OpenAM / OPENAM-9528

Redirect loop with CDSSO with all browsers but IE

    Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Cannot Reproduce
    • Agents-4.0.0, 13.0.0
    • None
    • Protected Resource -> Ubuntu, Apache 2.4 with reverse proxy + Agent 4.0.0
      OpenAM: Ubuntu, OpenAM deployed in docker container

      Description

      Hi,
      We are getting a redirect loop between OpenAM 13.0.0 and our WebAgent 4. So we cannot access our application after authentication. This problem only occurs in Chrome v. 52, Safari and Firefox, whereas IE v. 13 works as expected.

      Background:
      • We have set up OpenAM on server A with a domain openam.XXX.com and Apache with a running application as protected resource with a policy agent on server B with domain resource.YYY.net. Therefore, CDSSO is activated.
      • The Agent configuration is centralized
      • CDSSO Servlet configuration is default
      • Both domains are listed in the cookie domain list.
      • Date is in sync
      • Protected Resource is built on Apache 2.4.18

      Web Agent Log
      2016-08-03 14:04:18.527 +0000 DEBUG [0x7ff9d0ff1700:20685][source/apache/agent.c:475] set_custom_response(): status: redirect (exit: redirect)
      2016-08-03 14:04:18.527 +0000 DEBUG [0x7ff9d0ff1700:20685][source/apache/agent.c:733] amagent_auth_handler(): exit status: redirect (1)
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/apache/agent.c:669] amagent_auth_handler(): begin
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/config.c:1491] am_get_agent_config(): agent configuration read from a cache
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/apache/agent.c:486] get_method_num(): method GET (GET, 0)
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/apache/agent.c:495] get_method_num(): number corresponds to GET method
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:129] setup_request_data():
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:151] setup_request_data(): client ip: 12.123.12.12
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:189] setup_request_data(): client hostname: (empty)
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:197] setup_request_data(): original request url: http://Name2003.yyy.net/favicon.ico
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:214] setup_request_data(): no token in query parameters
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:319] setup_request_data():
      method: GET
      original url: http://Name2003.yyy.net/favicon.ico
      proto: http
      host: Name2003.yyy.net
      port: 80
      path: /favicon.ico
      query:
      complete: http://Name2003.yyy.net:80/favicon.ico
      overridden: http://Name2003.yyy.net:80/favicon.ico
      pathinfo: (empty)
      normalized (pathinfo removed): (empty)
      overridden (pathinfo removed): (empty)
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:334] validate_url():
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:346] validate_url(): request url validation feature is not enabled
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:354] handle_notification():
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:410] validate_fqdn_access():
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:430] validate_fqdn_access(): host name Name2003.yyy.net is valid (maps to fqdn default: Name2003.yyy.net)
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:741] validate_token():
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:832] validate_token(): sso token: (empty), status: success
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:491] handle_not_enforced():
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:552] handle_not_enforced(): application logout url feature is not enabled
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:610] handle_not_enforced(): not enforced client ip validation feature is not enabled
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:613] handle_not_enforced(): validating http://Name2003.yyy.net:80/favicon.ico
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:684] handle_not_enforced(): not enforced url validation feature is not enabled
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:729] handle_not_enforced(): extended not enforced url validation feature is not enabled
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:732] handle_not_enforced(): http://Name2003.yyy.net:80/favicon.ico is enforced
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:930] validate_policy(): for http://Name2003.yyy.net:80/favicon.ico (ignoring pathinfo: no), entry status: not found
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:948] validate_policy(): running in sso-only mode
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:1808] handle_exit(): (entry status: invalid session)
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:2140] handle_exit(): resetting session cookie in .yyy.net domain
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:1465] do_cookie_set_generic(): iPlanetDirectoryPro=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Domain=.yyy.net;Path=/
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:2140] handle_exit(): resetting session cookie in .XXX.com domain
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:1465] do_cookie_set_generic(): iPlanetDirectoryPro=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Domain=.XXX.com;Path=/
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:1465] do_cookie_set_generic(): iPlanetDirectoryPro=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Path=/
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:1786] find_active_login_server(): selected login url: http://iamaas-openam-itreplaced.adop.XXX.com:80/openam/cdcservlet?goto=http%3A%2F%2FName2003.yyy.net%3A80%2Ffavicon.ico&RequestID=1470233058542&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2FName2003.yyy.net%3A80%2Famagent&IssueInstant=2016-08-03T14%3A04%3A18Z
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:2281] handle_exit(): find_active_login_server value: http://iamaas-openam-itreplaced.adop.XXX.com:80/openam/cdcservlet?goto=http%3A%2F%2FName2003.yyy.net%3A80%2Ffavicon.ico&RequestID=1470233058542&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2FName2003.yyy.net%3A80%2Famagent&IssueInstant=2016-08-03T14%3A04%3A18Z
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/apache/agent.c:475] set_custom_response(): status: redirect (exit: redirect)
      2016-08-03 14:04:18.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/apache/agent.c:733] amagent_auth_handler(): exit status: redirect (1)
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/apache/agent.c:669] amagent_auth_handler(): begin
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/config.c:1491] am_get_agent_config(): agent configuration read from a cache
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/apache/agent.c:486] get_method_num(): method POST (POST, 2)
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/apache/agent.c:495] get_method_num(): number corresponds to POST method
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:129] setup_request_data():
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:151] setup_request_data(): client ip: 12.123.12.12
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:189] setup_request_data(): client hostname: (empty)
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:197] setup_request_data(): original request url: http://Name2003.yyy.net/
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:214] setup_request_data(): no token in query parameters
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:319] setup_request_data():
      method: POST
      original url: http://Name2003.yyy.net/
      proto: http
      host: Name2003.yyy.net
      port: 80
      path: /
      query:
      complete: http://Name2003.yyy.net:80/
      overridden: http://Name2003.yyy.net:80/
      pathinfo: (empty)
      normalized (pathinfo removed): (empty)
      overridden (pathinfo removed): (empty)
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:334] validate_url():
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:346] validate_url(): request url validation feature is not enabled
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:354] handle_notification():
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:368] handle_notification(): http://Name2003.yyy.net:80/ is not an agent notification url http://Name2003.yyy.net:80/UpdateAgentCacheServlet?shortcircuit=false
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:410] validate_fqdn_access():
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:430] validate_fqdn_access(): host name Name2003.yyy.net is valid (maps to fqdn default: Name2003.yyy.net)
      2016-08-03 14:04:18.877 +0000 DEBUG [0x7ff9d2ff5700:20684][source/process.c:741] validate_token():
      2016-08-03 14:04:18.886 +0000 DEBUG [0x7ff9d2ff5700:20684][source/apache/agent.c:628] get_request_body(): read 3708 bytes

      OpenAM CDCservlet Log
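
A triage sketch for the Web Agent log above, added here and not part of the original report or of OpenAM's code: it groups the agent's debug lines into requests by worker thread and flags any goto URL that was redirected to the login server repeatedly while the agent saw no SSO token. The function names, the threshold of 3 and the example.net / example.com hosts are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# One debug record: timestamp, worker thread id, function name, message.
REC = re.compile(r"^(\S+ \S+) \S+ DEBUG \[(0x[0-9a-f]+):\d+\]\[[^\]]*\] (\w+)\(\):\s?(.*)$")

def requests_from_log(text):
    """Group agent debug lines into one dict per completed request."""
    open_reqs, done = {}, []
    for line in text.splitlines():
        m = REC.match(line.strip())
        if not m:
            continue  # multi-line dumps (method:, host:, ...) are not needed
        ts, tid, func, msg = m.groups()
        if func == "amagent_auth_handler" and msg == "begin":
            open_reqs[tid] = {"start": ts, "token": None, "login_goto": None}
        req = open_reqs.get(tid)
        if req is None:
            continue  # lines from a request whose start is not in the capture
        if func == "get_method_num" and msg.startswith("method "):
            req["method"] = msg.split()[1]
        elif msg.startswith("original request url: "):
            req["url"] = msg.split(": ", 1)[1]
        elif msg.startswith("sso token: "):
            req["token"] = msg[len("sso token: "):].split(",")[0]
        elif msg.startswith("selected login url: "):
            query = urlsplit(msg.split(": ", 1)[1]).query
            req["login_goto"] = parse_qs(query).get("goto", [None])[0]
        elif func == "amagent_auth_handler" and msg.startswith("exit status: "):
            req["exit"] = msg[len("exit status: "):]
            done.append(open_reqs.pop(tid))
    return done

def redirect_loops(reqs, threshold=3):
    """goto URLs redirected to the login server >= threshold times with no SSO token."""
    hits = Counter(r["login_goto"] for r in reqs
                   if r["login_goto"] and r["token"] == "(empty)")
    return {url: n for url, n in hits.items() if n >= threshold}

def sample_log(cycles=3):
    """Constructed sample in the format above; hosts are placeholders."""
    msgs = ["amagent_auth_handler(): begin", "get_method_num(): method GET (GET, 0)",
            "setup_request_data(): original request url: http://app.example.net/",
            "validate_token(): sso token: (empty), status: success",
            "find_active_login_server(): selected login url: http://sso.example.com:80"
            "/openam/cdcservlet?goto=http%3A%2F%2Fapp.example.net%3A80%2F",
            "amagent_auth_handler(): exit status: redirect (1)"]
    pre = "2016-08-03 14:04:{:02d}.542 +0000 DEBUG [0x7ff9d37f6700:20684][source/process.c:1] "
    return "\n".join(pre.format(18 + i) + m for i in range(cycles) for m in msgs)
```

Running `redirect_loops(requests_from_log(open(path).read()))` on a real agent debug log lists the URLs caught in the loop; a request still in flight when the capture ends is not counted.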

            People

            Assignee: Unassigned
            Reporter: ytheva Yathursan Theva [X] (Inactive)