Oracle Access Manager 11g R2PS3 (OAM 11.1.2.3) Logout not Using ?end_URL Query Parameter Quick Start Guide
(Doc ID 2199095.1)
Last updated on NOVEMBER 13, 2019
Applies to: Oracle Access Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.
The end_url (passed in as a query parameter) after logout ... When a WebGate redirects to the server logout page, it records an "end" URL as a query parameter (end_url=http://<FQ_HOSTNAME>:<PORT>/...), which becomes the landing page that the OAM Server redirects back to after logout.
(Note: The end_url value is configured using param.logout.targeturl in jps-config.xml.)
Oracle Access Manager has a configuration parameter called "oamWhiteListMode" which if set to true, Access Manager redirects to the last URL requested by the consuming application only if it is configured as a white-list URL (oamWhiteListURLConfig)... for more information
Prior to Oracle Access Manager 11.1.2.3.0 the default value for "oamWhiteListMode" was false, but now it is true, which has resulted in symptoms like the following:
- End_url parameter used in SSO Logout Url vulnerable to Open Redirection
- Login page doesn't come after logout unless the browser is closed
- Logout END_URL Does Not Work
- Logout redirect using end_url not working
- Centralized logout end_url is not being processed
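The symptoms above are two sides of the same control: with oamWhiteListMode disabled, any end_url is honoured (the open-redirect finding); with it enabled, an end_url that is not on the allow-list is silently ignored and the user lands on the default target instead. The following is an added illustration, not Oracle's code and not the format of oamWhiteListURLConfig, of how an allow-list check on a post-logout redirect has to compare the full origin (scheme, host, port) rather than a string prefix, and why a naive prefix check is not enough. The allow-list entries, host names, and the `resolve_logout_target` fallback are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of permitted post-logout landing origins.
# (Assumption for this example; OAM's oamWhiteListURLConfig is its own format.)
ALLOWED_LOGOUT_TARGETS = {
    ("https", "portal.example.com", 443),
    ("http", "intranet.example.com", 8080),
}


def _origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # .hostname is already lower-cased and strips any user:pass@ prefix,
    # so "https://portal.example.com@evil.example/" resolves to evil.example.
    return (parts.scheme, parts.hostname, port)


def naive_prefix_check(end_url, allowed_prefix="https://portal.example.com"):
    """The mistake this note warns about: a prefix test passes
    https://portal.example.com.evil.example/ as if it were the portal."""
    return end_url is not None and end_url.startswith(allowed_prefix)


def is_allowed_end_url(end_url, allow_list=ALLOWED_LOGOUT_TARGETS):
    """Allow-list check equivalent in spirit to oamWhiteListMode=true."""
    if not end_url:
        return False
    # A path-only relative target stays on the OAM host. Reject "//host"
    # (scheme-relative) and "/\host" (browsers treat backslash as slash).
    if end_url.startswith("/"):
        return len(end_url) == 1 or end_url[1] not in "/\\"
    origin = _origin(end_url)
    return origin is not None and origin in allow_list


def resolve_logout_target(end_url, default_target):
    """Mirror the observed behaviour: an unlisted end_url is ignored and the
    configured default (cf. param.logout.targeturl) is used instead."""
    return end_url if is_allowed_end_url(end_url) else default_target


if __name__ == "__main__":
    for candidate in (
        "https://portal.example.com/home",
        "https://portal.example.com.evil.example/",
        "https://portal.example.com@evil.example/",
        "//evil.example/",
        "/app/home",
    ):
        print(f"{candidate:45} prefix={naive_prefix_check(candidate)!s:5} "
              f"allowlist={is_allowed_end_url(candidate)}")
```

When a logout redirect "stops working" after enabling the allow-list, the first thing to check is whether the end_url's scheme and port match the configured entry exactly (http vs https, 80 vs 8080), since that is what an origin comparison keys on.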