I am using OpenAM as an authentication solution for my web app. I have configured OpenAM behind a reverse proxy. I have made all the changes regarding headers and its working fine. I have also configured a site for the server. I can login as admin and configure realms and policies. I have configured a web agent to be used with my app. I am facing an issue with the web agent. When I login to my app request goes to OpenAM and it authenticates the user, but cannot redirect to the designated page. It just shows

#403x

on the browser. In the authenticator logs I see the following


amCDC:09/30/2021 01:54:19:020 PM UTC: Thread[http-apr-8080-exec-8,5,main]: TransactionId[786cdea2-e670-488d-955d-f6679002c3c0-1140]
ERROR: Invalid Agent: Could not get agent for the realm
java.lang.Exception: Goto URL not valid for the agent Provider ID
        at com.iplanet.services.cdc.LdapSPValidator.validateAndGetRestriction(LdapSPValidator.java:208)
        at com.iplanet.services.cdc.CDCServlet.redirectWithAuthNResponse(CDCServlet.java:375)
        at com.iplanet.services.cdc.CDCServlet.doGetPost(CDCServlet.java:343)
        at com.iplanet.services.cdc.CDCServlet.doGet(CDCServlet.java:234)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:106)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2445)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

amCDC:09/30/2021 01:54:19:020 PM UTC: Thread[http-apr-8080-exec-8,5,main]: TransactionId[786cdea2-e670-488d-955d-f6679002c3c0-1140]
ERROR: CDCServlet.doGetPost
java.lang.Exception: Invalid Agent: Could not get agent for the realm
        at com.iplanet.services.cdc.LdapSPValidator.validateAndGetRestriction(LdapSPValidator.java:227)
        at com.iplanet.services.cdc.CDCServlet.redirectWithAuthNResponse(CDCServlet.java:375)
        at com.iplanet.services.cdc.CDCServlet.doGetPost(CDCServlet.java:343)
        at com.iplanet.services.cdc.CDCServlet.doGet(CDCServlet.java:234)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:106)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2445)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

I have done all the relevant configuration for agent as well. I have disabled server lookup, set the following properties as recommended in documentation

com.sun.identity.agents.config.agenturi.prefix
com.sun.identity.agents.config.override.protocol=true
com.sun.identity.agents.config.override.host=true
com.sun.identity.agents.config.override.port=true

My site url is

https://example.com/openam

I create the agent like this

server url = https://example.com:443/openam
agent url = https://example.com:443/

My Agent configurations is as follows

com.sun.identity.agents.config.agent.logout.url[0]=
com.sun.identity.agents.config.agenturi.prefix=https://example.com:443/amagent
com.sun.identity.agents.config.anonymous.user.enable=false
com.sun.identity.agents.config.anonymous.user.id=anonymous
com.sun.identity.agents.config.attribute.multi.value.separator=|
com.sun.identity.agents.config.audit.accesstype=LOG_BOTH
com.sun.identity.agents.config.auth.connection.timeout=2
com.sun.identity.agents.config.cdsso.cdcservlet.url[0]=https://example.com:443/openam/cdcservlet
com.sun.identity.agents.config.cdsso.cookie.domain[0]=
com.sun.identity.agents.config.cdsso.enable=false
com.sun.identity.agents.config.change.notification.enable=true
com.sun.identity.agents.config.cleanup.interval=30
com.sun.identity.agents.config.client.ip.validation.enable=false
com.sun.identity.agents.config.convert.mbyte.enable=false
com.sun.identity.agents.config.cookie.name=iPlanetDirectoryPro
com.sun.identity.agents.config.cookie.reset.enable=false
com.sun.identity.agents.config.cookie.reset[0]=
com.sun.identity.agents.config.cookie.secure=false
com.sun.identity.agents.config.debug.file.rotate=true
com.sun.identity.agents.config.debug.file.size=10000000
com.sun.identity.agents.config.debug.level=All
com.sun.identity.agents.config.domino.check.name.database=false
com.sun.identity.agents.config.domino.ltpa.config.name=LtpaToken
com.sun.identity.agents.config.domino.ltpa.cookie.name=LtpaToken
com.sun.identity.agents.config.domino.ltpa.enable=false
com.sun.identity.agents.config.encode.cookie.special.chars.enable=false
com.sun.identity.agents.config.encode.url.special.chars.enable=false
com.sun.identity.agents.config.fetch.from.root.resource=false
com.sun.identity.agents.config.fqdn.check.enable=true
com.sun.identity.agents.config.fqdn.default=example.com
com.sun.identity.agents.config.fqdn.mapping[]=
com.sun.identity.agents.config.get.client.host.name=false
com.sun.identity.agents.config.ignore.path.info=false
com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list=true
com.sun.identity.agents.config.ignore.preferred.naming.url=true
com.sun.identity.agents.config.ignore.server.check=true
com.sun.identity.agents.config.iis.filter.priority=HIGH
com.sun.identity.agents.config.iis.logonuser=false
com.sun.identity.agents.config.iis.owa.enable=false
com.sun.identity.agents.config.iis.owa.enable.change.protocol=false
com.sun.identity.agents.config.iis.password.header=false
com.sun.identity.agents.config.load.balancer.enable=true
com.sun.identity.agents.config.local.log.rotate=true
com.sun.identity.agents.config.local.log.size=52428800
com.sun.identity.agents.config.locale=en_US
com.sun.identity.agents.config.log.disposition=ALL
com.sun.identity.agents.config.login.url[0]=https://example.com:443/openam/UI/Login
com.sun.identity.agents.config.logout.cookie.reset[0]=
com.sun.identity.agents.config.logout.url[0]=https://example.com:443/openam/UI/Logout
com.sun.identity.agents.config.notenforced.ip[0]=
com.sun.identity.agents.config.notenforced.url.attributes.enable=false
com.sun.identity.agents.config.notenforced.url.invert=false
com.sun.identity.agents.config.notenforced.url[0]=/logout.html
com.sun.identity.agents.config.notenforced.url[1]=/images/*
com.sun.identity.agents.config.notenforced.url[2]=/css/-*-
com.sun.identity.agents.config.notenforced.url[3]=/*.jsp?locale=*
com.sun.identity.agents.config.notification.enable=true
com.sun.identity.agents.config.organization.name=/
com.sun.identity.agents.config.override.host=true
com.sun.identity.agents.config.override.notification.url=true
com.sun.identity.agents.config.override.port=true
com.sun.identity.agents.config.override.protocol=true
com.sun.identity.agents.config.policy.cache.polling.interval=3
com.sun.identity.agents.config.policy.clock.skew=0
com.sun.identity.agents.config.poll.primary.server=5
com.sun.identity.agents.config.polling.interval=60
com.sun.identity.agents.config.postcache.entry.lifetime=10
com.sun.identity.agents.config.postdata.preserve.enable=false
com.sun.identity.agents.config.profile.attribute.cookie.maxage=300
com.sun.identity.agents.config.profile.attribute.cookie.prefix=HTTP_
com.sun.identity.agents.config.profile.attribute.fetch.mode=NONE
com.sun.identity.agents.config.profile.attribute.mapping[]=
com.sun.identity.agents.config.proxy.override.host.port=false
com.sun.identity.agents.config.redirect.param=goto
com.sun.identity.agents.config.remote.log.interval=5
com.sun.identity.agents.config.remote.logfile=amAgent_xyz_com_443.log
com.sun.identity.agents.config.repository.location=centralized
com.sun.identity.agents.config.response.attribute.fetch.mode=NONE
com.sun.identity.agents.config.response.attribute.mapping[]=
com.sun.identity.agents.config.session.attribute.fetch.mode=NONE
com.sun.identity.agents.config.session.attribute.mapping[]=
com.sun.identity.agents.config.sso.cache.polling.interval=3
com.sun.identity.agents.config.sso.only=false
com.sun.identity.agents.config.url.comparison.case.ignore=true
com.sun.identity.agents.config.userid.param=UserToken
com.sun.identity.agents.config.userid.param.type=session
com.sun.identity.client.notification.url=https://example.com:443/UpdateAgentCacheServlet?shortcircuit=false
org.forgerock.openam.agents.config.policy.evaluation.application=iPlanetAMWebAgentService
org.forgerock.openam.agents.config.policy.evaluation.realm=/
sunIdentityServerDeviceKeyValue[0]=agentRootURL=https://example.com:443/
sunIdentityServerDeviceStatus=Active
userpassword=

But still it is not working. Can someone explain what I am missing and how can I resolve this?

regards

EDIT

I have added headers to my nginx setup for the app

proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forward-For op$proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;

now the error has changed

error:  [bq2ptiS62] Unknown issuer: http://example.com:8080/openam/cdcservlet Unknown issuer: http://example.com:8080/openam/cdcservlet {"stack":"Error: Unknown issuer: http://example.com:8080/openam/cdcservlet    
at PolicyAgent.<anonymous> (/node_modules/@forgerock/openam-agent/dist/policyagent/policy-agent.js:483:35)
at step (/node_modules/@forgerock/openam-agent/dist/policyagent/policy-agent.js:57:23)
at Object.next (/node_modules/@forgerock/openam-agent/dist/policyagent/policy-agent.js:38:53)
at fulfilled (/node_modules/@forgerock/openam-agent/dist/policyagent/policy-agent.js:29:58)
at process._tickCallback (internal/process/next_tick.js:68:7)","timestamp":"2021-10-04T15:21:40.630Z"}
openam opensso forgerock
Original Q&A
1

There are 1 best solutions below

5
Bernhard Thalmayr On

The error repsonse body #403x is raised by OpenAM's CDCServlet when the value of the Agent profile property 'Agent Root URL' does not include the one sent with the CDSSO request.

Related Questions in OPENAM

Related Questions in OPENSSO

Related Questions in FORGEROCK

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Popular Questions

.

Copyright © 2021 Jogjafile Inc.