January 23, 2019 at 1:18 pm #24549, DhilipSwaminathan (Participant)
I have configured OpenAM 13, which is going to be behind an AWS load balancer. After a successful configuration, I am getting the error “User name/password combination is invalid.” when I try to log in.
This is my load balancer URL: http://openamloadbalancer-1083614139.us-west-2.elb.amazonaws.com/openam
This is the OpenAM URL: http://openam.xyz.com
Cookie domain: openam.xyz.com
Is the issue due to the cookie domain not being configured to match the load balancer URL? Or
due to the load balancer URL's domain having more than three dots?
Any help would be much appreciated.
Dhilip

February 5, 2019 at 10:00 pm #24695, william.hepler (Participant)
I think you're close: you're failing because your cookie domain is not CDSSO (Cross Domain SSO).
You would need to support the domain elb.amazonaws.com, or you need to set up a DNS alias to your LB that is a hostname in the .xyz.com domain. You would still want a .xyz.com cookie as well. What you currently have is a host-based cookie if you only have cookie domain: openam.xyz.com.
That means the cookie is only valid for openam.xyz.com. You could add .xyz.com to your cookie domain list and set up an alias for openamloadbalancer-1083614139.us-west-2.elb.amazonaws.com to elbamazon.xyz.com; that would be the configuration most true to form, since you wouldn't likely send end users to a .amazonaws.com address.
The dirty way would be to add .amazonaws.com.
Cookie domains are further defined here:
Set the list of domains into which OpenAM writes cookies.
If you set multiple cookie domains, OpenAM still only sets the cookie in the domain the client uses to access OpenAM. If this property is left blank, then the fully qualified domain name of the server is used to set the cookie domain, meaning that a host cookie rather than a domain cookie is set.
Note that the HTTP response may contain multiple Set-Cookie headers for each cookie domain in the domain list. Generally, web browsers will ignore Set-Cookie headers for unknown domains.
You can also configure cross domain single sign on (CDSSO) to allow single sign on across multiple domains managed by your organization. For details, see Chapter 11, “Configuring Cross-Domain Single Sign-On” in the Administration Guide.
ssoadm attribute: iplanet-am-platform-cookie-domains
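To see why the three options in the reply above behave differently, here is an added example (not code from the thread and not OpenAM's own logic) that models the browser side of the problem: whether a session cookie set by the login response on one hostname is accepted at all, and whether it is later sent to another hostname. Domain matching follows RFC 6265 section 5.1.3, and the "same registrable domain" rule mirrors the check Chromium and Firefox apply to reject a Domain attribute that would span a public suffix. The public-suffix rules in the block are a constructed stand-in for the full Public Suffix List (the real list does carry a wildcard rule for *.elb.amazonaws.com); the hostname elbamazon.xyz.com is the alias the reply proposes, and the scenario names are mine.

```python
"""Added example: browser acceptance and replay of an OpenAM session cookie
for the hostnames in this thread.  Not part of OpenAM; assumptions are
marked below."""

# Constructed stand-in for the Public Suffix List.  The real list contains the
# wildcard rule "*.elb.amazonaws.com", so every ELB hostname is its own
# registrable domain; "com" is the only other rule this example needs.
PUBLIC_SUFFIX_RULES = ("com", "*.elb.amazonaws.com")

# Hostnames from the thread; the alias is the one the reply suggests creating.
ELB_HOST = "openamloadbalancer-1083614139.us-west-2.elb.amazonaws.com"
OPENAM_HOST = "openam.xyz.com"
ALIAS_HOST = "elbamazon.xyz.com"


def _labels(host):
    return host.lower().strip(".").split(".")


def public_suffix(host):
    """Longest matching rule; the implicit rule '*' makes the last label public."""
    labels = _labels(host)
    best = 1
    for rule in PUBLIC_SUFFIX_RULES:
        parts = rule.split(".")
        if len(parts) > len(labels):
            continue
        tail = labels[-len(parts):]
        if all(p == "*" or p == t for p, t in zip(parts, tail)):
            best = max(best, len(parts))
    return ".".join(labels[-best:])


def registrable_domain(host):
    """Public suffix plus one label (eTLD+1); None if host is itself a suffix."""
    labels = _labels(host)
    n = len(public_suffix(host).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def domain_matches(request_host, cookie_domain):
    """RFC 6265 5.1.3 (simplified: IP-literal hosts are not special-cased)."""
    h = request_host.lower().rstrip(".")
    d = cookie_domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def browser_accepts(request_host, domain_attr):
    """RFC 6265 5.3 for a Set-Cookie in a response from request_host.
    Returns (accepted, effective_domain, host_only)."""
    host = request_host.lower().rstrip(".")
    if not domain_attr:                   # no Domain attribute: host-only cookie
        return True, host, True
    dom = domain_attr.lower().strip(".")  # browsers ignore a leading dot
    if dom == host:                       # exact match is treated as host-only
        return True, host, True
    if not domain_matches(host, dom):     # step 6: request host must domain-match
        return False, None, None
    if registrable_domain(dom) is None or registrable_domain(dom) != registrable_domain(host):
        return False, None, None          # would span a public suffix: dropped
    return True, dom, False


def cookie_sent_to(request_host, effective_domain, host_only):
    """RFC 6265 5.4: host-only cookies go to that exact host, domain cookies to
    every host that domain-matches."""
    h = request_host.lower().rstrip(".")
    return h == effective_domain if host_only else domain_matches(h, effective_domain)


def session_cookie_reaches(login_host, domain_attr, later_host):
    """Is a cookie set by the login response at login_host (Domain attribute as
    given, '' for none) presented on a later request to later_host?"""
    accepted, dom, host_only = browser_accepts(login_host, domain_attr)
    return accepted and cookie_sent_to(later_host, dom, host_only)


def thread_scenarios():
    """The configurations discussed in the thread (scenario names are mine)."""
    return {
        "Domain=openam.xyz.com set on a response from the ELB host":
            session_cookie_reaches(ELB_HOST, "openam.xyz.com", ELB_HOST),
        "dirty way: Domain=.amazonaws.com set via the ELB host":
            session_cookie_reaches(ELB_HOST, ".amazonaws.com", ELB_HOST),
        "alias elbamazon.xyz.com with Domain=.xyz.com, then openam.xyz.com":
            session_cookie_reaches(ALIAS_HOST, ".xyz.com", OPENAM_HOST),
        "host cookie set on openam.xyz.com, then the alias":
            session_cookie_reaches(OPENAM_HOST, "", ALIAS_HOST),
    }


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{'works' if ok else 'FAILS':5}  {name}")
```

Only the alias plus .xyz.com entry in the cookie domain list (the iplanet-am-platform-cookie-domains attribute quoted above) survives the browser's checks: a Domain of openam.xyz.com on a response from the ELB hostname is dropped because the request host does not domain-match it, and a Domain of .amazonaws.com is dropped because the ELB hostname sits under a public-suffix wildcard, so the two registrable domains differ. A host cookie on openam.xyz.com is accepted but never leaves that hostname, which is the symptom reported in the first post.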