OAM 11gR2 as Service Provider with DCC WebGate: Custom Error Page Configuration Causes HTTP-503 Service Unavailable and Blank Page In Browser (Doc ID 2033769.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Access Manager - Version 11.1.2.2.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Access Manager (OAM) 11.1.2.2 is configured as a Service Provider (SP) with a third-party Identity Provider (IdP). OAM is configured with a DCC WebGate.

The OAM Server custom error page is not displayed when OAM SP Identity Federation SSO fails. A blank page is displayed in the browser, and the HTTP header trace shows that the DCC WebGate is returning an HTTP-503 Service Unavailable error to the client.

The DCC WebGate login, error and logout pages have been customised with reference to the following documentation:

Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.2.2)
Fusion Middleware Developer's Guide for Oracle Access Management
4.6 Using the Credential Collectors with Custom Pages

However, for Identity Federation SSO the custom error and logout pages must be configured on the OAM Server, not on the DCC WebGate.

The requirement is to configure a custom error page for the cases where Identity Federation SSO fails, for example when OAM acting as SP encounters an error while processing the response from the IdP.

Therefore, the OAM Server has been configured with a custom error page using the updateCustomPages WLST command, as described in the following documentation:

Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.2.2)
Fusion Middleware Developer's Guide for Oracle Access Management
4.7 Specifying the Custom Error and Logout Page Deployment Paths

The custom error page is still not displayed when OAM SP Identity Federation SSO fails. Only a blank page is displayed in the browser, and the HTTP header trace shows that the DCC WebGate returned HTTP-503 Service Unavailable to the client.

The problem does not reproduce with the Embedded Credential Collector (ECC). It also does not reproduce with a DCC WebGate and the default OAM Server error page.

The OAM Server log shows that a ClassCastException was generated when processing the forward to the custom error page:


Steps to reproduce
1. Configure OAM with a DCC WebGate for login.
2. Configure OAM as Service Provider with an Identity Provider.
3. Protect an application resource with the FederationScheme authentication scheme.
4. Misconfigure the Identity Provider NameID mapping settings in the OAM Console to cause an Identity Federation SSO failure, e.g. specify an incorrect user attribute name.
5. Access the FederationScheme-protected resource.
6. The IdP login page is displayed.
7. Submit valid IdP domain credentials.
8. A blank page is displayed in the browser with an HTTP-503 Service Unavailable response.
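To confirm the symptom from a captured HTTP header trace rather than by eye, the following added script (not Oracle's code) splits a raw request/response trace into exchanges and flags any that returned HTTP 503 with an empty body, which is the blank-page behaviour described above. The trace format and the sample exchanges embedded below are constructed for illustration; the SP and IdP paths are assumed, not taken from a real deployment.

```python
"""Flag HTTP-503 / blank-page exchanges in a captured header trace (added example)."""
import re
from typing import Dict, List

REQUEST_LINE = re.compile(r"^(GET|POST) \S+ HTTP/1\.[01]$")
RESPONSE_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})")

# Constructed sample trace: SP redirect to IdP, IdP login page, then the
# POST of the IdP response back to the SP that comes back as a blank 503.
SAMPLE_TRACE = """\
GET /protected/app HTTP/1.1
Host: sp.example.com

HTTP/1.1 302 Found
Location: https://idp.example.com/sso?SAMLRequest=...
Content-Length: 0

GET /sso?SAMLRequest=... HTTP/1.1
Host: idp.example.com

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2048

POST /oamfed/sp/samlv20 HTTP/1.1
Host: sp.example.com

HTTP/1.1 503 Service Unavailable
Content-Length: 0
"""

def parse_trace(trace: str) -> List[Dict]:
    """Group trace lines into exchanges: a request line, then its status and headers."""
    exchanges, current = [], None
    for raw in trace.splitlines():
        line = raw.strip()
        if REQUEST_LINE.match(line):
            current = {"request": line, "status": None, "headers": {}}
            exchanges.append(current)
        elif current is not None:
            m = RESPONSE_LINE.match(line)
            if m:
                current["status"] = int(m.group(1))
            elif ":" in line:
                name, value = line.split(":", 1)
                current["headers"][name.strip().lower()] = value.strip()
    return exchanges

def blank_503_exchanges(exchanges: List[Dict]) -> List[str]:
    """Return request lines answered with 503 and no body (Content-Length 0, or
    neither Content-Length nor Transfer-Encoding present)."""
    hits = []
    for ex in exchanges:
        h = ex["headers"]
        empty = h.get("content-length") == "0" or (
            "content-length" not in h and "transfer-encoding" not in h)
        if ex["status"] == 503 and empty:
            hits.append(ex["request"])
    return hits
```

Run `blank_503_exchanges(parse_trace(open("trace.txt").read()))` against your own capture; a non-empty result on the SP endpoint, with no error-page HTML in the response, matches the symptom of this note.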

Cause
