CDSSO – realms with multiple DNS aliases


This topic has 7 replies, 4 voices, and was last updated 1 week, 1 day ago by Andy Cory.

  • #28006
     letroncoso
    Participant

    Hi all,
    my test environment is AM 5.5.1, for now.

    In a realm, I have multiple DNS aliases configured, for example idensaml.domain1.com and idensaml.domain2.com, with the corresponding Cookie Domains (Configure > Global Services > Platform).
    To simplify the tests we are entering the profile through each DNS name:
    http://idensaml.domain1.com:8780/openam
    http://idensaml.domain2.com:8780/openam

    My problem is that, since they do not share a cookie, each of them asks me for authentication, which is correct; according to the documentation, to solve it I should use a web/Java agent.

    I admit it: I tried to install the Java agent for Tomcat in the AM container, and this did not work. Would this approach be correct? Is there any documentation on how to install a Java agent in the AM container? Or is there another way to do it?

    Thanks in advance

    #28007
     Jatinder Singh
    Participant

    A Java Agent is configured within AM but installed in the application you want to protect. We typically use a Java Agent when the application is a Java web application. If your application is not Java based, you may want to look into using a Web Agent or IG. Now, since you are attempting to install a Java Agent, I would suggest following the Java Agent > User Guide, as it is very detailed. And don’t forget to also update your web.xml descriptor, as otherwise your agent filter will not get invoked.

    #28014
     letroncoso
    Participant

    Thanks for your reply.
    Most of the documentation covers putting the agent on an external web server, not on the web server where AM runs.
    So my question is whether it is feasible to put a Java agent on the AM Tomcat, so that there is CDSSO between both DNS aliases.
    Once I install the Java agent, I lose access to AM. I found a KB article, https://backstage.forgerock.com/knowledge/kb/article/a54838100,
    which we are verifying.

    #28015
     Jatinder Singh
    Participant

    You cannot put a Java Agent and AM within the same container. An agent is basically an enforcer of the policies and decisions made by AM; as such, it is placed on the side of the application one wants to protect. If you want to implement CDSSO between AM and the application you want to protect, placing the Java Agent on the same machine as AM won’t help. CDSSO is essentially achieved using the OAuth2 authorization process by the agent. So as you can see – the location of the agent doesn’t matter as long as there is connectivity between AM and the Agent.

    Hope this helps!

    #28019
     Scott Heger
    Participant

    An agent may help, depending on what domain the app it is protecting is using and which AM domain it is using in its agent profile. Before going any further, let me ask this: why do you have two different domains for AM? Typically DNS aliases are used with the same domain but different hostnames. For example:

    http://idensaml1.domain.com:8780/openam
    http://idensaml2.domain.com:8780/openam

    But you may have a valid reason to use different domains. If you can explain that it may help us provide you a solution. Also, what domain or domains are your applications in?

    Oh, and as a best practice, deploy AM as something other than /openam. :)
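The cookie-scoping point behind the original question and behind Scott's suggestion of aliases under one parent domain, as an added illustration that is not code from this thread or from ForgeRock. It uses only the Python standard library's cookie jar, which applies the same Domain-attribute matching rule a browser applies when deciding whether to send a cookie. Assumptions: the host names are the ones from the thread; the cookie name is AM's default session cookie name (iPlanetDirectoryPro) and its value is a constructed placeholder; `shared_cookie_domain` treats any single-label suffix as unsettable, a simplification of the Public Suffix List real browsers consult.

```python
"""Added example for the AM DNS-alias / cookie-domain discussion (not ForgeRock code).

Shows why a session cookie set for .domain1.com never reaches idensaml.domain2.com,
while aliases idensaml1.domain.com and idensaml2.domain.com can share one cookie
scoped to .domain.com (which is what the realm's Cookie Domain must then be).
"""
import http.cookiejar
import urllib.request

# AM's default session cookie name (configurable under Platform settings). Assumed.
SESSION_COOKIE = "iPlanetDirectoryPro"
# Constructed placeholder; a real AM session ID looks different and is secret.
FAKE_SESSION_ID = "AQIC5w-constructed-session-id"


def make_cookie(name, value, domain):
    """Build a stdlib Cookie the way a browser stores 'Set-Cookie: name=value; Domain=<domain>; Path=/'."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def session_cookie_sent_to(jar, url):
    """Return the session cookie value the jar would attach to a request for url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the browser-style domain/path matching rules
    header = req.get_header("Cookie")
    if not header:
        return None
    for part in header.split("; "):
        name, _, value = part.partition("=")
        if name == SESSION_COOKIE:
            return value
    return None


def sso_shared(cookie_domain, login_url, second_url):
    """Simulate logging in at login_url (AM scopes the session cookie to cookie_domain),
    then report whether a request to second_url would carry that session."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie(SESSION_COOKIE, FAKE_SESSION_ID, cookie_domain))
    if session_cookie_sent_to(jar, login_url) is None:
        raise ValueError(f"cookie domain {cookie_domain!r} does not even cover {login_url}")
    return session_cookie_sent_to(jar, second_url) is not None


def shared_cookie_domain(hosts):
    """Narrowest Domain attribute covering every host, or None when the only common
    suffix is a bare top-level label. Simplification: real browsers reject any public
    suffix (e.g. .co.uk) via the Public Suffix List, not just single labels."""
    reversed_labels = [list(reversed(h.lower().split("."))) for h in hosts]
    common = []
    for labels in zip(*reversed_labels):
        if len(set(labels)) != 1:
            break
        common.append(labels[0])
    if len(common) < 2:
        return None
    return "." + ".".join(reversed(common))


if __name__ == "__main__":
    different_domains = ["idensaml.domain1.com", "idensaml.domain2.com"]
    same_domain = ["idensaml1.domain.com", "idensaml2.domain.com"]
    print("shared domain for", different_domains, "->", shared_cookie_domain(different_domains))
    print("shared domain for", same_domain, "->", shared_cookie_domain(same_domain))
    print("SSO across .domain1.com/.domain2.com:",
          sso_shared(".domain1.com", "http://idensaml.domain1.com:8780/openam",
                     "http://idensaml.domain2.com:8780/openam"))
    print("SSO across aliases under .domain.com:",
          sso_shared(".domain.com", "http://idensaml1.domain.com:8780/openam",
                     "http://idensaml2.domain.com:8780/openam"))
```

The third case worth checking is a cookie scoped to a single host (Domain left as the alias itself): even two aliases under the same parent domain will then not share it, so the realm's Cookie Domain must be the parent (.domain.com), not either alias. When there is no settable common parent, as with domain1.com and domain2.com, no cookie configuration can bridge the gap; that is the situation CDSSO with an agent on the protected application is designed for, since the agent obtains the session via a redirect through AM instead of relying on a shared cookie.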

    #28029
     Andy Cory
    Participant

    “So my question is whether it is feasible to put a Java agent on the AM Tomcat”

    No, it is not. I think you are misunderstanding something fundamental: installing an agent in the same container is not a solution to any scenario I can imagine, even if it were possible to somehow get it running. Can you share more detail about your use case?

    #28030
     letroncoso
    Participant

    The scenario is basically a company that has multiple products.
    Two of the products use the same realm and are accessed through two different domains, which is why the DNS aliases for the realm were configured. Now they want to have SSO between them; since they have two domains, they do not have a cookie in common, so this would not be viable, which is why, from the documentation, it seemed that agents would be the recommended approach.
    So the question is how to have SSO between two DNS aliases of a realm.

    #28039
     Andy Cory
    Participant

    What are your protected resources? And what is it that protects them? I understand that you have AM configured to authenticate users in a realm, and that they can authenticate in that realm using either of two DNS aliases. Using either alias they should get a session on AM and a cookie containing the session ID, scoped to whichever domain they came in on. What I don’t get is what they use that cookie for. I would expect them to access a resource that requires authentication – commonly, this resource would be running on a web server or HTTP server somewhere, which would have an agent deployed to it. The agent would require the cookie. It sounds like you don’t have any agent in this scenario yet. So what is it that the user authenticates to actually do?
