OpenAM custom realm for J2EE Agent

0
votes

I have an issue to force openAM to log in using my custom realm. I have configured my J2EE tomcat agent to use my custom realm /stmdevrealm:

com.sun.identity.agents.config.organization.name =stmdevrealm

My login page is accessible on http://login.stmdev.comp:9150/openam/UI/Login and my protected app is available on http://app.stmdev.comp:9140/agentsample/

When I try to log in to realm using http://login.stmdev.comp:9150/openam/UI/Login?realm=stmdevrealm I am able to log in successfully. However, when I'm accessing my protected app it uses default / realm.

Realm/DNS Aliases for "/" is set as 

login.stmdev.comp

for "app" it is set as: 

 app.stmdev.comp

What did I miss? How to force my agent to use right realm?

1
tomcatopenamopensso
Should I change my OpenAM Login URL to login.stmdev.comp:9150/openam/UI/Login?realm=stmdevrealm at stmdevrealm -> Agents -> J2EE -> my agent -> OpenAM services ?? This looks like workaroud. Is there some better solution? - Kamil Sobala

1 Answers

1
votes

The realm where the agent profile exists is not related to the realm where user's should authenticate against.

Either change login URL property in the agent profile as you mentioned or use a separate DNS alias /FQDN for your sub-realm and specify this one.

However you need to consider the other use-case as well, where users have already a valid SSO Session but are authenticated in a different realm.

If you do not want to allow those users access to the protected app you need a proper policy condition