We have an IDM-AM integration where the top-level realm employs ForgeRock DS as the identity store for customers, and there’s another sub-realm, “Staff,” which is linked to AD for staff users. Currently, the Platform End User UI authenticates against the top-level realm’s Organization Authentication Configuration tree by default.
What configuration steps should be taken to ensure that the End User UI authenticates against the sub-level realm, specifically “Staff,” instead of the top-level realm? Additionally, we aim to extend this configuration to the IDM Admin UI and AM Admin UI, allowing staff identities in AD, which reside in a different sub-realm, to access these distinct UIs. How can this be achieved?
Firstly, it is not a best practice to use the top-level realm as the Auth-N realm for end users.
Secondly, there are a few ways to accommodate what you are trying to do. My approach is to use IG in front of IdM and AM, acting as the reverse proxy.
Though there is a simpler approach in the IdM configuration. What I’m not clear about is whether staff and customers have access to the Self Service UI.
Is there a way we can configure the platform’s end-user UI to redirect to the staff realm? By default, authentication redirects to the top-level realm.
For end users authenticating against the sub-realm instead of the top-level realm, you will need to add the `realm` property under `subjectMapping` of the rsFilter configuration in `authentication.json`.
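As an added illustration, not part of the original thread, this is the shape of an rsFilter `subjectMapping` entry in IDM's `conf/authentication.json` that pins the mapping to the "Staff" sub-realm from the question. The `managed/user` resource, the `&{...}` property placeholders and the scope value are assumptions for this example, not values from a known deployment.

```json
{
  "serverAuthContext": {
    "authModules": [
      {
        "name": "rsFilter",
        "properties": {
          "clientId": "&{rs.client.id}",
          "clientSecret": "&{rs.client.secret}",
          "tokenIntrospectUrl": "&{am.url}/oauth2/introspect",
          "scopes": ["fr:idm:*"],
          "subjectMapping": [
            {
              "realm": "Staff",
              "queryOnResource": "managed/user",
              "propertyMapping": {
                "sub": "_id"
              },
              "userRoles": "authzRoles/*",
              "defaultRoles": ["internal/role/openidm-authorized"]
            }
          ]
        }
      }
    ]
  }
}
```

The `realm` value must match the realm AM reports for the introspected access token, so a token issued by another realm will not be mapped by this entry; a separate `subjectMapping` entry per realm keeps customer and staff authentication distinct rather than falling through to one shared mapping.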