This webpage has a redirect loop (ERR_TOO_MANY_REDIRECTS) - ForgeRock OpenAM

So, you (believe) you've configured the agent to protect your application URLs as part of your SSO implementation. You attempt this by accessing the application URL and you're 302 re-directed to the forgeRock OpenAM login screen (so far so good).
February 9, 2016
ForgeRockOpenAMOpenAM-12.x
E_WARNING Error in file posts.php at line 313: fopen(http://www.technicalconfessions.com/images/postimages/postIcons/pp424.png): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found E_WARNING Error in file posts.php at line 313: fclose() expects parameter 1 to be resource, boolean given

Though this is when things go wrong. When you successfully authenticate, your browser throws a big wobble by stating that you've made too many redirects (ERR_TOO_MANY_REDIRECTS). Your localhost_access_log.txt will indicate that multiple 302 requests are returning back to the application. Basically the application that you're trying to access is not accepting the OpenAM cookie (or at least doesn't acknowledge a valid one) The application sends the browser to OpenAM for you to authenticate. OpenAM however acknowledges that you have an active session (and an active domain cookie) and basically says, 'Do don't need to auth again, you already have a valid token, go back to the application'.

An simple example is that the application 'app1.bus1.com' resides on a separate domain of OpenAM '.business1.com' and therefore the domain cookie differs.


How Can I see this happening?

Get a tracer. Chrome's plugin SAML tracer. cookie inspector


SOLUTION

ForgeRock has a functionality called cross-domain single sign on (CDSSO). Basically it will allow OpenAM to create a cookie to access different DNS domains to where OpenAM is deployed. So even though you're accessing app1.bus1.com, the policy agent will extract the SSOToken from LARES and sets the cookie domain to the FQDN of the resource, which is pretty cool!

To the material in question is, HOW TO: Enable CDSSO For a Java EE Policy Agent Obviously this is different for just web policy agents though the same document provides both just incase the page is unavailable, perform the following tasks

  • In the OpenAM console, browse to Access Control > Realm Name > Agents > Web > Agent Name > SSO.
  • Enable Cross Domain SSO.
  • Set the list of URLs for CDSSO Servlet URL to the Cross Domain Controller Servlet URLs of the servers the agent accesses, such as http://openam.example.com:8080/openam/cdcservlet. If the agent accesses OpenAM through a load balancer, use the load balancer URLs, such as http://load-balancer.example.com:8080/openam/cdcservlet.
  • Add the domains involved in CDSSO in the Cookies Domain List.
  • If necessary, update the Agent Root URL for CDSSO list on the Global tab page. If the policy agent is on a server with virtual host names, add the virtual host URLs to the list. If the policy agent is behind a load balancer, add the load balancer URL to the list.
  • Save your work.

About the author

Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.
Daniel has built from scratch this blog as well as technicalconfessions.com
Follow Daniel on twitter @nervouswiggles

Comments

Other Posts

ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statemen

OpenIDMsync.confForgeRock

September 17, 2017
Created by: Daniel Redfern
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

Caused by: org.forgerock.json.resource.BadRequestException: Target does not support attribute groups

OpenIDMForgeRockICFConnector

September 17, 2017
Created by: Daniel Redfern
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

OpenIDMForgeRockICFConnectorAD

September 17, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_g

OpenIDMIDMGoogleGoogle-AppsICFreconciliation

September 12, 2017
Created by: Daniel Redfern
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...

forgerock-openidm-encryptedjwt-error

OpenIDMIDMForgeRockJWTIAM

August 29, 2017
Created by: Daniel Redfern
Received the JWT error
Read More...

Unexpected character ('¾' (code 190)): expected a valid value

ForgeRock-OpenIDMOpenIDMIDMKeystore

June 25, 2017
Created by: Daniel Redfern
Unexpected character occurred when the IP addresses changes and the virtual instance was migrated into a separate network subnet.
Read More...
E_WARNING Error in file posts.php at line 464: fopen(http://www.technicalconfessions.com/images/postimages/postIcons/pp444.png): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found E_WARNING Error in file posts.php at line 464: fclose() expects parameter 1 to be resource, boolean given

OpenDJ Error - Connect Error Result Code: 91 (Connect Error)

OpenDJLDAPldapsearchForgeRock

June 5, 2017
Created by: Daniel Redfern
When trying to connect, I would then receive the following error "Connect Error Result Code: 91 (Connect Error)"
Read More...

Tomcat NioEndpoint$SocketProcessor.doRun java.lang.NullPointerException error

TomcatJava-8PKICAS

June 5, 2017
Created by: Daniel Redfern
When initiating the Tomcat instance, the cas-stderr log file will log a SEVERE error logging multiple times every few seconds
Read More...

IDM ERROR - JDBC repository configured but datasource default was not found

ForgeRockIDMJDBC

May 23, 2017
Created by: Daniel Redfern
IDM ERROR - JDBC repository configured but datasource default was not found
Read More...

OpenIDM Issue - javax.crypto.BadPaddingException: Given final block not properly padded

OpenIDMIDMForgeRockcryptography

May 23, 2017
Created by: Daniel Redfern
org.forgerock.json.JsonException: org.forgerock.json.crypto.JsonCryptoException: javax.crypto.BadPaddingException: Given final block not properly padded
Read More...