October 20, 2015 at 3:04 am #5901arunpatnaikParticipant
I am trying to evaluate if OpemAM would be a good fit for implementing an authentication service with the following requirements:
A) multiple tenants (isolation with each tenant having their own realm)
B) user name is/needs to be unique across realms
C) same client attempts to authenticate users across realms
I see that A is possible. Not sure about B. And I could not understand for C to work how it needs to indicate the realm against which the authentication should happen.
Has anyone done something like this using OpenAM? Appreciate any pointers/suggestions.
ArunOctober 23, 2015 at 10:40 am #5937Andrew PotterParticipant
Each realm can have its own store of user credentials, or every realm can use the same store…or any combination in between. So if every realm used the same credential store then you would have uniqueness across the entire deployment. Or uniqueness in each realm if you went for a store per realm.
The uniqueness is enforced by the underlying store e.g. OpenDJ/ LDAP directory rather than OpenAM.
For C you can append the realm as a parameter to the login url. You can also configure a domain name to map to a specific realm. The docs describe this.October 23, 2015 at 6:56 pm #5950Peter MajorModerator
For C) it’s important to know that OpenAM normally only allows a user to be logged in against a single realm. If you want to be able to be authenticated against more than one realm in OpenAM, then you will need to use different cookie domains to achieve that.October 23, 2015 at 7:15 pm #5952arunpatnaikParticipant
Thanks, that helps.October 6, 2016 at 11:26 am #13504FrotonisParticipant
@peter-major can you please let me know how can i set different cookie creation per realm? As know OpenAM will create cookie for each cookie domain i set in configuration. Is there possibility to create cookie just for given realm?
I have realm A and i am Authenticated in. I have created cookie for .domain.tt
I wanna be authenticated to realm B, but i was attempted to logout from realm A (because i am logged in the different organization).
But my goal is to have token for .domain.tt which can be validated againts realm A and some other token (it doesnt matter if it will be token with same name but for different cookie domain .mali.domain.tt or cookie with different name => this solution is better for me) will be related to realm B.
It is possible or i have to have another instance of OpenAm to create two different cookies one per realm?
Thanks for answerOctober 8, 2016 at 8:00 pm #13563Peter MajorModerator
Cookie domain is a global setting, can not be set on a per realm basis. You could try to use the com.sun.identity.authentication.setCookieToAllDomains=false advanced server property to only set cookies for matching cookie domains.
Cookie name is a global setting as well.
You really should be using different cookie domains for the different realms as long as you want to be authenticated in both realms at the same time.
October 10, 2016 at 7:37 am #13569FrotonisParticipant
- This reply was modified 2 years, 8 months ago by Peter Major.
Thanks for response Peter. I thought so but I was not sure.December 14, 2018 at 6:07 pm #24268SireeshaParticipant
You mentioned that Cookie domain is a global setting and cannot be set per realm basis. In that case, How can I use different cookie domains for different realms and let user authenticated into both realms at same time?
We do have a similar scenario like original question, where a user authenticated to an application A configured under Realm A and need to do SingleSignOn into an application B configured under Realm B (The userstore for both Realm A and Realm B are same, but we have different chains for both realms hence we cannot put app A and B under same realm) How can we achieve SSO between Realm A and Realm B?April 10, 2019 at 5:31 pm #25507Andy CoryParticipant
Cookie domain is a global setting, not per realm, but you can set multiple cookie domains in that global list. And then each realm can have its own DNS alias. E.g., you have Realm A mapped to a.domain.com and Realm B mapped to b.domain.com, and both a.domain.com and b.domain.com are set as cookie domains, meaning OpenAM will (try to) create a cookie for both those domains. However, if you’ve authenticated to Realm A on a.domain.com, only the a.domain.com cookie should be seen by the browser, and only that cookie would be sent by the browser back to OpenAM. Therefore, because of browser behaviour (governed by cookie spec), you effectively have one valid cookie per realm.
In answer to your second paragraph, I don’t believe you can achieve that – if you login to Realm A your session isn’t valid in Realm B despite the same userstore being configured for both. I have a similar issue with one pool of users, but different groups of users require different configuration for OpenAM’s user self service processes, which are realm-specific. I’m struggling to achieve that one.
You must be logged in to reply to this topic.