How To Prevent URL Redirection to an Unwanted OAM Logout Landing Page (Doc ID 1603720.1)

Last updated on SEPTEMBER 21, 2016

Applies to:

Oracle Access Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Goal

OAM supports a query-string parameter, "end_url", that redirects the browser to a landing page after logout.

However, any URL can be appended to the end_url parameter, either manually or programmatically, and the browser will be redirected there.

For example, given https://www.acme.com/oam/server/logout?end_url=http://www.badsite.com/signup.jsp, where www.acme.com is a valid OAM-protected site, the browser will instead be redirected to http://www.badsite.com/signup.jsp.

The OAM server performs the server-side logout operations and redirects the browser to the URL specified in the "end_url" query parameter, whether or not the user is logged in.

This is not desired behavior.

The goal is to allow only expected and approved URLs.
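
The following is an added example, not part of the Oracle note and not Oracle's solution: a sketch of what "only allow URLs expected and approved" means as an exact-origin allowlist check on end_url, usable for reviewing logged logout requests or as the logic of a filtering rule in front of the logout endpoint. APPROVED_ORIGINS, the function names and the /home path are assumptions; the host names are the ones used in the example above.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: (scheme, host, port) origins approved as logout landing pages.
APPROVED_ORIGINS = {("https", "www.acme.com", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def end_url_allowed(end_url, approved=APPROVED_ORIGINS):
    """Return True only if end_url is an absolute URL on an approved origin."""
    # Browsers treat "\" like "/" and drop control characters; reject both
    # so the parser and the browser cannot disagree about the host.
    if "\\" in end_url or any(ord(c) < 0x21 or ord(c) == 0x7F for c in end_url):
        return False
    try:
        parts = urlsplit(end_url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    # Rejects relative and scheme-relative (//host) values and non-HTTP schemes.
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return False
    # https://www.acme.com@www.badsite.com/ points at www.badsite.com.
    if parts.username is not None or parts.password is not None:
        return False
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # Exact match on the whole origin: no prefix, suffix or substring tests.
    return (scheme, parts.hostname.lower(), port) in approved


def check_logout_request(request_url, approved=APPROVED_ORIGINS):
    """Classify a logout request URL: 'no_end_url', 'allow' or 'reject'."""
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    values = query.get("end_url", [])
    if not values:
        return "no_end_url"
    # Repeated end_url parameters are ambiguous; require exactly one.
    if len(values) != 1 or not end_url_allowed(values[0], approved):
        return "reject"
    return "allow"
```

Matching on the full origin rather than on a string prefix is what keeps look-alike hosts such as www.acme.com.badsite.com from passing the check.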


Solution
