Authenticating against various realms

This topic contains 4 replies, has 2 voices, and was last updated by  cedric 11 hours, 23 minutes ago.

  • #20517
     cedric 
    Participant

    I understand that adding a realm parameter to the login page URL allows authenticating against that specific realm, e.g. http://openam.example.com:8080/openam/UI/Login?realm=hr

    The problem is that, for my application, I am modelling each tenant as a realm. Each realm would contain its own DataStore configured to a different LDAP Organization DN using the same embedded OpenDJ provided. Since all tenants’ users are logging in using the same login form, I am unable to determine beforehand what realm I should be authenticating against.

    Is there any way to solve this particular situation?

    #20518
     Andy Cory 
    Participant

    Hi Cedric

    How do your users reach the login page? A common use-case is that a user tries to access a resource that is protected by an AM agent and is redirected to the login page. The URL (including the realm param) to the login page is specified in the configuration for the agent. Are your tenants part of the same organisation, or entirely unrelated? If the former, then some sort of launch page with links to the same login page but with different params is a possibility.

    By the way, using the embedded OpenDJ for a user store is not recommended for anything other than a simple dev environment or PoC.

    -Andy

    #20520
     cedric 
    Participant

    Hi Andy,

    In my case tenants are not part of the same organization. I have thought of a similar idea to allow users to confirm their realm before redirecting to the login page with the correct realm param.

    I am wondering if this is the only way to do it or if there is a better approach.

    #20542
     Andy Cory 
    Participant

    Hi Cedric

    If tenants are from different organisations, each organisation would be given its own login URL, which would contain the realm param. (Or an alternative method of differentiating between realms, such as mapping a DNS alias to a realm.) Either way, each organisation would identify itself by the URL used to reach the login page. This seems like quite a simple use-case, so I could be missing what difficulty you are facing.

    -Andy
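
    The per-organisation login URL described in the reply above, sketched as an added example that is not part of the original thread and is not OpenAM's own DNS-alias feature: a launch page resolves the realm from the request's Host header through a fixed allowlist and rejects anything else. The tenant hostnames, the second realm name and the function names are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit

# Login endpoint taken from the URL quoted in the thread.
OPENAM_LOGIN = "http://openam.example.com:8080/openam/UI/Login"

# Constructed allowlist: one DNS alias per tenant, mapped to its realm.
HOST_TO_REALM = {
    "login.hr.example.com": "hr",
    "login.acme.example.com": "acme",
}


class UnknownTenant(Exception):
    """Raised when the request host does not map to a configured realm."""


def normalize_host(host_header):
    """Reduce a raw Host header to a bare lowercase hostname, or raise."""
    if not host_header or any(c.isspace() for c in host_header):
        raise UnknownTenant("empty or malformed Host header")
    # userinfo, path, query and fragment characters never belong in Host;
    # "user@host" in particular would otherwise parse as a valid hostname.
    if set("@/?#\\") & set(host_header):
        raise UnknownTenant("malformed Host header")
    try:
        parts = urlsplit("//" + host_header)
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        raise UnknownTenant("malformed Host header") from None
    # .hostname is already lowercased and has the port removed
    return (parts.hostname or "").rstrip(".")


def realm_for_host(host_header):
    """Exact-match lookup only: no suffix matching, no default realm."""
    host = normalize_host(host_header)
    try:
        return HOST_TO_REALM[host]
    except KeyError:
        raise UnknownTenant(f"no realm configured for {host!r}") from None


def login_url_for_host(host_header):
    """Build the realm-specific login URL for the tenant behind this host."""
    return OPENAM_LOGIN + "?" + urlencode({"realm": realm_for_host(host_header)})
```

    Because the realm value only ever comes from the allowlist, a visitor cannot steer the login to another tenant's realm by editing a query string on the launch page.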

    #20576
     cedric 
    Participant

    Hi Andy,

    Thanks for the suggestion. Guess I was constraining myself to the scenario where all users will see the same default login URL initially.


©2018 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
