How do I reduce the number of policy referrals in OpenAM 11.0.0?

Last updated Jan 5, 2021

The purpose of this article is to provide information on changes you can make to reduce the number of policy referrals you have in OpenAM 11.0.0. Reducing policy referrals should improve the performance of policy evaluation.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Reducing the number of policy referrals

You can use Realm Alias Referrals if each sub-realm is already mapped or can be mapped to a different DNS alias. Realm Alias Referrals allow you to create policies in sub-realms without the need for referral policies from the top level or parent realm. You must then create policies to protect HTTP or HTTPS resources that have a fully qualified hostname that matches the DNS alias of the realm.

Realm DNS aliases are an alternative to using Fully Qualified Domain Names (FQDNs) in OpenAM as they implicitly add the realm to the request. For example, http://example.com:8080/openam/UI/Login is interpreted as http://example.com:8080/openam/UI/Login?realm=myrealm when realm DNS aliases are used.

Example

Where you have the following configuration:

  • Website URL (protected by a web policy agent): http://website.example.com:80/index.html
  • OpenAM server URL: http://openam.example.com:8080/openam
  • Realm name: myRealm
  • Realm DNS alias: myrealm.example.com (which resolves to the same IP as openam.example.com)

The agent login URL would be: http://myrealm.example.com:8080/openam/UI/Login (the realm parameter is not required because the realm DNS alias is being used).
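The two rules above (the request host selects the realm, and a sub-realm policy may only name resources whose FQDN is one of that realm's DNS aliases) modelled in Python as an added example; this is not OpenAM code, and the alias table, including the assumed extra website.example.com alias on myRealm, is constructed for illustration:

```python
"""Model of how Realm Alias Referrals scope requests and policies to a realm.

Added example, not OpenAM code. The alias table is constructed; in a real
deployment it comes from each realm's sunOrganizationAliases attribute.
"""
from urllib.parse import urlsplit

# Constructed sample: realm -> DNS aliases (as set under Realm/DNS Aliases).
# 'website.example.com' is an ASSUMED extra alias so myRealm can own that site.
REALM_ALIASES = {
    "/": ["openam.example.com"],
    "/myRealm": ["myrealm.example.com", "website.example.com"],
}


def _host(url: str) -> str:
    """Return the lowercase hostname of a URL, without port or path."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def resolve_realm(request_url: str, aliases=REALM_ALIASES) -> str:
    """Realm a request is implicitly routed to by its hostname.

    With DNS aliases the realm comes from the host, so no ?realm= parameter
    is needed on the login URL. A host with no alias falls back to the
    top-level realm, which is why a forgotten alias silently lands users
    (and their policy lookups) in '/'.
    """
    host = _host(request_url)
    for realm, names in aliases.items():
        if realm != "/" and host in (n.lower() for n in names):
            return realm
    return "/"


def policy_resource_allowed(resource: str, realm: str, aliases=REALM_ALIASES) -> bool:
    """Check the rule for policies created directly in a sub-realm.

    Without a referral from the parent, a sub-realm policy may only protect
    http/https resources whose fully qualified hostname matches one of the
    realm's DNS aliases. A wildcard host such as '*.example.com' is not a
    literal FQDN and therefore does not match. The top level is unrestricted.
    """
    if realm == "/":
        return True
    if urlsplit(resource).scheme not in ("http", "https"):
        return False
    return _host(resource) in (n.lower() for n in aliases.get(realm, []))
```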

Enabling Realm Alias Referrals

You can enable Realm Alias Referrals using either the OpenAM console or ssoadm:

  • OpenAM console: navigate to: Configuration > Global > Policy Configuration > Global Attributes > Realm Alias Referrals and select the Yes option.
  • ssoadm: enter the following command, replacing [adminID] and [passwordfile] with appropriate values:

    $ ./ssoadm set-attr-defs -s iPlanetAMPolicyConfigService -t global -u [adminID] -f [passwordfile] -a sun-am-policy-config-org-alias-mapped-resources-enabled=true

Note

You must restart the web application container in which OpenAM runs to apply these policy rule changes if you are using a pre-11.0.2 version of OpenAM. This is a known issue: OPENAM-3626 (Changes to policy rules only take effect after restarting OpenAM).

You must then set Realm/DNS Aliases for all sub-realms if you have not already done so. You can do this using either the OpenAM console or ssoadm:

  • OpenAM console: navigate to: Access Control > [Realm Name] > Realm/DNS Aliases and ensure the appropriate DNS aliases are specified.
  • ssoadm: enter the following command, replacing [realmname], [adminID], [passwordfile] and [DNSAlias] with appropriate values:

    $ ./ssoadm set-realm-attrs -s sunIdentityRepositoryService -e [realmname] -u [adminID] -f [passwordfile] -p -a sunOrganizationAliases=[DNSAlias]

Note

You must restart the web application container in which OpenAM runs to apply these configuration changes.

See Also

How do I reduce the number of policy matches in Identity Cloud or AM (All versions)?

Best practice for creating and testing policies in OpenAM 11.x

Best practice for creating and testing policies in AM (All versions)

Best practice for migrating policies when upgrading to OpenAM 12.x or 13.x

OpenAM Administration Guide › Configuring Realms

OpenAM Administration Guide › Defining Authorization Policies

OpenAM Reference › Configuration Reference › Global Configuration

Related Issue Tracker IDs

OPENAM-2460 (Policy evaluation may hang with large number of matching referral privileges)

OPENAM-3626 (Changes to policy rules only take effect after restarting OpenAM)

OPENAM-4031 ("Realm Alias Referrals" doesn't work with 11.0.1)
