When a custom login page is used together with policy advices from AM, the way the 188.8.131.52 agent handles those advices appears to be incorrect.
1). Set up the current AM 184.108.40.206 and Apache web agent 220.127.116.11, and check SSO-only mode to ensure everything is OK and that logging in via the XUI works as expected.
2). In Apache htdocs create two sub-directories named as follows and create an index.html in each:
3). In AM, ensure there are two authentication chains (the default ldapservice can be used as one; add a second). Test that both work by logging into AM with service=chainname in the URL.
4). In AM, create two policies, one for each of these URLs, so that each policy protects a different resource:
- policy1 - a simple allow for all authenticated users on its URL
- policy2 - as for policy1, but add an Environment condition of 'Authentication by Service' and choose the chain that was just created.
5). Access http://apache/policy1 and log in to AM; ensure policy1 grants access and the browser is redirected back to Apache.
6). Access http://apache/policy2; there should be a redirect back to AM. Log in again (this time via the second chain) and the policy2 page should be displayed.
Set up and test the custom login page (clear the browser cache first)
1). Set up an external custom login page and verify that it works as expected.
2). Adjust the agent profile and add the following via the AM admin UI:
- AM Services > AM Login URL: http://openam.example.com:8080/custlogin/login.jsp (adjust as appropriate)
- Advanced > Custom Properties: org.forgerock.openam.agents.config.allow.custom.login=true
3). Access http://apache/policy1 and log in via the custom login page; ensure policy1 grants access and the browser is redirected back to Apache.
4). Access http://apache/policy2; there should be a redirect back to the custom login page (screenshot 2). The URL in the browser bar is:
5). Enter the username and password. The user is shown the Forbidden page, with the following in the browser URL bar (screenshot 3):
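The check a practitioner wants at steps 4 and 5 is whether the agent's redirect to the custom login page still carries the policy advice for the second chain, and whether the custom login page forwards that advice (and a matching service= parameter) to AM. The following is an added example, not code from this report or from the AM agent. It assumes that the agent delivers the composite advice as the query parameter sunamcompositeadvice (OpenAM's advice parameter name; agents may instead POST it as a form field when the advice is long, which this example does not handle), that the advice XML uses the Advices/AttributeValuePair layout with the AuthenticateToServiceConditionAdvice name for the 'Authentication by Service' condition, and that the host names, paths and chain name chain2 are made up for the example.

```python
"""Inspect the agent's advice redirect and build what the custom login page
should forward to AM.  Added example; the sample redirect below is constructed.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
import xml.etree.ElementTree as ET

# Assumed OpenAM names: the composite advice parameter and the advice
# emitted for an 'Authentication by Service' environment condition.
ADVICE_PARAM = "sunamcompositeadvice"
SERVICE_ADVICE = "AuthenticateToServiceConditionAdvice"

# Constructed sample: the redirect the agent issues for http://apache/policy2
# when policy2 requires authentication via the (assumed) chain name chain2.
SAMPLE_ADVICE_XML = (
    '<Advices><AttributeValuePair>'
    '<Attribute name="AuthenticateToServiceConditionAdvice"/>'
    '<Value>chain2</Value>'
    '</AttributeValuePair></Advices>'
)
SAMPLE_REDIRECT = "http://openam.example.com:8080/custlogin/login.jsp?" + urlencode(
    {"goto": "http://apache/policy2/index.html",
     ADVICE_PARAM: SAMPLE_ADVICE_XML}
)


def query_params(url):
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_advices(advice_xml):
    """Return {advice name: [values]} from composite advice XML."""
    advices = {}
    for pair in ET.fromstring(advice_xml).iter("AttributeValuePair"):
        attr = pair.find("Attribute")
        if attr is None or attr.get("name") is None:
            continue
        values = [v.text or "" for v in pair.findall("Value")]
        advices.setdefault(attr.get("name"), []).extend(values)
    return advices


def inspect_agent_redirect(url):
    """What the custom login page receives: goto, raw advice, required chain."""
    params = query_params(url)
    advice_xml = params.get(ADVICE_PARAM)
    advices = parse_advices(advice_xml) if advice_xml else {}
    required_service = advices.get(SERVICE_ADVICE, [None])[0]
    return {
        "goto": params.get("goto"),
        "advice_xml": advice_xml,
        "required_service": required_service,
    }


def build_am_login_url(am_login_url, agent_redirect_url):
    """URL the custom login page should send the user to on AM.

    goto and the composite advice are forwarded unchanged and service= is set
    to the chain named in the advice.  If neither is forwarded, AM
    authenticates via the default chain and the policy2 condition is not met.
    """
    info = inspect_agent_redirect(agent_redirect_url)
    base = urlsplit(am_login_url)
    params = {k: v[0] for k, v in parse_qs(base.query).items()}
    if info["goto"]:
        params["goto"] = info["goto"]
    if info["advice_xml"]:
        params[ADVICE_PARAM] = info["advice_xml"]
    if info["required_service"]:
        params["service"] = info["required_service"]
    return urlunsplit(base._replace(query=urlencode(params)))


if __name__ == "__main__":
    info = inspect_agent_redirect(SAMPLE_REDIRECT)
    print("advice in agent redirect requires chain:", info["required_service"])
    print(build_am_login_url("http://openam.example.com:8080/openam/UI/Login",
                             SAMPLE_REDIRECT))
```

To use this against a real run, paste the URL from the browser bar at step 4 into inspect_agent_redirect: if required_service comes back None, the agent dropped the advice before redirecting to the custom login page; if it is present, the custom login page is the place to look, since it must pass the advice and service= on to AM for the second chain to be used.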