Oracle Access Manager 11gr2ps3 (OAM 184.108.40.206.0) Logout not Using ?end_URL Query Parameter Quick Start Guide
(Doc ID 2199095.1)
Last updated on JULY 26, 2018
Applies to: Oracle Access Manager - Version 220.127.116.11.0 and later
Information in this document applies to any platform.
Oracle Access Manager 11gr2ps3 (OAM 18.104.22.168.0) logout not using "?end_URL" query parameter Quick Start Guide
The end_url (passed in as query parameter) after logout ... When a Webgate redirects to the server logout page, it records an "end" URL as a query parameter ("end_url=http://host:port/..."), which becomes the landing page that the OAM Server redirects back to after logout.
(Note: The end_url value is configured using param.logout.targeturl in jps-config.xml.)
Oracle Access Manager has a configuration parameter called "oamWhiteListMode". When it is set to true, Access Manager redirects to the last URL requested by the consuming application only if that URL is configured as a white-list URL (oamWhiteListURLConfig)... for more information
Prior to Oracle Access Manager 22.214.171.124.0 the default value for "oamWhiteListMode" was false, but now it is true, which has resulted in symptoms like the following:
- End_url parameter used in SSO Logout Url vulnerable to Open Redirection
- Login page doesn't come after logout unless the browser is closed
- Logout END_URL Does Not Work
- Logout redirect using end_url not working
- Centralized logout end_url is not being processed
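The following is an added illustration of the kind of check a white-list mode implies for end_url; it is not Oracle's code and does not reproduce OAM's actual matching rules. The host names, the fallback landing page and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample white list (placeholder hosts), stored as scheme://host:port.
WHITELIST = {"https://app.example.com:443", "http://portal.example.com:7777"}
DEFAULT_LANDING = "/logout-done"  # hypothetical fallback when end_url is rejected
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Normalize an absolute http(s) URL to scheme://host:port, else None."""
    # Backslashes and control characters are parsed differently by browsers
    # and by URL libraries, so treat them as invalid outright.
    if any(c in url for c in "\\\r\n\t"):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # relative, scheme-relative (//host) or non-http scheme
    if parts.username is not None or parts.password is not None:
        return None  # user@host forms hide the real destination host
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def resolve_end_url(end_url, whitelist_mode=True, whitelist=WHITELIST):
    """Return the URL to redirect to after logout."""
    if not whitelist_mode:
        # Mode off: any end_url is followed, which is the open-redirect case.
        return end_url
    if origin_of(end_url or "") in whitelist:
        return end_url
    # Mode on and origin not listed: end_url is ignored (assumed fallback).
    return DEFAULT_LANDING


if __name__ == "__main__":
    for candidate in ("https://app.example.com/home",
                      "https://app.example.com@other.example/",
                      "//other.example/"):
        print(candidate, "->", resolve_end_url(candidate))
```

With the mode on, an application whose origin was never added to the white list sees its end_url ignored, which matches the "end_url not working" symptoms listed above.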
This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.