How to configure cookie name for Openam that is behind Load Balancer

This topic contains 1 reply, has 2 voices, and was last updated by  william.hepler 6 months, 2 weeks ago.



    I have configured OpenAM 13 that is going to be behind an AWS load balancer. After a successful configuration, I am getting the error “User name/password combination is invalid.” when I try to log in.

    This is my load balancer URL:

    This is the OpenAM URL:

    cookie domain:

    Is the issue due to the cookie domain not being configured to match the load balancer URL, or

    to the load balancer URL domain having more than 3 dots?

    Any help would be much appreciated.



    I think you're close. Due to your cookie domain not being CDSSO (Cross Domain SSO), you're failing.
    You would need to support the domain or you need to set up a DNS alias to your LB that is a hostname in the domain. You would still want a cookie as well. What you currently have is a host-based cookie if you only have cookie domain:

    That means the cookie is only valid for, you could add to your cookie domain list and set up an alias for to and that would be the most true to configuration case. Since you wouldn’t likely send end users to a address.

    The dirty way would be to add

    Cookie domains are further defined here:
    Cookie Domains
    Set the list of domains into which OpenAM writes cookies.

    If you set multiple cookie domains, OpenAM still only sets the cookie in the domain the client uses to access OpenAM. If this property is left blank, then the fully qualified domain name of the server is used to set the cookie domain, meaning that a host cookie rather than a domain cookie is set.

    Note that the HTTP response may contain multiple Set-Cookie headers for each cookie domain in the domain list. Generally, web browsers will ignore Set-Cookie headers for unknown domains.

    You can also configure cross domain single sign on (CDSSO) to allow single sign on across multiple domains managed by your organization. For details, see Chapter 11, “Configuring Cross-Domain Single Sign-On” in the Administration Guide.

    ssoadm attribute: iplanet-am-platform-cookie-domains
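Added example, not part of the original posts and not ForgeRock code: a check of which entries in a cookie domain list a browser would accept when users reach OpenAM through the load balancer hostname, using the RFC 6265 domain-match rule. The hostnames are constructed placeholders, and the blank-list case is modelled on the assumption (taken from the documentation quoted above) that the cookie is then scoped to the server's own FQDN; the public suffix list that browsers also apply is not consulted.

```python
import ipaddress


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")  # a leading dot is ignored
    if not domain:
        return False
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP address only matches exactly, never by suffix
    except ValueError:
        pass
    # Require a label boundary so "badexample.com" does not match "example.com".
    return host.endswith("." + domain)


def accepted_domains(request_host: str, configured: list[str]) -> list[str]:
    """Configured cookie domains a browser would accept for this request host."""
    return [d for d in configured if domain_match(request_host, d)]


def diagnose(request_host: str, server_fqdn: str, configured: list[str]) -> str:
    """Classify a cookie domain configuration for the host users actually browse to."""
    if not configured:
        # Blank property (assumption from the quoted docs): host cookie for
        # the server FQDN, usable only if that is the host the client used.
        same = request_host.lower().rstrip(".") == server_fqdn.lower().rstrip(".")
        return "host-cookie-ok" if same else "host-cookie-mismatch"
    return "domain-cookie-ok" if accepted_domains(request_host, configured) else "no-matching-domain"


if __name__ == "__main__":
    lb_host = "sso.example.com"             # constructed: DNS alias pointing at the LB
    server = "openam1.corp.example.net"     # constructed: FQDN OpenAM was installed with
    for domains in ([], [".corp.example.net"], [".corp.example.net", ".example.com"]):
        print(domains, "->", diagnose(lb_host, server, domains))
```

A result of `host-cookie-mismatch` or `no-matching-domain` means the browser never sends the session cookie back through the load balancer hostname, so the login cannot complete for clients using that hostname.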


©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
