How to configure cookie name for Openam that is behind Load Balancer

This topic contains 1 reply, has 2 voices, and was last updated by william.hepler 6 months, 2 weeks ago.

    #24549
    DhilipSwaminathan
    Participant

    Hi,

    I have configured OpenAM 13, which is going to be behind an AWS load balancer. After a successful configuration, I am getting the error “User name/password combination is invalid.” when I try to log in.

    This is my Loadbalancer url : http://openamloadbalancer-1083614139.us-west-2.elb.amazonaws.com/openam

    This is openam url : http://openam.xyz.com

    cookie domain: openam.xyz.com

    Is the issue due to the cookie domain not being configured to match the load balancer URL? Or

    the load balancer URL domain having more than 3 dots?

    Any help would be much appreciated.

    Thanks,
    Dhilip

    #24695
    william.hepler
    Participant

    I think you're close; you're failing due to your cookie domain not being CDSSO (Cross Domain SSO).

    https://backstage.forgerock.com/docs/openam/13.5/admin-guide/index.html#chap-cdsso
    You would need to support the domain elb.amazonaws.com/ or you need to set up a DNS alias to your LB that is a hostname in the .xyz.com domain. You would still want a .xyz.com cookie as well. What you currently have is a host-based cookie if you only have cookie domain: openam.xyz.com

    That means the cookie is only valid for openam.xyz.com. You could add .xyz.com to your cookie domain list and set up an alias for openamloadbalancer-1083614139.us-west-2.elb.amazonaws.com to elbamazon.xyz.com, and that would be the most true-to-configuration case, since you wouldn't likely send end users to a .amazonaws.com address.

    The dirty way would be to add .amazonaws.com.

    Cookie domains are further defined here:
    https://backstage.forgerock.com/docs/openam/13.5/reference/index.html#chap-config-ref
    Cookie Domains
    Set the list of domains into which OpenAM writes cookies.

    If you set multiple cookie domains, OpenAM still only sets the cookie in the domain the client uses to access OpenAM. If this property is left blank, then the fully qualified domain name of the server is used to set the cookie domain, meaning that a host cookie rather than a domain cookie is set.

    Note that the HTTP response may contain multiple Set-Cookie headers for each cookie domain in the domain list. Generally, web browsers will ignore Set-Cookie headers for unknown domains.

    You can also configure cross domain single sign on (CDSSO) to allow single sign on across multiple domains managed by your organization. For details, see Chapter 11, “Configuring Cross-Domain Single Sign-On” in the Administration Guide.

    ssoadm attribute: iplanet-am-platform-cookie-domains
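The following is an added example, not code from the thread, from ForgeRock or from OpenAM: a small model of the RFC 6265 domain-matching rules a browser applies to the Set-Cookie headers the quoted documentation describes, run over the three set-ups discussed in the reply. The hostnames are the ones in the thread; elbamazon.xyz.com is the hypothetical DNS alias the reply proposes. The public-suffix check that browsers additionally apply is deliberately left out of the model.

```python
# Added example (not from the thread or from OpenAM): how a browser scopes the
# OpenAM session cookie under RFC 6265 for the three set-ups discussed above.
# The public-suffix check browsers also apply is left out of this model.

def _norm(host: str) -> str:
    """Lower-case and drop any trailing dot, as browsers canonicalise hosts."""
    return host.lower().strip().rstrip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or is a sub-domain of it.
    A leading dot in the configured domain (OpenAM style) is ignored, as browsers do."""
    h = _norm(request_host)
    d = _norm(cookie_domain).lstrip(".")
    return h == d or h.endswith("." + d)


def accepted_cookie_domains(request_host: str, configured_domains: list) -> list:
    """Per the quoted documentation OpenAM may emit one Set-Cookie per configured
    domain; the browser keeps only those whose Domain covers the host it actually
    talked to (RFC 6265 section 5.3, step 6). An empty configured list means a
    host-only cookie, represented here as [None]."""
    if not configured_domains:
        return [None]
    return [d for d in configured_domains if domain_matches(request_host, d)]


def cookie_sent_to(target_host: str, stored_domain, origin_host: str) -> bool:
    """Would a stored cookie be attached to a later request to target_host?
    stored_domain None = host-only cookie, valid only for the exact host that set it."""
    if stored_domain is None:
        return _norm(target_host) == _norm(origin_host)
    return domain_matches(target_host, stored_domain)


# Hostnames from the thread; ALIAS_HOST is the hypothetical alias from the reply.
LB_HOST = "openamloadbalancer-1083614139.us-west-2.elb.amazonaws.com"
ALIAS_HOST = "elbamazon.xyz.com"
OPENAM_HOST = "openam.xyz.com"


def scenarios() -> dict:
    """The three set-ups from the thread, mapped to the Domain values a browser keeps."""
    return {
        # 1. As posted: cookie domain openam.xyz.com, users arrive via the ELB name.
        "as_posted": accepted_cookie_domains(LB_HOST, ["openam.xyz.com"]),
        # 2. The "dirty way": add the AWS domain to the cookie domain list.
        "aws_domain_added": accepted_cookie_domains(LB_HOST, [".xyz.com", ".amazonaws.com"]),
        # 3. The recommended way: alias inside xyz.com plus a .xyz.com cookie domain.
        "alias_in_xyz": accepted_cookie_domains(ALIAS_HOST, [".xyz.com"]),
    }


if __name__ == "__main__":
    for name, kept in scenarios().items():
        print(f"{name}: browser keeps Domain={kept or 'nothing (session cookie dropped)'}")
    # With the alias, the same .xyz.com cookie also reaches the direct OpenAM host.
    print("alias cookie reaches openam.xyz.com:", cookie_sent_to(OPENAM_HOST, ".xyz.com", ALIAS_HOST))
    # The broad .amazonaws.com domain would be sent to any host under amazonaws.com.
    print("aws cookie reaches other amazonaws host:", cookie_sent_to("other.amazonaws.com", ".amazonaws.com", LB_HOST))
```

In the first scenario no configured domain covers the ELB hostname, so the browser discards every Set-Cookie and the session is never established on the next request. The second scenario works in the model, but the resulting cookie is scoped to every host under amazonaws.com, which is why the reply calls it the dirty way; real browsers also refuse a Domain attribute that is on the Public Suffix List, so check that list for the ELB name before relying on it. The third scenario keeps the session cookie inside the xyz.com domain the organisation controls, and the same cookie is sent to both elbamazon.xyz.com and openam.xyz.com.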
