Alternate DNS Alias for Login

I have added a private internal name to our forgeops deployment (ingress and in AM config for fqdnMap) but am getting the below error when trying to get an access token against the environment using the private / internal endpoint. This is in the root (/) realm and is configured in the server fqdnMap, so not sure why this is not mapping / finding the mapping.

This is the endpoint I am using to test / get the token (which works using the primary / main URL):

https://<PRIVATENAME>/am/oauth2/access_token?auth_chain=Login
{
    "code": 500,
    "reason": "Internal Server Error",
    "message": "No mapping organization found for organization identifier."
}

Anyone see this before or have any possible fixes?

Thanks

Have you added the private name to the realm’s aliases configuration? This has to be configured in the realm in addition to the global properties.

Yeah, I have the names, cookie domains, and global properties all there. The interesting thing is that if I remove the name from the realm config, I then get an error saying it can’t find the name. So, I know it is finding the name; now I'm trying to figure out why it is throwing the error above.

Nick

I get the below consistently in the logs (with trace) when this is happening. Not sure where this cache is coming from or how to refresh it, but it seems to be the source of the problem.

{"timestamp":"2024-09-19T02:02:22.275Z","level":"DEBUG","thread":"http-nio-8081-exec-4","mdc":{"transactionId":"55d240bb-81dd-45cd-ae25-b9f2d8457fbb-3218"},"logger":"org.forgerock.openam.core.realms.impl.CachingRealmLookup","message":"RealmsCache.lookup: orgIdentifier <althosturl> found in unknown org lookup cache.","context":"default","transactionId":"55d240bb-81dd-45cd-ae25-b9f2d8457fbb-3218"}

Interesting. I’m going to assume the answer is yes, but have you tried restarting AM after updating the config?

Have you attempted to access the realm via this URL using other endpoints? Is it just the access_token endpoint causing issues?
