Authentication trees deviate in behavior from authentication chains. When using SAML2 SP redirect, the generated URL to AM normally has a "goto=<SAMLURL_with_someid>" parameter appended. The issue is that this gotoURL is stored in the session property "successURL".
Before this, in authentication modules, the gotoURL did not end up in this value, which normally uses the profile values (like /openam/console). However, with AuthTree, this property ends up with the gotoURL.
This is very impactful for SAML2-type requests: if one later goes back to the IDP with any goto and issues ("AM_URL/am/UI/Login"), this goes to the original old SP SAML2 request (which is long invalid).
To keep it simple, without SAML, you can see this as follows:
- Create a default auth service to use a Tree (say Example)
- Log in with ?goto=<someURL>
- Now access AMURL as "AMURL/UI/Login"
- You can inspect the session token properties from CTS to see that the successURL property has the gotoURL value
There is no workaround possible. Do not use a tree; continue to use an auth chain.
The tree node confuses SuccessURL and GotoURL and sets the SuccessURL property to the final value the tree goes to.
In the original auth chain, the successURL is always the user profile unless this is explicitly changed. In any case, the gotoURL is still disjoint from the property value.
In fact, the "successURL" property is more correctly described as the URL to follow if already authenticated.