
I am very new to networking, and I am facing an issue trying to implement OpenSSO behind load balancing. The load balancer uses IP addresses; the OpenAM agent is expected to work on an IIS server which is running an ASP.NET application. OpenAM only works on DNS, but the load balancer only works on IP, and they are not able to communicate. This is a common scenario; if anybody has worked on such issues in the past, please provide guidance.

Deepak

1 Answer

There are some technical details you need to understand, especially https://www.rfc-editor.org/rfc/rfc6265 (AKA the "cookie spec"). This is the reason why OpenAM BY DEFAULT can only work on FQDNs; however, it can only work on IPs if you have understood the technical foundation.

Agents by default probe the OpenAM URLs (see https://bugster.forgerock.org/jira/browse/OPENAM-3294).

If an OpenAM site is configured, agents also communicate with the primary site URL configured for that site (when the OpenAM instance belongs to that site) when validating the SSO token of a "user" and when sending policy decision requests.

If there is no OpenAM site configured, agents communicate with the server URL of the OpenAM instance where the SSO session was created (I call this the 'authoritative OpenAM instance').

OpenAM also needs to be aware of which FQDNs it has to handle. This can either be achieved via an OpenAM site (understand the consequences with regard to agent communication) or via 'fqdn mapping' (advanced server property com.sun.identity.server.fqdnMap[FQDN]=FQDN).

Now you also need to understand name resolution in the TCP/IP protocol stack.

Clients actually communicate on the IP level first (putting aside the lower levels).

A load balancer typically defines a 'virtual server' which has a VIP assigned (the terms are confusing, as on an HTTP server you can also have such a thing as a 'virtual server', but it may act on a different level of the network stack).

So you could do the following (after you have understood the technical foundation):

  • create name resolution for the VIP of the LB to an appropriate FQDN
  • create OpenAM site leveraging that FQDN
  • assign OpenAM instances to that site
  • configure agents to use the FQDN of the OpenAM site as LoginURL (and potentially the naming URL in the agent bootstrap file)
  • potentially re-configure cookie domains in OpenAM platform service
  • restart OpenAM
Bernhard Thalmayr
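The RFC 6265 domain-match rule behind the answer's "FQDN, not IP" point, turned into a pre-flight check for the agent URLs and cookie domains. This is an added example, not code from the answer or from OpenAM; the configuration dict and its keys are constructed for illustration (only the fqdnMap property name comes from the answer), and sso.example.com / 192.0.2.10 are placeholder values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed configuration for the scenario in the answer: the LB VIP has
# been given an FQDN, the OpenAM site uses it, the agent points at it, and a
# cookie domain covers it. Keys are labels for this example, not OpenAM
# property names, except the fqdnMap entry quoted in the answer.
EXAMPLE_CONFIG = {
    "site_url": "https://sso.example.com/openam",
    "agent_login_url": "https://sso.example.com/openam/UI/Login",
    "agent_naming_url": "https://sso.example.com/openam/namingservice",
    "cookie_domains": [".example.com"],
    "fqdn_map": {"com.sun.identity.server.fqdnMap[sso.example.com]": "sso.example.com"},
}


def is_ip_literal(host):
    """True if the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match: the host equals the cookie
    domain, or ends with it after a dot and is not an IP address."""
    host = host.lower()
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip_literal(host)


def check_sso_urls(config):
    """Return a list of problems; an empty list means the agent URLs can
    receive the SSO cookie through the VIP and are FQDNs OpenAM knows."""
    known = set(config["fqdn_map"].values())
    known.add(urlsplit(config["site_url"]).hostname or "")
    problems = []
    for key in ("agent_login_url", "agent_naming_url"):
        host = urlsplit(config[key]).hostname or ""
        if is_ip_literal(host):
            problems.append(f"{key}: {host} is an IP literal, no domain cookie can be set")
            continue
        if not any(domain_matches(host, d) for d in config["cookie_domains"]):
            problems.append(f"{key}: {host} matches no configured cookie domain")
        if host not in known:
            problems.append(f"{key}: {host} is neither the site FQDN nor in fqdnMap")
    return problems
```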