
Oracle Access Manager 11g (OAM 11.1.1.5.x) How To Prevent URL Redirection to an Unwanted OAM Logout Landing Page (Doc ID 1603720.1)

Last updated on NOVEMBER 14, 2019

Applies to:

Oracle Access Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Goal

Oracle Access Manager 11g (OAM 11.1.1.5.x) How To Prevent URL Redirection to an Unwanted OAM Logout Landing Page

  • OAM has a feature that uses the query string parameter "end_url" to redirect the browser to a landing page after logout. However, a URL can be appended to the end_url parameter, either manually or programmatically, and the browser will be redirected there. The OAM server performs the server-side logout operations and redirects the browser to the URL specified in the "end_url" query parameter whether or not the user is logged in, which is not the desired behavior.
  • By default, the OAM server and the hostname variations for the WebGate host identifiers are automatically whitelisted.
  • So simply enabling oamSetWhiteListMode may be enough, but the URL whitelist may need to be broader; the oamWhiteListURLConfig command allows adding additional URLs as needed.
  • Once oamSetWhiteListMode is enabled and any additional URLs are included using oamWhiteListURLConfig, OAM only allows the browser to redirect to the allowed hostnames and URLs.

The goal is to allow only URLs that are expected and approved!
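To confirm that only approved landing pages appear in logout traffic, the allowlist rule can be checked outside OAM. The following is an added example, not Oracle's code and not OAM's implementation: it audits request URLs for end_url values that fall outside an approved set of origins. The hostnames, the logout path and the function names are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: (scheme, host, port) origins approved as landing pages.
ALLOWED = {("https", "portal.example.com", 443), ("https", "sso.example.com", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample requests; the logout path is an assumption, not from the page.
SAMPLE_REQUESTS = [
    "https://sso.example.com/oam/server/logout?end_url=https%3A%2F%2Fportal.example.com%2Fhome",
    "https://sso.example.com/oam/server/logout?end_url=https%3A%2F%2Fportal.example.com.other.test%2F",
    "https://sso.example.com/oam/server/logout?end_url=%2F%2Fother.test%2Fpath",
    "https://sso.example.com/oam/server/logout?end_url=https%3A%2F%2Fportal.example.com%40other.test%2F",
]

def end_url_allowed(end_url, allowed=ALLOWED):
    """Return True only if end_url is an absolute http(s) URL on an approved origin."""
    if not end_url or "\\" in end_url or any(ord(c) < 0x21 for c in end_url):
        return False  # browsers rewrite backslashes and strip control characters
    try:
        parts = urlsplit(end_url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return False  # non-http schemes, scheme-relative //host, relative paths
    if parts.username is not None or parts.password is not None:
        return False  # userinfo hides the real host after the "@"
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower().rstrip("."), port) in allowed

def audit_logout_requests(request_urls, allowed=ALLOWED):
    """Return (request, end_url) pairs whose end_url is outside the allowlist."""
    findings = []
    for req in request_urls:
        query = parse_qs(urlsplit(req).query, keep_blank_values=True)
        for value in query.get("end_url", []):
            if not end_url_allowed(value, allowed):
                findings.append((req, value))
    return findings
```

The comparison is on the exact parsed origin rather than a string prefix, so a look-alike host such as portal.example.com.other.test is reported even though it starts with an approved name.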


 

Solution

To view full details, sign in with your My Oracle Support account.
