Loop redirection issue for web policy agent?

I followed the installation guide for the Apache web policy agent, but this always leads to an endless loop of redirects between the web application server and the application. Firefox says, "The page is not redirecting properly," and Chrome says "this web page has a redirect cycle." The setup is Apache 2 on port 80 with a small demo application and a web policy agent, and a Tomcat 7 server on port 8080 with an OpenAM server (formerly Sun's OpenSSO):

The Live HTTP Headers Firefox plugin shows that the policy agent and the OpenAM server (i.e., the Apache and Tomcat servers) redirect to each other, although the server correctly sets the SSO cookie. The SSO token cookie name has the default value iPlanetDirectoryPro. Any idea how to solve the problem?

+6
2 answers

After a whole week, I finally figured it out using Stack Overflow and the OpenAM mailing list. There were two main problems: missing log files and a missing cookie domain. Installing an OpenAM server and a web policy agent is difficult; there are many log files and many different configuration options. If you select the wrong parameters, it will not work, and it is impossible to make it work without knowing what is happening, which can only be determined from a suitable log file.

Missing log for the web policy agent. The log level must be set in the Java properties files. There are two Java properties files for the web policy agent, OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties. The logging and debugging level, called com.sun.identity.agents.config.debug.level, can and must be defined in both (!) files, and it must be set to a high level, all:4 or all:5. The format is important. Even if you do this, the AgentConfiguration.properties file is only used when the agent is not in central configuration mode; the profile must be set to "local".

Missing cookie domain. Remember to enter the correct cookie domain when setting up the OpenAM server at the beginning, or add it afterwards if it is missing. On the OpenAM server, go to Configuration > System > Platform and set the cookie domain value to your domain (for instance .example.com) if it is missing. Otherwise, the browser will lose your cookie during the redirect process. Somehow I had an empty entry for the cookie domain on the OpenAM server; I think I forgot the dot (example.com instead of .example.com), so that it was invalid (or something like that).

This troubleshooting site has helped find the problem.

+9
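The "missing cookie domain" failure above is a browser-side cookie scoping problem, which can be replayed offline. The following is an added example, not code from the original question or answers and not part of OpenAM or the agent. It models just enough of RFC 6265 (sections 5.1.3, 5.3 and 5.4) to show why the iPlanetDirectoryPro cookie is or is not sent back to the agent host, and walks the agent <-> OpenAM redirect exchange for several cookie-domain settings. The host names www.example.com (Apache plus agent) and sso.example.com (Tomcat plus OpenAM), the paths, the token value and the hop limit are all assumptions; the ports from the question do not matter here because cookies are not scoped by port. Note that browsers following RFC 6265 ignore a leading dot, so example.com and .example.com scope identically on the browser side; whatever OpenAM itself does when validating the setting server-side is not modelled.

```python
"""Offline model of the agent <-> OpenAM redirect loop and SSO cookie scoping."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed deployment (not from the original post): agent and OpenAM on two
# hosts under one parent domain. Cookies ignore the port, so 80 vs 8080 is
# irrelevant; only the host name matters for scoping.
AGENT_HOST = "www.example.com"      # Apache 2 + web policy agent (assumed)
OPENAM_HOST = "sso.example.com"     # Tomcat 7 + OpenAM (assumed)
SSO_COOKIE = "iPlanetDirectoryPro"  # default SSO token cookie name
MAX_HOPS = 8                        # hop cap standing in for the browser's own limit


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match; a leading dot on the domain is ignored."""
    host = host.lower()
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass
class StoredCookie:
    value: str
    domain: str       # responding host (host-only cookie) or the Domain attribute
    host_only: bool


class BrowserJar:
    """Minimal RFC 6265 section 5.3 (storage) / 5.4 (sending) behaviour."""

    def __init__(self) -> None:
        self.cookies: dict[str, StoredCookie] = {}

    def store(self, request_host: str, name: str, value: str,
              domain: str | None) -> bool:
        """Return True if stored, False if the browser rejects the Set-Cookie."""
        if not domain:
            # No Domain attribute: host-only cookie, returned only to request_host.
            self.cookies[name] = StoredCookie(value, request_host.lower(), True)
            return True
        if not domain_matches(request_host, domain):
            # Domain attribute does not cover the responding host: cookie is ignored.
            return False
        self.cookies[name] = StoredCookie(value, domain.lower().lstrip("."), False)
        return True

    def cookies_for(self, host: str) -> dict[str, str]:
        """Cookies the browser would attach to a request for this host."""
        host = host.lower()
        sent: dict[str, str] = {}
        for name, c in self.cookies.items():
            if c.host_only and host == c.domain:
                sent[name] = c.value
            elif not c.host_only and domain_matches(host, c.domain):
                sent[name] = c.value
        return sent


def redirect_chain(cookie_domain: str | None) -> tuple[bool, list[str]]:
    """Replay the agent/OpenAM exchange for one OpenAM cookie-domain setting.

    Returns (reached_app, trace); reached_app is False when the browser
    would give up with a redirect cycle error.
    """
    jar = BrowserJar()
    host = AGENT_HOST
    trace: list[str] = []
    for _ in range(MAX_HOPS):
        if host == AGENT_HOST:
            if SSO_COOKIE in jar.cookies_for(host):
                trace.append(f"GET {AGENT_HOST}/demo -> 200 (agent sees {SSO_COOKIE})")
                return True, trace
            # Agent has no token: redirect to the OpenAM login page.
            trace.append(f"GET {AGENT_HOST}/demo -> 302 to {OPENAM_HOST}/openam/UI/Login")
            host = OPENAM_HOST
        else:
            # OpenAM already has a session: sets the token cookie and sends the
            # browser back to the application (constructed token value).
            stored = jar.store(host, SSO_COOKIE, "AQIC5w...", cookie_domain)
            trace.append(
                f"GET {OPENAM_HOST}/openam/UI/Login -> 302 to {AGENT_HOST}/demo, "
                f"Set-Cookie: {SSO_COOKIE}=...; Domain={cookie_domain or '(none)'} "
                f"[{'stored' if stored else 'REJECTED'}]"
            )
            host = AGENT_HOST
    trace.append("browser: redirect cycle")
    return False, trace


if __name__ == "__main__":
    for setting in (".example.com", "example.com", None, "sso.example.com", ".other.com"):
        ok, steps = redirect_chain(setting)
        print(f"\ncookie domain {setting!r}: {'OK' if ok else 'LOOP'}")
        for line in steps:
            print("  " + line)
```

Running it shows the three ways the loop arises: no cookie domain (the cookie becomes host-only for sso.example.com and never reaches www.example.com), a cookie domain equal to the OpenAM host rather than the shared parent domain, and a domain the browser rejects outright because it does not cover the responding host. Only a parent-domain value covering both hosts lets the agent see the token on the next request. The same walk can be done by hand against the Live HTTP Headers capture from the question: look at the Domain attribute on the Set-Cookie from Tomcat and check whether the following request to Apache carries a Cookie header at all.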

@0x4a6f4672, your post was absolutely helpful. Something else to add to your answer. The following changes are what I had to do in the config to make it work, at least to get it working in the open.

    com.sun.identity.agents.config.user.mapping.mode=USER_ID
    # do not use HTTP_HEADER
    com.sun.identity.agents.config.user.attribute.name=uid
    com.sun.identity.agents.config.user.principal=true
    # do not use false
    com.sun.identity.agents.config.user.token=SsoUserHeader
    # keep whatever header name your application expects; in my case Alfresco

Now, if you start the agent not in centralized mode but in local mode, the parameters for the profile attribute can only be set via the properties file, so add the following:

    com.sun.identity.agents.config.profile.attribute.fetch.mode=HTTP_HEADER
    com.sun.identity.agents.config.profile.attribute.mapping[uid]=SsoUserHeader
    # whatever you want the header to arrive at the browser as

0x4a6f4672 said that it is difficult to debug if you are not in local mode, so switch to local mode immediately, start following the logs and change the configuration accordingly.

+1

Source: https://habr.com/ru/post/891030/
