Different load balancer FQDNs for OpenAM acting as IDP proxy?

This topic has 1 reply, 2 voices, and was last updated 7 months, 3 weeks ago by William Hepler.

  • #27317
     jwillis
    Participant

    Hi all,

    I’m not a FR expert, so I apologize in advance if my questions below don’t make sense.

    We’re using FR OpenAM as an IDP proxy.

    We have a load balancer end point setup in front of our two FR servers, and up until a couple of weeks ago, all of our traffic was internal. Our consumer applications call/redirect traffic to the load balancer end point FQDN; let’s call it myFrLbInternal.abc.com. So, if I try to login fresh to consumer application A, application A won’t see a FR generated SAML token in my session and will redirect me to a URI under myFrLbInternal.abc.com to go authenticate (who will then redirect me to go talk to AD and so on).

    Now we have a need for traffic to come in externally on another load balancer end point that will have a completely different FQDN; let’s call it myFrLbExternal.xyz.com. The traffic goes through the normal path of a DMZ and a reverse proxy before it gets to our load balancer, which forwards the traffic to the same set of FR OpenAM servers used internally. A different directory source (not AD) will be used for this path. So, for folks logging into external consumer application B, I need that traffic to be redirected to myFrLbExternal.xyz.com.

    The redirects issued from the consumer application are working fine; the issue seems to be when I get to the actual FR servers, they expect to see traffic coming in on myFrLbInternal.abc.com (I’m guessing by looking at the HTTP Host header). It’s not working when the traffic is coming in on myFrLbExternal.xyz.com; I’m getting redirected to one of the FR servers itself, which obviously is not resolvable to the outside world.

    We’ll probably end up setting up completely new FR servers to handle external traffic, which may be the better design anyway, but wanted to ask if anyone knew why the above would not work.

    Thanks,
    Joe

    #27512
     William Hepler
    Participant

    You could look at trying either Site configuration or Base URL Source Service.
    https://backstage.forgerock.com/docs/am/6.5/oidc1-guide/#configure-base-url-source

    Both of these allow AM to accept requests from different hostnames and correctly respond when there is a mismatch between internal and external hostnames.
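Whichever option is chosen, it helps to verify the fix the same way the symptom was found: capture AM's redirect responses at each load balancer and check that the Location header sends the client back through the FQDN it arrived on, not to a backend server. The script below is an added example, not code from the thread or from ForgeRock; the two LB names come from the question, while the backend hostname and the sample responses are constructed.

```python
"""Audit OpenAM/AM redirects captured behind two load-balancer FQDNs.

Added example: classifies each (Host header, status, Location) triple as
"ok", "cross-lb" (sent to the other LB), "backend-leak" (an unresolvable
backend server hostname, the symptom in the thread) or "no-redirect".
"""
from urllib.parse import urlsplit

# Public LB FQDNs taken from the question (placeholders, not real hosts).
PUBLIC_HOSTS = {"myfrlbinternal.abc.com", "myfrlbexternal.xyz.com"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def audit_redirect(request_host, status, location):
    """Return a verdict for one response seen at the load balancer.

    request_host: Host header the client sent (the LB FQDN it used).
    status: HTTP status code; location: Location header or None.
    """
    if status not in REDIRECT_STATUSES or not location:
        return "no-redirect"
    target = urlsplit(location).hostname
    if target is None:            # relative Location: stays on the same host
        return "ok"
    target = target.lower()
    if target == request_host.lower():
        return "ok"               # client is sent back through its own LB
    if target in PUBLIC_HOSTS:
        return "cross-lb"         # e.g. external client sent to the internal LB
    return "backend-leak"         # AM answered with a backend server name


def audit_all(samples):
    """Run audit_redirect over (host, status, location) triples."""
    return [(host, audit_redirect(host, status, loc)) for host, status, loc in samples]


# Constructed sample responses modelled on the behaviour described above.
SAMPLES = [
    ("myFrLbInternal.abc.com", 302, "https://myFrLbInternal.abc.com/openam/UI/Login?goto=%2Fapp"),
    ("myFrLbExternal.xyz.com", 302, "https://myFrLbExternal.xyz.com/openam/saml2/jsp/idpSSOInit.jsp"),
    ("myFrLbExternal.xyz.com", 302, "https://fr-server-01.corp.example/openam/UI/Login"),
    ("myFrLbExternal.xyz.com", 302, "https://myFrLbInternal.abc.com/openam/UI/Login"),
    ("myFrLbExternal.xyz.com", 302, "/openam/XUI/#login/"),
    ("myFrLbExternal.xyz.com", 200, None),
]

if __name__ == "__main__":
    for host, verdict in audit_all(SAMPLES):
        print(f"{host:26} {verdict}")
```

Any "backend-leak" verdict on the external LB means the Base URL Source Service (or Site) configuration still lets AM build absolute URLs from the backend's own hostname.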
