Forgotten Password is not working as expected on HTTPS. We have unchecked SSL on the webserver but it is still not working on HTTPS.
On the Forgotten Password screen, if the user clicks Cancel, they are redirected to an error page because they have been forwarded to HTTP instead of staying on HTTPS.
The environment is integrated with SiteMinder/SSO.
The logoffUri in the SSO Agent Configuration Object (ACO) is not configured correctly.
The ACO for the IM environment in SiteMinder had the logoffUri pointing to an unfamiliar, incorrect JSP. Per the IM documentation, when SSO is protecting IM, the IM logout.jsp does not do anything. Instead, the ACO logoffUri needs to be set to /iam/im/logout.jsp.
Another cause would be an incorrect Base URL for the Environment in the IDM Management Console.
Set the ACO logoffUri via the SSO AdminUI to:
/iam/im/logout.jsp
See also: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/configuring/ca-single-sign-on-integration/ca-sso-operations/configure-the-logoff-uri.html
An additional possible cause is having the wrong URL set in the Base URL in the IDM Management Console. We saw similar behavior: the logout was redirecting to HTTP instead of HTTPS, but the logoffUri in SiteMinder was configured with /iam/im/logout.jsp correctly.
This was tracked down to the Base URL in Management Console > Environments > Environment Name being set to the HTTP URL.
Changing this to an HTTPS address with the secure port resolved the issue and redirected to the correct URL on logout.
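To confirm that neither cause remains after the change, the redirects in the cancel and logout flow can be checked for any hop that leaves HTTPS. The following is an added example, not part of the original article or of the product: it scans a HAR export (saved from the browser's network tools) for HTTPS-to-HTTP redirects. The host name and the EXAMPLE_ENV paths in the sample are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def redirect_target(entry):
    """Absolute redirect target of one HAR entry, or None if it is not a redirect."""
    resp = entry["response"]
    if resp.get("status") not in REDIRECT_CODES:
        return None
    # HAR 1.2 carries the Location value in redirectURL; fall back to the raw header.
    location = resp.get("redirectURL") or next(
        (h["value"] for h in resp.get("headers", []) if h["name"].lower() == "location"),
        "",
    )
    # Location may be relative, so resolve it against the request URL as a browser does.
    return urljoin(entry["request"]["url"], location) if location else None

def find_downgrades(har):
    """Return (source, target) for every redirect that leaves HTTPS for HTTP."""
    findings = []
    for entry in har["log"]["entries"]:
        source = entry["request"]["url"]
        target = redirect_target(entry)
        if target and urlsplit(source).scheme == "https" and urlsplit(target).scheme == "http":
            findings.append((source, target))
    return findings

# Constructed sample: host and EXAMPLE_ENV paths are placeholders, not real values.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://idm.example.com/iam/im/EXAMPLE_ENV/cancel"},
     "response": {"status": 302, "redirectURL": "http://idm.example.com/iam/im/logout.jsp"}},
    {"request": {"url": "https://idm.example.com/iam/im/logout.jsp"},
     "response": {"status": 302, "redirectURL": "",
                  "headers": [{"name": "Location", "value": "/iam/im/EXAMPLE_ENV/"}]}},
    {"request": {"url": "https://idm.example.com/iam/im/EXAMPLE_ENV/"},
     "response": {"status": 200, "redirectURL": ""}},
]}}

if __name__ == "__main__":
    for source, target in find_downgrades(SAMPLE_HAR):
        print(f"HTTPS -> HTTP downgrade: {source} -> {target}")
```

For a real capture, load the exported file with `json.load` and pass the result to `find_downgrades`; an empty list means every redirect in the recorded flow stayed on HTTPS.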