OAM 11g: Redirect Back To Originally Requested Page Using Success URL end_url Parameter Fails Or Goes To Application Homepage Instead (Doc ID 1598382.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Access Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Symptoms

An Oracle Access Manager (OAM) 11g authentication policy has been configured with a Success URL pointing to a custom page that performs post-login processing then redirects back to the originally requested protected page using the end_url parameter value.

OAM 11g automatically passes the originally requested protected resource URL to the Success URL page as the end_url URL query parameter.

This generally works, with the following flow:

1. An OAM-protected application page is requested.
2. User is redirected to the OAM 11g SSO login page and submits valid credentials.
3. OAM performs authentication and redirects the user to the Success URL with the end_url parameter added as a URL query parameter.
4. The Success URL page performs post-login processing then redirects the user back to the OAM-protected resource using the end_url parameter value.
5. The OAM-protected application page is displayed.

However, when the OAM-protected application page includes URL parameters, the final redirection (step 5) fails.

Either an application error occurs because the application URL is missing required parameters, or, as in the case of Oracle E-Business Suite (EBS), the user is redirected to the EBS Homepage instead of the page that triggered the redirect for OAM login. The EBS behavior occurs when the requested EBS URL is invalid. This commonly happens where the EBS session has expired and the user is redirected to OAM for relogin when clicking an EBS application link.

 

Closer examination of the HTTP header trace for the failing case shows that the application page URL originally includes URL query parameters, and all but the first of these parameters are lost in the final redirect back to the application page after login.

It looks like the Success URL page is not redirecting back to the complete application URL.

 

Example:

1. User requests OAM-protected application URL https://app.oracle.com/pages/setPrefs.jsp?param1=val1&param2=val2&param3=val3 from an unauthenticated browser session or one where the OAM session has expired.
2. The OAM SSO login page is displayed for (re)login.
3. The user submits valid OAM credentials.
4. The Success URL page redirects the user back to https://app.oracle.com/pages/setPrefs.jsp?param1=val1 (note that param2 and param3 from the original URL are missing).
5. The application either generates an error or redirects the user to the default homepage.
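
A diagnostic for the HTTP header trace, added here as an example (it is not Oracle code and not part of the original note): it takes the request made to the Success URL page and reports what a standard query-string parser recovers as end_url. The Success URL page address is a constructed placeholder, and the unencoded request is a constructed sample assumed for illustration, since the note does not show the actual request.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Originally requested URL, taken from the example in this note.
ORIGINAL = ("https://app.oracle.com/pages/setPrefs.jsp"
            "?param1=val1&param2=val2&param3=val3")
# Constructed placeholder for the custom Success URL page (assumption).
SUCCESS_PAGE = "https://sso.example.com/postlogin.jsp"


def inspect_success_request(request_url, expected_target):
    """Show how a standard parser sees end_url in a Success URL request."""
    params = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    end_url = params.get("end_url", [""])[0]
    # Names that appear next to end_url at the top level of the query string.
    # If end_url arrived unencoded, these are pieces split off the target URL.
    stray = sorted(name for name in params if name != "end_url")
    # Parameters of the original URL that the recovered end_url no longer has.
    wanted = parse_qs(urlsplit(expected_target).query, keep_blank_values=True)
    got = parse_qs(urlsplit(end_url).query, keep_blank_values=True)
    lost = sorted(set(wanted) - set(got))
    return {"end_url": end_url, "stray": stray, "lost": lost,
            "intact": end_url == expected_target}


# Constructed sample 1: target URL placed in end_url without encoding.
RAW_REQUEST = SUCCESS_PAGE + "?end_url=" + ORIGINAL
# Constructed sample 2: target URL percent-encoded before being appended.
ENCODED_REQUEST = SUCCESS_PAGE + "?end_url=" + quote(ORIGINAL, safe="")

if __name__ == "__main__":
    for label, req in (("raw", RAW_REQUEST), ("encoded", ENCODED_REQUEST)):
        print(label, inspect_success_request(req, ORIGINAL))
```

A non-empty `lost` list together with matching names in `stray` means the target URL was split at its own `&` separators before the Success URL page read end_url.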

 

 

Cause
