Configuring ForgeRock AM Active/Active Deployment Routing Using IG

Introduction

The standard deployment pattern for ForgeRock Identity Platform is to deploy the entire platform in multiple data centers/cloud regions. This is ensures the availability of services in case of an outage in one data center. This approach also provides performance benefits, as the load can be distributed among multiple data centers. Below is the example diagram for Active/Active deployment:

image933×1024 84.1 KB

Problem Statement

AM provides both stateful/CTS-based and stateless/client-based sessions. Global deployment use cases require a seamless, single sign-on (SSO) experience among all applications with following constraints:

• Certain deployments have distributed applications, such as App-A, deployed only in Data Center-A, and App-B, deployed only in Data Center-B.
• The end user may travel to different locations, such as from the East coast to the West coast in the U.S. This means that application access requests will be handled by different data centers.

To achieve these use cases, CTS replication has to be enabled across multiple data centers/cloud regions.

In some situations, a user may try to access an application hosted in a specific data center before their corresponding sessions have been replicated. This can result in the user being prompted to re-authenticate, thereby degrading the user experience:

image904×628 83.2 KB

Note: This problem may be avoided if client-based sessions are leveraged, but many deployments have to use CTS-based sessions due to current limitations in client-based sessions. Also, when CTS-based sessions are used, the impact of CTS replication is much more than in client-based sessions.

In this article, we leverage IG to intelligently route session validation requests to a single data center, irrespective of the application being accessed.

Solution

IG can route session validation requests to a specific data center/region, depending on an additional site cookie generated during user’s authentication.

This approach ensures that the AM data center that issued the user’s session is used for corresponding session validation calls. This also means that CTS replication is not required across multiple data centers/ cloud regions:

1024×755 265 KB

Configure AM

• Install AM 6.5.x and corresponding DS stores, Amster, and others. Following is a sample Amster install command:

install-openam — serverUrl http://am-A.example.com:8094/am — adminPwd cangetinam — acceptLicense — userStoreDirMgr “cn=Directory Manager” — userStoreDirMgrPwd “cangetindj” — userStoreHost uds1.example.com — userStoreType LDAPv3ForOpenDS — userStorePort 1389 — userStoreRootSuffix dc=example,dc=com — cfgStoreAdminPort 18092 — cfgStorePort 28092 — cfgStoreJmxPort 38092 — cfgStoreSsl SIMPLE — cfgStoreHost am-A.example.com — cfgDir /home/forgerock/am11 — cookieDomain example.com

• Deploy the Cookie setter node from ForgeRock Marketplace, and restart the AM server.
• Import the Amster export to create the AM configs below. Refer to the sample Amster export:

am> connect http://am-A.example.com:8094/am -i
Sign in
User Name: amadmin
Password: **********
amster am-A.example.com:8094> import-config — path /home/forgerock/work/amster
Importing directory /home/forgerock/work/amster
Imported /home/forgerock/work/amster/global/Realms/root-employees.json
Imported /home/forgerock/work/amster/realms/root-employees/CoookieSetterNode/e4c11a8e-6c3b-455d-a875–4a1c29547716.json
Imported /home/forgerock/work/amster/realms/root-employees/DataStoreDecision/6bc90a3d-d54d-4857-a226-fb99df08ff8c.json
Imported /home/forgerock/work/amster/realms/root-employees/PasswordCollector/013d8761–2267–43cf-9e5e-01a794bd6d8d.json
Imported /home/forgerock/work/amster/realms/root-employees/UsernameCollector/31ce613e-a630–4c64–84ee-20662fb4e15e.json
Imported /home/forgerock/work/amster/realms/root-employees/PageNode/55f2d83b-724b-4e3a-87cc-247570c7020e.json
Imported /home/forgerock/work/amster/realms/root-employees/AuthTree/LDAPTree.json
Imported /home/forgerock/work/amster/realms/root/J2eeAgents/IG.json
Import completed successfully
- Creates /root realm aliases: am-A.example.com and am-B.example.com- AM Agent to be used by IG in /root realm- LDAPTree to create cookie after authentication. Update Cookie value as DC-A or DC-B, dependending on datacenter being used

• Repeat the previous steps for configuring AM in all data centers:

1024×575 291 KB

Configure IG

• Install IG 6.5.x.
• Refer to the sample IG configs:

- frProps.json to specify AM primary and secondary DC endpoints. Refer frProps-DC-A for DC-A and frProps-DC-B for DC-B.- config.json to declare primary and secondary AmService objects- 01-pep-dc-igApp.json to route session validation to specific datacenter, depending on “DataCenterCookie” value.

• Repeat the previous steps for deploying IG in all data centers.

Test the use cases

The user accesses an application deployed in DC-A first

1. The user accesses app1.example.com, deployed in DC-A.
2. IG, deployed in DC-A, redirects the request to AM, deployed in DC-A for authentication.
3. A DataCenterCookie is issued with a DC-A value.
4. The user accesses app2.example.com, deployed in DC-B.
5. IG, deployed in DC-B, redirects the request to AM, deployed in DC-A, for session validation.

The user accesses an application deployed in DC-B first

1. The user accesses app2.example.com deployed in DC-B.
2. IG, deployed in DC-B, redirects the request to AM deployed in DC-B, for authentication.
3. A DataCenterCookie is issued with a DC-B value.
4. The user accesses app1.example.com, deployed in DC-A.
5. IG, deployed in DC-A, redirects request to AM, deployed in DC-B, for session validation.

Extend AM to OAuth/OIDC use cases

OAuth: AM 6.5.2 provides option to modify Access tokens using scripts. This allows additional metadata in stateless OAuth tokens, such as dataCenter. This information can be leveraged by IG OAuth RS to invoke the appropriate data center’s AmService objects for tokenInfo/ introspection endpoints:

{
 “sub”: “user.88”,
 “cts”: “OAUTH2_STATELESS_GRANT”,
 “auth_level”: 0,
 “iss”: “http://am6521.example.com:8092/am/oauth2/employees",
 …
 “dataCenter”: “DC-A”
}

OIDC: AM allows additional claims in OIDC tokens using scripts. This information can be leveraged by IG to invoke appropriate dataceter’s AmService objects

References

• Code repository for sample AM and IG configs
• Current limitations in Client-based sessions
• How do I know what token types are stored in the CTS in AM ?
• Core Token Service (CTS) and sessions in AM/OpenAM

Other Articles by This Author