Platform end user ui authentication via a sub realm rather than top level realm

We have an IDM-AM integration where the top-level realm employs ForgeRock DS as the identity store for customers, and there’s another sub-realm, “Staff,” which is linked to AD for staff users. Currently, the Platform End User UI authenticates against the top-level realm’s Organization Authentication Configuration tree by default.

What configuration steps should be taken to ensure that the End User UI authenticates against the sub-level realm, specifically “Staff,” instead of the top-level realm? Additionally, we aim to extend this configuration to the IDM Admin UI and AM Admin UI, allowing staff identities in AD, which reside in a different sub-realm, to access these distinct UIs. How can this be achieved?

I had a similar situation and didn’t find a solution. Ideally there should be config in the End User UI to configure the realms.

Firstly, it is not a best practice to use the Top Level realm as the Auth-N realm for end users.
Secondly, there are a few ways to accommodate what you are trying to do. My approach is to use IG in front of IdM and AM, acting as the reverse proxy.
Though there is a simpler approach in the IdM configuration. What I’m not clear about is do staff and customers have access to the Self Service UI?

@grpensa Yes, the staff and customers have access to the Self Service UI. What is the simpler approach in IDM configuration for this?

@KaranNayyar1 I find that adding the realm to the enduser URL as a param directs you to the correct AM realm. EX:

That is correct.

Is there a way we can configure the platform’s end-user UI to redirect to the staff realm? By default, authentication redirects to the top-level realm.

For end users authenticating against the sub-realm, instead of the top level realm, you will need to add the `realm` property under `subjectMapping` of the rsFilter configuration in authentication.json

You can find more about this here: Authenticate through AM :: IDM 7.5.0

For access to the IDM admin UI by users residing in a sub-realm, you need to adjust the /oauth2/ references found within the ui/admin/default/index.html file.

For example, if your realm is named “SUBREALM”, replace /oauth2/ with /oauth2/realms/root/realms/SUBREALM/

Check out this blog, which is very helpful for troubleshooting or customizing the AM-IDM integration: Understanding and Troubleshooting ForgeRock Identity Platform Integration

Mohammed Tuhin

1 Like
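The two edits described in the post above, worked through as a small helper; this is an added example, not code from the thread or from ForgeRock. It pins every rsFilter `subjectMapping` entry in authentication.json to a realm and rewrites the bare `/oauth2/` paths in the admin UI's index.html. The sample JSON is constructed and trimmed to the keys the example touches, and the realm path `/Staff` is an assumption based on this thread, so check both against the IDM docs for your version.

```python
import json
import re

# Constructed, trimmed rsFilter block in the shape of IDM's authentication.json
# (a real file carries more keys; only the ones this example touches are shown).
SAMPLE_AUTH_JSON = """{
  "serverAuthContext": {
    "authModules": [
      {
        "name": "rsFilter",
        "properties": {
          "clientId": "idm-resource-server",
          "tokenIntrospectUrl": "https://am.example.com/am/oauth2/introspect",
          "scopes": ["fr:idm:*"],
          "subjectMapping": [
            {
              "resourceTypeMapping": {"usr": "managed/user"},
              "propertyMapping": {"sub": "_id"},
              "userRoles": "authzRoles/*",
              "defaultRoles": ["internal/role/openidm-authorized"]
            }
          ]
        }
      }
    ]
  }
}"""


def set_rsfilter_realm(auth_config: dict, realm: str) -> dict:
    """Return a copy of the config with every rsFilter subjectMapping pinned to `realm`.

    Without an explicit realm the filter maps subjects against the top-level realm,
    which is what the thread is trying to move away from.
    """
    cfg = json.loads(json.dumps(auth_config))  # deep copy; leave the caller's dict untouched
    mappings = [m for mod in cfg["serverAuthContext"]["authModules"]
                if mod.get("name") == "rsFilter"
                for m in mod["properties"].get("subjectMapping", [])]
    if not mappings:
        raise ValueError("no rsFilter subjectMapping found in authentication.json")
    for mapping in mappings:
        mapping["realm"] = realm  # e.g. "/Staff" (assumed realm path for this thread)
    return cfg


def rewrite_admin_ui_oauth2_paths(html: str, sub_realm: str) -> str:
    """Rewrite /oauth2/ in ui/admin/default/index.html to /oauth2/realms/root/realms/<sub_realm>/.

    The negative lookahead skips paths that already carry a realms/ segment, so
    running this twice over the same file does not double the prefix.
    """
    return re.sub(r"/oauth2/(?!realms/)", f"/oauth2/realms/root/realms/{sub_realm}/", html)
```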

Agreed. Or commonly a DNS alias for the realm (keeps it cleaner).


1 Like