OpenAM Agents / AMAGENTS-1982

Custom login page issue when handling advices

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.0.1.1
    • Fix Version/s: 5.5.1.0
    • Component/s: Web Agents
    • Environment:
      Apache 2.4 Linux 64 bit

      Description

      Bug description

      When using a custom login page together with advices from AM, the way the 5.0.1.1 agent handles these appears to be incorrect.

      How to reproduce the issue

      Initial setup

      1). Set up current AM 6.0.0.4 and Apache web agent 5.0.1.1 and check SSO only mode to ensure all is OK and that logging in via the XUI works as expected.

      2). In Apache htdocs create two sub-directories named as follows and create an index.html in each:

      • policy1
      • policy2

      3). In AM ensure there are two authentication chains (can use the default ldapservice as one and add a second).  Test these both work by logging into AM with service=chainname in the URL.

      4). In AM create two policies for both of these URLs where each one protects a different resource:

      • policy1 - simple allow all authenticated users for the URLs
      • policy2 - as for policy1 but add an Environment condition for 'Authentication by Service' and choose the chain that was just created.

      5). Test access to http://apache/policy1 and login to AM - ensure policy1 works and is redirected back to Apache.

      6). Access http://apache/policy2; there should be a redirect back to AM. Log in again (this will be the second chain) and the policy2 page should be displayed.


      Set up and test custom login page (clear browser cache)

      1). Set up an external custom login page and verify this works as expected.

      2). Adjust the agent profile and add the following via the AM admin UI:

      3). Test access to http://apache/policy1 and login to the custom login page - ensure policy1 works and is redirected back to Apache.

      4). Access http://apache/policy2; there should be a redirect back to the custom login page (screenshot 2).  The URL in the browser bar is:

      http://openam.example.com:8080/custlogin/login.jsp?goto=http%3A%2F%2Fopenam.example.com%3A18080%2F%2Fagent%2Fcustom-login-response%3Fclaims%3D%257B%2522id_token%2522%253A%257B%2522acr%2522%253A%257B%2522essential%2522%253Atrue%252C%2522values%2522%253A%255B%2522composite_advice%253A%253CAdvices%253E%253CAttributeValuePair%253E%253CAttribute%2520name%253D%255C%2522AuthenticateToServiceConditionAdvice%255C%2522%252F%253E%253CValue%253E%252F%253Aldapchain%253C%252FValue%253E%253C%252FAttributeValuePair%253E%253C%252FAdvices%253E%2522%255D%257D%257D%257D%26state%3Dd53947a7-3bac-5f45-82ab-80366eb87e97

      5). Enter the username and password.  User is shown the Forbidden page with the following in the browser URL bar (screenshot 3):

      http://openam.example.com:18080//agent/custom-login-response?claims=%7B%22id_token%22%3A%7B%22acr%22%3A%7B%22essential%22%3Atrue%2C%22values%22%3A%5B%22composite_advice%3A%3CAdvices%3E%3CAttributeValuePair%3E%3CAttribute%20name%3D%5C%22AuthenticateToServiceConditionAdvice%5C%22%2F%3E%3CValue%3E%2F%3Aldapchain%3C%2FValue%3E%3C%2FAttributeValuePair%3E%3C%2FAdvices%3E%22%5D%7D%7D%7D&state=d53947a7-3bac-5f45-82ab-80366eb87e97
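
Added example, not part of the original report or of the agent's code: a Python helper for unwrapping the URLs in steps 4 and 5 to see which advice the agent is passing to the login page. `extract_advices` is a hypothetical name, `AGENT_URL` is the step 5 URL from this report, and `LOGIN_URL` is constructed here by re-encoding it into a `goto` parameter.

```python
import json
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from urllib.parse import urlsplit, parse_qs, quote

ADVICE_PREFIX = "composite_advice:"

# Step 5 URL from the report, split only for readability.
AGENT_URL = (
    "http://openam.example.com:18080//agent/custom-login-response"
    "?claims=%7B%22id_token%22%3A%7B%22acr%22%3A%7B%22essential%22%3Atrue%2C%22values%22%3A%5B"
    "%22composite_advice%3A%3CAdvices%3E%3CAttributeValuePair%3E"
    "%3CAttribute%20name%3D%5C%22AuthenticateToServiceConditionAdvice%5C%22%2F%3E"
    "%3CValue%3E%2F%3Aldapchain%3C%2FValue%3E%3C%2FAttributeValuePair%3E%3C%2FAdvices%3E%22%5D%7D%7D%7D"
    "&state=d53947a7-3bac-5f45-82ab-80366eb87e97"
)
# Constructed: the step 5 URL wrapped in a goto parameter, as in step 4.
LOGIN_URL = ("http://openam.example.com:8080/custlogin/login.jsp?goto="
             + quote(AGENT_URL, safe=""))


def extract_advices(url, max_depth=3):
    """Return (state, {advice_name: [values]}) from a login or agent URL.

    Follows nested goto parameters until one carries a claims parameter.
    """
    for _ in range(max_depth):
        query = parse_qs(urlsplit(url).query)  # decodes one encoding layer
        if "claims" in query:
            break
        if "goto" not in query:
            raise ValueError("no claims or goto parameter found")
        url = query["goto"][0]
    else:
        raise ValueError("goto nesting deeper than expected")

    claims = json.loads(query["claims"][0])
    advices = {}
    for value in claims["id_token"]["acr"]["values"]:
        if not value.startswith(ADVICE_PREFIX):
            continue
        root = ET.fromstring(value[len(ADVICE_PREFIX):])
        for pair in root.iter("AttributeValuePair"):
            name = pair.find("Attribute").get("name")
            advices.setdefault(name, []).extend(v.text for v in pair.findall("Value"))
    return query.get("state", [None])[0], advices


if __name__ == "__main__":
    print(extract_advices(LOGIN_URL))
```

Both URLs decode to the same `state` and the same `AuthenticateToServiceConditionAdvice` value, which makes it easy to compare what the login page received with what was sent back to the agent.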

              People

              • Assignee:
                mareks Mareks Malnacs
                Reporter:
                andy.itter Andy Itter