SSO with multiple tenants using multiple realms

This topic contains 8 replies, has 6 voices, and was last updated by  Andy Cory 2 months, 2 weeks ago.

  • #5901
     arunpatnaik 
    Participant

    I am trying to evaluate if OpenAM would be a good fit for implementing an authentication service with the following requirements:

    A) multiple tenants (isolation with each tenant having their own realm)
    B) user name is/needs to be unique across realms
    C) same client attempts to authenticate users across realms

    I see that A is possible. Not sure about B. And I could not understand for C to work how it needs to indicate the realm against which the authentication should happen.

    Has anyone done something like this using OpenAM? Appreciate any pointers/suggestions.

    Thanks
    Arun

    #5937
     Andrew Potter 
    Participant

    Each realm can have its own store of user credentials, or every realm can use the same store…or any combination in between. So if every realm used the same credential store then you would have uniqueness across the entire deployment. Or uniqueness in each realm if you went for a store per realm.
    The uniqueness is enforced by the underlying store e.g. OpenDJ/ LDAP directory rather than OpenAM.

    For C you can append the realm as a parameter to the login url. You can also configure a domain name to map to a specific realm. The docs describe this.

    #5950
     Peter Major 
    Moderator

    For C) it’s important to know that OpenAM normally only allows a user to be logged in against a single realm. If you want to be able to be authenticated against more than one realm in OpenAM, then you will need to use different cookie domains to achieve that.

    #5952
     arunpatnaik 
    Participant

    Thanks, that helps.

    #13504
     Frotonis 
    Participant

    @peter-major, can you please let me know how I can set up different cookie creation per realm? As I know, OpenAM will create a cookie for each cookie domain I set in the configuration. Is there a possibility to create a cookie just for a given realm?

    For example:

    I have realm A and I am authenticated in it. I have created a cookie for .domain.tt
    I want to be authenticated to realm B, but I was made to log out from realm A (because I am logged in to a different organization).

    But my goal is to have a token for .domain.tt which can be validated against realm A, and some other token (it doesn't matter if it will be a token with the same name but for a different cookie domain .mali.domain.tt, or a cookie with a different name => this solution is better for me) which will be related to realm B.

    Is it possible, or do I have to have another instance of OpenAM to create two different cookies, one per realm?

    Thanks for the answer

    #13563
     Peter Major 
    Moderator

    Cookie domain is a global setting, can not be set on a per realm basis. You could try to use the com.sun.identity.authentication.setCookieToAllDomains=false advanced server property to only set cookies for matching cookie domains.

    Cookie name is a global setting as well.

    You really should be using different cookie domains for the different realms as long as you want to be authenticated in both realms at the same time.

    • This reply was modified 2 years, 8 months ago by  Peter Major.
    #13569
     Frotonis 
    Participant

    Thanks for response Peter. I thought so but I was not sure.

    #24268
     Sireesha 
    Participant

    Hello Peter

    You mentioned that cookie domain is a global setting and cannot be set on a per-realm basis. In that case, how can I use different cookie domains for different realms and let a user be authenticated into both realms at the same time?

    We do have a similar scenario to the original question, where a user authenticated to an application A configured under Realm A needs to do single sign-on into an application B configured under Realm B (the user store for both Realm A and Realm B is the same, but we have different chains for the two realms, hence we cannot put app A and app B under the same realm). How can we achieve SSO between Realm A and Realm B?

    #25507
     Andy Cory 
    Participant

    Cookie domain is a global setting, not per realm, but you can set multiple cookie domains in that global list. And then each realm can have its own DNS alias. E.g., you have Realm A mapped to a.domain.com and Realm B mapped to b.domain.com, and both a.domain.com and b.domain.com are set as cookie domains, meaning OpenAM will (try to) create a cookie for both those domains. However, if you’ve authenticated to Realm A on a.domain.com, only the a.domain.com cookie should be seen by the browser, and only that cookie would be sent by the browser back to OpenAM. Therefore, because of browser behaviour (governed by cookie spec), you effectively have one valid cookie per realm.

    In answer to your second paragraph, I don’t believe you can achieve that – if you log in to Realm A your session isn’t valid in Realm B despite the same user store being configured for both. I have a similar issue with one pool of users, but different groups of users require different configuration for OpenAM’s user self-service processes, which are realm-specific. I’m struggling to achieve that one.

    -Andy
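The cookie-scoping behaviour that Peter Major (#13563) and Andy Cory (#25507) describe can be checked without an OpenAM instance, because the part that does the work is the browser's cookie-domain rules, not OpenAM. The script below is an added illustration and is not OpenAM code or code posted in this thread. It assumes (as the replies above state) that the SSO cookie name and the cookie-domain list are global, that OpenAM emits one Set-Cookie per configured cookie domain when setCookieToAllDomains is true, and that each realm is reached through its own DNS alias; the hostnames, token values and URL paths are constructed for the example, and Python's `http.cookiejar.DefaultCookiePolicy` stands in for the browser.

```python
"""Simulate how a browser treats OpenAM's global cookie-domain list when
each realm has its own DNS alias.  Added illustration, not OpenAM code."""
import email.message
import http.cookiejar
import urllib.request

# OpenAM's default SSO cookie name; global, not configurable per realm.
SSO_COOKIE = "iPlanetDirectoryPro"


class FakeResponse:
    """Minimal stand-in for an HTTP response so CookieJar can parse Set-Cookie
    headers without any network access."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            # Message.__setitem__ appends, so every Set-Cookie line is kept.
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def openam_set_cookie_headers(token, cookie_domains):
    """Assumed OpenAM behaviour with setCookieToAllDomains=true: one
    Set-Cookie per configured cookie domain, all carrying the same token."""
    return [f"{SSO_COOKIE}={token}; Domain={d}; Path=/; Secure; HttpOnly"
            for d in cookie_domains]


def login_and_probe(login_host, cookie_domains, probe_hosts, token):
    """Log in at login_host (one realm's DNS alias), let the browser's cookie
    policy decide what to keep, then report which Cookie header each probe
    host receives.  Returns (stored cookie domains, {host: Cookie header})."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy ~ browser rules
    login_req = urllib.request.Request(
        f"https://{login_host}/openam/json/authenticate")  # constructed path
    jar.extract_cookies(
        FakeResponse(openam_set_cookie_headers(token, cookie_domains)),
        login_req)
    stored = sorted(c.domain for c in jar)

    sent = {}
    for host in probe_hosts:
        req = urllib.request.Request(
            f"https://{host}/openam/json/sessions?_action=validate")
        jar.add_cookie_header(req)
        sent[host] = req.get_header("Cookie")  # None: browser sends nothing
    return stored, sent


def per_realm_aliases():
    """Andy Cory's setup: cookie domains a.domain.com and b.domain.com, one
    realm per alias.  The Set-Cookie for b.domain.com is rejected by the
    browser as a domain mismatch, so only a.domain.com ever sees the token."""
    return login_and_probe("a.domain.com",
                           ["a.domain.com", "b.domain.com"],
                           ["a.domain.com", "b.domain.com"], "tokenA")


def shared_parent_domain():
    """Frotonis' setup: a single cookie domain .domain.tt-style parent.  The
    same token is presented to both aliases, so a login at realm B arrives
    carrying realm A's session, which is the collision described above."""
    return login_and_probe("a.domain.com",
                           [".domain.com"],
                           ["a.domain.com", "b.domain.com"], "tokenA")


if __name__ == "__main__":
    for label, fn in (("per-realm aliases", per_realm_aliases),
                      ("shared parent domain", shared_parent_domain)):
        stored, sent = fn()
        print(f"{label}: browser kept {stored}")
        for host, cookie in sent.items():
            print(f"  request to {host}: Cookie: {cookie}")
```

Running it shows the two outcomes side by side: with per-realm aliases the jar holds only `.a.domain.com` and the request to b.domain.com carries no cookie at all, which is the "one valid cookie per realm" effect; with a shared parent domain both hosts send the same token, so the second realm receives a session that was issued against the first.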


©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
