Oracle Access Manager (OAM) Logout not Using ?end_URL Query Parameter Quick Start Guide
(Doc ID 2199095.1)
Last updated on APRIL 24, 2024
Applies to:
Oracle Access Manager - Version 11.1.2.3.210611 and later
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.
Goal
Oracle Access Manager (OAM) logout not using "?end_URL" query parameter Quick Start Guide
The end_url (passed in as a query parameter) after logout ... When a WebGate redirects to the server logout page, it records an "end" URL as a query parameter (end_url=http://<FQ_HOSTNAME>:<PORT>/...), which becomes the landing page that the OAM Server redirects the browser back to after logout.
(Note: The end_url value is configured using param.logout.targeturl in jps-config.xml.)
Oracle Access Manager has a configuration parameter called "oamWhiteListMode" which, if set to true, makes Access Manager redirect to the last URL requested by the consuming application only if that URL is configured as a white-list URL (oamWhiteListURLConfig)... for more information
Prior to Oracle Access Manager 11.1.2.3.0 the default value for "oamWhiteListMode" was false, but now it is true, which has resulted in symptoms like the following:
- End_url parameter used in SSO Logout Url vulnerable to Open Redirection
- Login page doesn't come after logout unless the browser is closed
- Logout END_URL Does Not Work
- Logout redirect using end_url not working
- Centralized logout end_url is not being processed
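The behaviour that whitelist mode enforces, shown as an added illustration (not OAM's own code or the oamWhiteListURLConfig format): the end_url parameter is taken from a logout request, and the browser is sent there only if it exactly matches an allow-listed scheme, host, port and path prefix; otherwise a default landing page is used. The logout URLs, hostnames and allow-list entries are constructed sample values.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of permitted post-logout landing URLs
# (illustrative stand-in for what oamWhiteListURLConfig would hold).
ALLOWED_END_URLS = (
    "https://app.example.com/portal/",
    "https://intranet.example.com/",
)
DEFAULT_LANDING = "https://sso.example.com/oam/server/logout_success"


def extract_end_url(logout_url: str) -> Optional[str]:
    """Return the end_url query parameter of a logout request, if present."""
    values = parse_qs(urlsplit(logout_url).query).get("end_url")
    return values[0] if values else None


def is_allowed_end_url(end_url: str, allowed=ALLOWED_END_URLS) -> bool:
    """True only for absolute http(s) URLs whose scheme, host, port and
    path prefix match an allow-list entry. Scheme-relative targets
    (//host/...) and userinfo tricks (trusted@evil) are rejected."""
    parts = urlsplit(end_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False
    for entry in allowed:
        e = urlsplit(entry)
        if (parts.scheme == e.scheme and parts.hostname == e.hostname
                and parts.port == e.port and parts.path.startswith(e.path)):
            return True
    return False


def resolve_logout_target(logout_url: str) -> str:
    """Whitelist-mode behaviour: honour end_url only when allow-listed."""
    end_url = extract_end_url(logout_url)
    if end_url and is_allowed_end_url(end_url):
        return end_url
    return DEFAULT_LANDING


if __name__ == "__main__":
    # Constructed logout requests: one legitimate, one pointing off-site.
    for req in (
        "https://sso.example.com/oam/server/logout?end_url=https://app.example.com/portal/home",
        "https://sso.example.com/oam/server/logout?end_url=https://evil.example.net/phish",
        "https://sso.example.com/oam/server/logout",
    ):
        print(req, "->", resolve_logout_target(req))
```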
Solution
To view full details, sign in with your My Oracle Support account.