Tagged: Authentication, realm
This topic has 4 replies, 2 voices, and was last updated 4 years, 5 months ago by cedric.
January 12, 2018 at 11:48 am #20517
cedric
Participant
I understand that adding a realm parameter to the login page URL allows authenticating against that specific realm. E.g. http://openam.example.com:8080/openam/UI/Login?realm=hr
The problem is that for my application, I am modelling each tenant as a realm. Each realm would contain its own DataStore configured to a different LDAP Organization DN using the same embedded OpenDJ provided. Since all tenants' users are logging in using the same login form, I am unable to determine beforehand what realm I should be authenticating against.
Is there any way to solve this particular situation?
January 12, 2018 at 12:14 pm #20518
Andy Cory
Participant
Hi Cedric
How do your users reach the login page? A common use-case is that a user tries to access a resource that is protected by an AM agent and is redirected to the login page. The URL (including the realm param) to the login page is specified in the configuration for the agent. Are your tenants part of the same organisation, or entirely unrelated? If the former, then some sort of launch page with links to the same login page but with different params is a possibility.
By the way, using the embedded OpenDJ for a user store is not recommended for anything other than a simple dev environment or PoC.
-Andy
January 12, 2018 at 5:32 pm #20520
cedric
Participant
Hi Andy,
In my case tenants are not part of the same organization. I have thought of a similar idea to allow users to confirm their realm before redirecting to the login page with the correct realm param.
I am wondering if this is the only way to do it or if there is a better approach.
January 15, 2018 at 5:37 pm #20542
Andy Cory
Participant
Hi Cedric
If tenants are from different organisations, each organisation would be given its own login URL, which would contain the realm param. (Or an alternative method of differentiating between realms, such as mapping a DNS alias to a realm.) Either way, each organisation would identify itself by the URL used to reach the login page. This seems like quite a simple use-case, so I could be missing what difficulty you are facing.
-Andy
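The two options discussed above (a per-organisation login URL carrying the realm param, or a DNS alias mapped to a realm), sketched as an application-side launch redirect. This is an added example, not code from the thread or from OpenAM; the alias host names, the `acme` realm, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit

# Login URL and the "hr" realm are from the thread; the alias hosts and the
# "acme" realm are constructed sample values.
AM_LOGIN = "http://openam.example.com:8080/openam/UI/Login"
SHARED_HOST = "openam.example.com"
HOST_TO_REALM = {
    "hr.login.example.com": "hr",
    "acme.login.example.com": "acme",
}
ALLOWED_REALMS = set(HOST_TO_REALM.values())


def normalise_host(host_header):
    """Return the bare lower-case host name, or None if it does not parse."""
    try:
        host = urlsplit("//" + host_header.strip()).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def realm_for_request(host_header, realm_param=None):
    """Pick the realm from the DNS alias, else from an allowlisted parameter."""
    host = normalise_host(host_header)
    mapped = HOST_TO_REALM.get(host)
    if mapped is not None:
        # A tenant's alias never serves a different tenant's realm.
        return mapped if realm_param in (None, mapped) else None
    if host == SHARED_HOST and realm_param in ALLOWED_REALMS:
        return realm_param
    return None


def login_url(host_header, realm_param=None):
    """Build the login URL for a trusted realm, or None to show an error page."""
    realm = realm_for_request(host_header, realm_param)
    if realm is None:
        return None
    return AM_LOGIN + "?" + urlencode({"realm": realm})
```

The realm value placed in the redirect always comes from the allowlist, never verbatim from the request, so extra query parameters cannot be smuggled in through the realm field.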
January 17, 2018 at 7:46 am #20576
cedric
Participant
Hi Andy,
Thanks for the suggestion. Guess I was constraining myself to the scenario where all users will see the same default login URL initially.