  1. OpenAM Agents
  2. AMAGENTS-1982

Custom login page issue when handling advices


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 5.0.1.1
    • 5.5.1.0
    • Web Agents
    • Apache 2.4 Linux 64 bit

    Description

      Bug description

      When using a custom login page together with advices from AM, the way the 5.0.1.1 agent handles these appears to be incorrect.

      How to reproduce the issue

      Initial setup

      1). Set up current AM 6.0.0.4 and Apache web agent 5.0.1.1 and check SSO only mode to ensure all is OK and that logging in via the XUI works as expected.

      2). In Apache htdocs create two sub-directories named as follows and create an index.html in each:

      • policy1
      • policy2

      3). In AM ensure there are two authentication chains (can use the default ldapservice as one and add a second).  Test these both work by logging into AM with service=chainname in the URL.

      4). In AM create two policies for both of these URLs where each one protects a different resource:

      • policy1 - simple allow all authenticated users for the URLs
      • policy2 - as for policy1 but add an Environment condition for 'Authentication by Service' and choose the chain that was just created.

      5). Test access to http://apache/policy1 and log in to AM - ensure policy1 works and is redirected back to Apache.

      6). Access http://apache/policy2; there should be a redirect back to AM. Log in again (will be the second chain) and the policy2 page should be displayed.

       

      Setup and test custom login page (clear browser cache)

      1). Set up an external custom login page and verify this works as expected.

      2). Adjust the agent profile and add the following via the AM admin UI:

      3). Test access to http://apache/policy1 and log in to the custom login page - ensure policy1 works and is redirected back to Apache.

      4). Access http://apache/policy2; there should be a redirect back to the custom login page (screenshot 2).  The URL in the browser bar is:

      http://openam.example.com:8080/custlogin/login.jsp?goto=http%3A%2F%2Fopenam.example.com%3A18080%2F%2Fagent%2Fcustom-login-response%3Fclaims%3D%257B%2522id_token%2522%253A%257B%2522acr%2522%253A%257B%2522essential%2522%253Atrue%252C%2522values%2522%253A%255B%2522composite_advice%253A%253CAdvices%253E%253CAttributeValuePair%253E%253CAttribute%2520name%253D%255C%2522AuthenticateToServiceConditionAdvice%255C%2522%252F%253E%253CValue%253E%252F%253Aldapchain%253C%252FValue%253E%253C%252FAttributeValuePair%253E%253C%252FAdvices%253E%2522%255D%257D%257D%257D%26state%3Dd53947a7-3bac-5f45-82ab-80366eb87e97

      5). Enter the username and password.  The user is shown the Forbidden page with the following in the browser URL bar (screenshot 3):

      http://openam.example.com:18080//agent/custom-login-response?claims=%7B%22id_token%22%3A%7B%22acr%22%3A%7B%22essential%22%3Atrue%2C%22values%22%3A%5B%22composite_advice%3A%3CAdvices%3E%3CAttributeValuePair%3E%3CAttribute%20name%3D%5C%22AuthenticateToServiceConditionAdvice%5C%22%2F%3E%3CValue%3E%2F%3Aldapchain%3C%2FValue%3E%3C%2FAttributeValuePair%3E%3C%2FAdvices%3E%22%5D%7D%7D%7D&state=d53947a7-3bac-5f45-82ab-80366eb87e97
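
The URLs in steps 4 and 5 carry the same policy advice at two encoding depths. As an added example (not part of the original report and not the agent's own code), the Python below unwraps either URL and returns the advice and state it carries. The function names are hypothetical, and the rejection of `<!` declarations is an added precaution for XML taken from a URL.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

# Agent callback URL copied from step 5 of the report.
RESPONSE_URL = (
    "http://openam.example.com:18080//agent/custom-login-response?claims="
    "%7B%22id_token%22%3A%7B%22acr%22%3A%7B%22essential%22%3Atrue%2C%22values%22"
    "%3A%5B%22composite_advice%3A%3CAdvices%3E%3CAttributeValuePair%3E%3CAttribute"
    "%20name%3D%5C%22AuthenticateToServiceConditionAdvice%5C%22%2F%3E%3CValue%3E"
    "%2F%3Aldapchain%3C%2FValue%3E%3C%2FAttributeValuePair%3E%3C%2FAdvices%3E%22"
    "%5D%7D%7D%7D&state=d53947a7-3bac-5f45-82ab-80366eb87e97"
)
# Step 4 wraps the same URL, percent-encoded once more, in the goto parameter.
LOGIN_URL = ("http://openam.example.com:8080/custlogin/login.jsp?goto="
             + quote(RESPONSE_URL, safe=""))

PREFIX = "composite_advice:"


def parse_advice_xml(xml_text):
    """Return (name, value) pairs from an <Advices> document."""
    if "<!" in xml_text:  # assumption: advice XML never needs DOCTYPE/ENTITY
        raise ValueError("DTD or entity declaration in advice XML")
    pairs = []
    for avp in ET.fromstring(xml_text).iter("AttributeValuePair"):
        name = avp.find("Attribute").get("name")
        pairs.extend((name, v.text) for v in avp.findall("Value"))
    return pairs


def extract_advices(url):
    """Decode the claims carried by a login-page or agent callback URL."""
    query = parse_qs(urlsplit(url).query)
    if "goto" in query:  # login-page form: unwrap one layer first
        query = parse_qs(urlsplit(query["goto"][0]).query)
    claims = json.loads(query["claims"][0])
    acr = claims["id_token"]["acr"]
    advices = []
    for value in acr.get("values", []):
        if value.startswith(PREFIX):
            advices.extend(parse_advice_xml(value[len(PREFIX):]))
    return {"state": query["state"][0], "essential": acr.get("essential"),
            "advices": advices}


if __name__ == "__main__":
    print(extract_advices(LOGIN_URL))
```

Both URLs decode to the single advice `AuthenticateToServiceConditionAdvice` with value `/:ldapchain`, marked essential, and the same `state` value.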

            People

              mareks Mareks Malnacs
              andy.itter Andy Itter