Issue
Recently, a client with a private users area received complaints regarding an unexpected error page been displayed in Portal. Even a user tweeted that page tagging the company, so the problem was considered critical to the top management. The page was the following standard unfriendly OAM error page:
The URL was: /oam/server/auth_cred_submit.
Firstly, we tried to reproduce the issue, which was not easy because users did not remember the actions they performed. After some testing, the issue was reproduced:
- Access protected URL.
- Portal application login page is displayed.
- Introduce valid credentials.
- Portal home page is accessed.
- Click browser Back button.
- OAM error page appears.
The explanation of this error is:
- The login page submits the "request_id" or the "OAM_REQ" value sent by OAM when redirecting to the external login page.
- When user introduces credentials and click login, a value for request_id is set into the HTTP Header.
- The back button does not reset the values already set via cookie or Header information into the browser.
- The second time "auth_cred_submit" is accessed, the values from the previous login are sent to the server, which interprets them as invalid because are from a different session.
So Oracle Support was contacted about this problem. If that page could not be avoided, at least we wanted to have it customised.
Solution
Apparently, that OAM page cannot be customised, but the engineer managed to reproduce the issue and built an effective workaround. It involves deploying a custom pages application in OAM application server.
- Copy oamcustompages.war file in a local machine. This file is located in the following path: $IDM_HOME/oam/server/tools/custompages/
- Unpack this war file.
- Navigate to the "pages" folder inside the uncompressed war and create a page named: Error.html. That page would contain the HTML code to be displayed in the reproduced scenario, so it should include the cient look&feel.
- Other pages in that folder may be deleted.
- Compress the folders back to oamcustompages.war. Then rename that file, i.e. oamcustompages1.war.
- Deploy the war in the application server where OAM is running. For information about deploying an application to WebLogic Server, check this link.
- OAM Custom Pages must be updated using WLST:
7.1 Start WebLogic Scripting Tool (WLST) in OAM Oracle home, located under the installation folder: /Oracle_IDM1/common/bin).
7.2. Connect to the Weblogic AdminServer as the Weblogic Administration User.
For instance:
wls:/offline> connect();
Please enter your username [weblogic] :weblogic
Please enter your password [welcome1] :Oracle
Please enter your server URL [t3://localhost:7001] :t3://oamadminserver.oracle.com:7001
7.3. Execute the following WLST command:
updateCustomPages(pageExtension ="html", context="/oamcustompages1");
Where context is the name assigned to the war file in step 5.
You should receive the following message: "Custom page configuration updated successfully"
8. Test the scenario. A new error message should be displayed, defined in Error.html file.
<meta http-equiv="refresh" content="0;url=/../oam/server/logout?end_url=/myApp">
As this content is in the page header, as soon as it starts loading, user is redirected to logout page, where session cookie (OAMAuthnCookie_) is removed. Eventually, the login page is displayed to the user, this is specified by the URL parameter end_url. So customers would not even see the error page.
References
Oracle Service Request: SR 3-10186096271 : OAM how to avoid auth_cred_submit page to be displayed to users
Installing and Configuring OAM with WebCenter Portal
Benefits of Oracle Access Manager
Deploying Applications to WebLogic Server
WebLogic Scripting Tool Command Reference
Enabling Error Page Customization
Using meta refresh to create an instant client-side redirect
Configuring Centralized Logout for OAM 11g
