This article has been archived and is no longer maintained by ForgeRock.
You can use Realm Alias Referrals if each sub-realm is already mapped or can be mapped to a different DNS alias. Realm Alias Referrals allow you to create policies in sub-realms without the need for referral policies from the top level or parent realm. You must then create policies to protect HTTP or HTTPS resources that have a fully qualified hostname that matches the DNS alias of the realm.
Realm DNS aliases are an alternative to using Fully Qualified Domain Names (FQDNs) in OpenAM as they implicitly add the realm to the request. For example, http://example.com:8080/openam/UI/Login is interpreted as http://example.com:8080/openam/UI/Login?realm=myrealm when realm DNS aliases are used.
Where you have the following configuration:
- Website URL (protected by a web policy agent): http://website.example.com:80/index.html
- OpenAM server URL: http://openam.example.com:8080/openam
- Realm name: myRealm
- Realm DNS alias: myrealm.example.com (which resolves to the same IP as openam.example.com)
The agent login URL would be: http://myrealm.example.com:8080/openam/UI/Login (the realm parameter is not required because the realm DNS alias is being used).
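As an added illustration (not part of the original article or of OpenAM's own code), the following Python models the host-to-realm lookup described above and checks whether a policy resource's hostname matches a realm's DNS alias. The alias table is constructed from the configuration above; the entry for website.example.com is an assumption that the protected site's FQDN has also been added as an alias of myRealm so that its policy can live in that sub-realm.

```python
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed alias table based on the configuration above (not exported from
# a real OpenAM). Keys are realm DNS aliases, values are realm paths. The entry
# for website.example.com is an assumption: the protected site's FQDN has been
# added as a further alias of myRealm so that its policy can be created there.
REALM_ALIASES: Dict[str, str] = {
    "openam.example.com": "/",
    "myrealm.example.com": "/myRealm",
    "website.example.com": "/myRealm",
}


def realm_for_host(host: str, aliases: Dict[str, str] = REALM_ALIASES) -> Optional[str]:
    """Realm the hostname is aliased to, or None. DNS names are case-insensitive."""
    return aliases.get(host.lower())


def interpret_login_url(url: str, aliases: Dict[str, str] = REALM_ALIASES) -> str:
    """Model the article's rule: a request to an aliased host is treated as if
    ?realm=<realm> were present. A realm parameter already in the URL is kept
    (assumption: an explicit parameter is not overridden here)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    realm = realm_for_host(parts.hostname or "", aliases)
    if realm is not None and "realm" not in query:
        query["realm"] = realm
    return urlunsplit(parts._replace(query=urlencode(query, safe="/")))


def resource_realm(resource: str, aliases: Dict[str, str] = REALM_ALIASES) -> Optional[str]:
    """Realm in which a policy for this resource is found via Realm Alias Referrals:
    only http/https resources whose fully qualified host matches an alias qualify.
    None means the resource cannot be matched by alias (wrong scheme, no host, or
    a host that is not an alias of any realm), so a referral would still be needed."""
    parts = urlsplit(resource)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return realm_for_host(parts.hostname, aliases)


def policy_matches_realm(resource: str, realm: str, aliases: Dict[str, str] = REALM_ALIASES) -> bool:
    """Pre-creation check: will a policy for `resource` placed in `realm` be reached
    through the realm's DNS alias rather than needing a referral policy?"""
    return resource_realm(resource, aliases) == realm


if __name__ == "__main__":
    print(interpret_login_url("http://myrealm.example.com:8080/openam/UI/Login"))
    print(policy_matches_realm("http://website.example.com:80/index.html", "/myRealm"))
```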
Enabling Realm Alias Referrals
You can enable Realm Alias Referrals using either the OpenAM console or ssoadm:
- OpenAM console: navigate to: Configuration > Global > Policy Configuration > Global Attributes > Realm Alias Referrals and select the Yes option.
- ssoadm: enter the following command: $ ./ssoadm set-attr-defs -s iPlanetAMPolicyConfigService -t global -u [adminID] -f [passwordfile] -a sun-am-policy-config-org-alias-mapped-resources-enabled=true replacing [adminID] and [passwordfile] with appropriate values.
You must restart the web application container in which OpenAM runs to apply these policy rule changes if you are using a pre-11.0.2 version of OpenAM. This is a known issue: OPENAM-3626 (Changes to policy rules only take effect after restarting OpenAM).
You must then set Realm/DNS Aliases for all sub-realms if you have not already done so. You can do this using either the OpenAM console or ssoadm:
- OpenAM console: navigate to: Access Control > [Realm Name] > Realm/DNS Aliases and ensure the appropriate DNS aliases are specified.
- ssoadm: enter the following command: $ ./ssoadm set-realm-attrs -s sunIdentityRepositoryService -e [realmname] -u [adminID] -f [passwordfile] -p -a sunOrganizationAliases=[DNSAlias] replacing [realmname], [adminID], [passwordfile] and [DNSAlias] with appropriate values.
You must restart the web application container in which OpenAM runs to apply these configuration changes.