Controlling Redirects

Authentication Challenge Redirect

When a client first accesses a protected resource, IAG will attempt to redirect the client so that the client can authenticate.

Defaults when Using OIDC

If an OIDC identity source is configured, clients are redirected to /pkmsoidc?iss=default to start the OIDC authentication process.

Configuration

To create a customized authentication process, use the auth_challenge_redirect entry to set the URL to which challenged clients are redirected.

In the example below, clients are redirected to the URL /auth_app/login with a query string parameter named originalUrl containing the URL the client attempted to access when challenged to authenticate.

version: 23.04

identity:
  auth_challenge_redirect: 
    url: /auth_app/login
    parameters:
    - name: originalUrl
      source: macro
      value: URL

See the YAML reference for the auth_challenge_redirect entry.

Further information about creating a customized authentication process using external authentication can be found in the External Authentication topic.

Authentication Complete Redirect

Default Behavior

Once a client has successfully authenticated, IAG will redirect the client to the initial resource they attempted to access when the authentication challenge took place.

Static Configuration

IAG can also be configured to redirect clients after authentication to a specific URL using the auth_complete_redirect entry.

In the example below, clients are redirected to the URL /application/landing with a query string parameter named originalUrl containing the URL the client attempted to access when challenged to authenticate.

version: 23.04

identity:
  auth_complete_redirect: 
    url: /application/landing
    parameters:
    - name: originalUrl
      source: macro
      value: URL

See the reference for the auth_complete_redirect entry.

External Authentication Header

When using external authentication, the external authentication application can indicate to IAG that the client should be redirected to a specific URL. See the AM-EAI-REDIR-URL header in External Authentication Headers.

Redirect URL Prioritization

In some situations there may be more than one possible redirect URL. The ordered list below indicates which redirect URL will take priority.

  1. The auth_complete_redirect URL (if configured)
  2. The URL indicated in the AM-EAI-REDIR-URL header (if this was an external authentication event)
  3. The original resource the client attempted to access when challenged for authentication
  4. If none of the above are present, the login_success management page. (See Custom Pages)
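
The challenge redirect example above hands the custom login application an originalUrl query parameter, and the External Authentication Header section lets that application name a post-login redirect in AM-EAI-REDIR-URL. The Python below is an added example, not IBM's code: it assumes the application echoes originalUrl back in that header and the query string has already been decoded, and it checks the value first so that only targets on the gateway are returned. ALLOWED_HOSTS, gateway.example.com and both function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the gateway's public host name (constructed sample value).
ALLOWED_HOSTS = frozenset({"gateway.example.com"})
MAX_LEN = 2048


def safe_redirect_target(original_url, allowed_hosts=ALLOWED_HOSTS):
    """Return original_url if it stays on the gateway, else None."""
    if not original_url or len(original_url) > MAX_LEN:
        return None
    # Control characters enable header injection; browsers read "\" as "/".
    if "\\" in original_url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in original_url):
        return None
    try:
        parts = urlsplit(original_url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if not parts.scheme and not parts.netloc:
        # Server-relative path only. Reject "//..." prefixes: browsers may
        # read the text after extra slashes as a host name.
        ok = original_url.startswith("/") and not original_url.startswith("//")
        return original_url if ok else None
    # Absolute URL: https only, exact host match (rejects userinfo and ports).
    if parts.scheme == "https" and parts.netloc.lower() in allowed_hosts:
        return original_url
    return None


def eai_redirect_headers(original_url):
    """Headers the external authentication app adds to its response (hypothetical helper)."""
    target = safe_redirect_target(original_url)
    # Omitting the header leaves the redirect choice to IAG's own priority list.
    return {"AM-EAI-REDIR-URL": target} if target else {}


if __name__ == "__main__":
    # Constructed sample values for originalUrl.
    for sample in ("/application/landing?tab=1",
                   "https://gateway.example.com/app",
                   "//other.example/x",
                   "https://gateway.example.com@other.example/"):
        print(repr(sample), "->", eai_redirect_headers(sample))
```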