SSO with multiple tenants using multiple realms

This topic has 8 replies, 6 voices, and was last updated 3 years, 2 months ago by Andy Cory.


    I am trying to evaluate if OpenAM would be a good fit for implementing an authentication service with the following requirements:

    A) multiple tenants (isolation with each tenant having their own realm)
    B) user name is/needs to be unique across realms
    C) same client attempts to authenticate users across realms

    I see that A is possible. Not sure about B. And I could not understand for C to work how it needs to indicate the realm against which the authentication should happen.

    Has anyone done something like this using OpenAM? Appreciate any pointers/suggestions.


     Andrew Potter

    Each realm can have its own store of user credentials, or every realm can use the same store…or any combination in between. So if every realm used the same credential store then you would have uniqueness across the entire deployment. Or uniqueness in each realm if you went for a store per realm.
    The uniqueness is enforced by the underlying store e.g. OpenDJ/ LDAP directory rather than OpenAM.

    For C you can append the realm as a parameter to the login url. You can also configure a domain name to map to a specific realm. The docs describe this.

     Peter Major

    For C) it’s important to know that OpenAM normally only allows a user to be logged in against a single realm. If you want to be able to be authenticated against more than one realm in OpenAM, then you will need to use different cookie domains to achieve that.


    Thanks, that helps.


    @peter-major can you please let me know how I can set different cookie creation per realm? As I know, OpenAM will create a cookie for each cookie domain I set in the configuration. Is there a possibility to create a cookie just for a given realm?

    For example:

    I have realm A and I am authenticated in it. I have created a cookie for
    I want to be authenticated to realm B, but it attempted to log me out from realm A (because I am logged in to a different organization).

    But my goal is to have a token which can be validated against realm A, and some other token (it doesn't matter if it is a token with the same name but for a different cookie domain, or a cookie with a different name => this solution is better for me) that will be related to realm B.

    Is it possible, or do I have to have another instance of OpenAM to create two different cookies, one per realm?

    Thanks for answer

     Peter Major

    Cookie domain is a global setting, it cannot be set on a per-realm basis. You could try to use the com.sun.identity.authentication.setCookieToAllDomains=false advanced server property to only set cookies for matching cookie domains.

    Cookie name is a global setting as well.

    You really should be using different cookie domains for the different realms as long as you want to be authenticated in both realms at the same time.

    • This reply was modified 5 years, 9 months ago by Peter Major.

    Thanks for response Peter. I thought so but I was not sure.


    Hello Peter

    You mentioned that cookie domain is a global setting and cannot be set on a per-realm basis. In that case, how can I use different cookie domains for different realms and let a user be authenticated into both realms at the same time?

    We have a similar scenario to the original question, where a user authenticated to an application A configured under Realm A needs to do Single Sign-On into an application B configured under Realm B (the user store for both Realm A and Realm B is the same, but we have different chains for both realms, hence we cannot put apps A and B under the same realm). How can we achieve SSO between Realm A and Realm B?

     Andy Cory

    Cookie domain is a global setting, not per realm, but you can set multiple cookie domains in that global list. And then each realm can have its own DNS alias. E.g., you have Realm A mapped to and Realm B mapped to, and both and are set as cookie domains, meaning OpenAM will (try to) create a cookie for both those domains. However, if you’ve authenticated to Realm A on, only the cookie should be seen by the browser, and only that cookie would be sent by the browser back to OpenAM. Therefore, because of browser behaviour (governed by cookie spec), you effectively have one valid cookie per realm.

    In answer to your second paragraph, I don’t believe you can achieve that – if you login to Realm A your session isn’t valid in Realm B despite the same userstore being configured for both. I have a similar issue with one pool of users, but different groups of users require different configuration for OpenAM’s user self service processes, which are realm-specific. I’m struggling to achieve that one.
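    Added example (not code from the thread or from OpenAM): it uses Python's standard cookie jar to show the browser-side rule Andy describes, that a session cookie scoped to one realm's DNS alias is sent only to that alias, whereas a cookie on a shared parent domain reaches both realms. The hostnames and session values are constructed; `iPlanetDirectoryPro` is OpenAM's default session cookie name.

```python
import http.cookiejar
from urllib.request import Request

# Constructed hostnames: one DNS alias per realm (assumption, not from the thread).
REALM_A_HOST = "realm-a.example.com"
REALM_B_HOST = "realm-b.example.com"
SSO_COOKIE = "iPlanetDirectoryPro"  # OpenAM's default session cookie name


def make_sso_cookie(domain, value):
    """Build a session cookie as a browser would store it after OpenAM's Set-Cookie."""
    return http.cookiejar.Cookie(
        version=0, name=SSO_COOKIE, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={"HttpOnly": None},
    )


def cookie_header_for(jar, host):
    """Return the Cookie header the browser would attach to an https request to host."""
    req = Request(f"https://{host}/openam/json/authenticate")
    jar.add_cookie_header(req)  # applies the standard cookie domain-matching rules
    return req.get_header("Cookie")  # None when no stored cookie matches the host


def realm_scoping_demo():
    """Compare a per-alias cookie domain with one shared parent cookie domain."""
    # Case 1: the cookie domain equals Realm A's alias only.
    per_alias = http.cookiejar.CookieJar()
    per_alias.set_cookie(make_sso_cookie(REALM_A_HOST, "sessionA"))

    # Case 2: the cookie domain is the shared parent, so it matches both aliases
    # and the same session would be presented to both realms.
    shared = http.cookiejar.CookieJar()
    shared.set_cookie(make_sso_cookie(".example.com", "sessionShared"))

    return {
        "per_alias_to_a": cookie_header_for(per_alias, REALM_A_HOST),
        "per_alias_to_b": cookie_header_for(per_alias, REALM_B_HOST),
        "shared_to_a": cookie_header_for(shared, REALM_A_HOST),
        "shared_to_b": cookie_header_for(shared, REALM_B_HOST),
    }


if __name__ == "__main__":
    for case, header in realm_scoping_demo().items():
        print(f"{case}: {header}")
```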

