Last updated on MARCH 08, 2017
Applies to: Oracle Access Manager - Version 126.96.36.199.0 and later
Information in this document applies to any platform.
Oracle Access Manager 11gR2 PS3 (OAM 188.8.131.52.0) logout not using "?end_URL" query parameter Quick Start Guide
The end_url (passed in as query parameter) after logout ... When a Webgate redirects to the server logout page, it records an "end" URL as a query parameter (end_url="http://host:port/..."), which becomes the landing page that the OAM Server redirects back to after logout.
(Note: The end_url value is configured using param.logout.targeturl in jps-config.xml.)
Oracle Access Manager has a configuration parameter called "oamWhiteListMode". When it is set to true, Access Manager redirects to the last URL requested by the consuming application only if that URL is configured as a white-list URL (oamWhiteListURLConfig)... for more information
Prior to Oracle Access Manager 184.108.40.206.0, the default value for "oamWhiteListMode" was false; it is now true, which has resulted in symptoms like the following:
- End_url parameter used in SSO Logout Url vulnerable to Open Redirection
- Login page doesn't come after logout unless the browser is closed
- Logout END_URL Does Not Work
- Logout redirect using end_url not working
- Centralized logout end_url is not being processed
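The sketch below models the redirect decision described above, to show why an end_url that is not on the white list stops being honoured once the mode is true. It is an added example, not Oracle's code: the allowed origins, the fallback page, the sample hosts and the choice to match on scheme, host and port are all assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample values; a real deployment reads these from its own configuration.
ALLOWED_ORIGINS = {
    ("https", "app.example.com", 443),
    ("http", "portal.example.com", 7777),
}
DEFAULT_LANDING = "/logged-out"  # hypothetical fallback page
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, or None."""
    # Backslashes and control characters are parsed differently by browsers.
    if any(ch in url for ch in "\\\r\n\t"):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # relative, scheme-relative (//host) or non-http target
    if parts.username is not None or parts.password is not None:
        return None  # userinfo can disguise the real host
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def resolve_logout_target(logout_url, whitelist_mode=True):
    """Pick the landing page for a logout request carrying end_url."""
    values = parse_qs(urlsplit(logout_url).query).get("end_url", [])
    if len(values) != 1:
        return DEFAULT_LANDING  # missing or repeated parameter
    end_url = values[0]
    if not whitelist_mode:
        return end_url  # old default: whatever the request names is followed
    if origin_of(end_url) in ALLOWED_ORIGINS:
        return end_url
    return DEFAULT_LANDING
```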