OpenAM / OPENAM-15744

com.sun.identity.enableUniqueSSOTokenCookie=true results in infinite redirects

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0, 13.5.1, 5.0
    • Fix Version/s: 13.5.3
    • Component/s: cdsso, policy, web agents
    • Labels:
    • Sprint:
      AM Sustaining Sprint 70
    • Story Points:
      5
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description, Yes but I used my own steps. (If so, please add them in a new comment)

      Description

      Bug description

      com.sun.identity.enableUniqueSSOTokenCookie=true results in infinite redirects

      How to reproduce the issue

      Steps used to reproduce
      Configure 4 VirtualBox Linux hosts running CentOS:

      1. openam1350.vbox.com
      2. apache.vbox.com
      3. apache2.vbox.com
      4. apache3.vbox.com

      1. Configure openam1350.vbox.com with an embedded datastore.
      2. Configure the following agent profiles (the assumption is that each of these is a host running Apache 2.4): apache.vbox.com, apache2.vbox.com, apache3.vbox.com
      3. Configure cookie hijacking prevention according to https://backstage.forgerock.com/docs/openam/13.5/admin-guide/#enable-cdsso-cookie-hijacking-protection
      4. Install the 4.1.0 agent on each Apache instance.
      5. Configure authorization policies for each Apache instance.
      6. Clear the browser cache and attempt to access each Apache instance:

      a. http://apache.vbox.com:7777/ is successful
      b. http://apache2.vbox.com:7777/ results in a continuous loop to http://openam1350.vbox.com:8080/openam/cdcservlet?goto=http%3A%2F%2Fapache2.vbox.com%3A7777%2F&RequestID=1575406575500&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fapache2.vbox.com%3A7777%2Famagent&IssueInstant=2019-12-03T20%3A56%3A15Z
      c. Also a loop

      Expected behaviour

      Directed to AM to authorize

      Current behaviour

      Sent in a loop

      Work around

      Remove the com.sun.identity.enableUniqueSSOTokenCookie=true property
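
An added example, not part of the original report or of the OpenAM code base: a check for the redirect loop described above, run over the URLs requested during one browser session (for instance from a proxy log). It assumes RequestID and IssueInstant change on every redirect, as the timestamp-like RequestID in the URL above suggests, so it ignores them when comparing; the function names, the threshold and the sample lists are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the agent regenerates these two parameters for every CDSSO
# request, so comparing raw URLs would never see the same URL twice.
VOLATILE = {"RequestID", "IssueInstant"}


def cdsso_key(url):
    """Return a stable key for a cdcservlet request, or None for other URLs."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/cdcservlet"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    stable = tuple(sorted((k, tuple(v)) for k, v in query.items()
                          if k not in VOLATILE))
    return (parts.scheme, parts.netloc.lower(), parts.path, stable)


def find_cdsso_loop(urls, threshold=3):
    """Return (goto, ProviderID) of the first CDSSO request that is repeated
    `threshold` or more times in one session, or None if there is no loop."""
    counts = {}
    for url in urls:
        key = cdsso_key(url)
        if key is None:
            continue
        counts[key] = counts.get(key, 0) + 1
        if counts[key] >= threshold:
            params = dict(key[3])
            return (params.get("goto", ("",))[0],
                    params.get("ProviderID", ("",))[0])
    return None


# Constructed sample data modelled on the URL in the report.
BASE = ("http://openam1350.vbox.com:8080/openam/cdcservlet"
        "?goto=http%3A%2F%2Fapache2.vbox.com%3A7777%2F&RequestID={rid}"
        "&MajorVersion=1&MinorVersion=0"
        "&ProviderID=http%3A%2F%2Fapache2.vbox.com%3A7777%2Famagent"
        "&IssueInstant=2019-12-03T20%3A56%3A{sec}Z")
LOOPING = [BASE.format(rid=1575406575500 + 1000 * i, sec=15 + i)
           for i in range(4)]
HEALTHY = [BASE.format(rid=1575406575500, sec=15),
           "http://apache2.vbox.com:7777/"]

if __name__ == "__main__":
    print("looping session:", find_cdsso_loop(LOOPING))
    print("healthy session:", find_cdsso_loop(HEALTHY))
```
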


              People

              • Assignee:
                Lawrence Yarham (lawrence.yarham)
              • Reporter:
                Steve Nolan (steve.nolan)