Resolution: Won't Fix
Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 13.0.0
Fix Version/s: None
Environment: OpenAM 12.0.2, Apache Tomcat, load balancer (HAProxy) in front of OpenAM
Support Ticket IDs:
Here are the steps to reproduce the issue consistently.
Setup:
Create 2 HAProxy configs, each pointing to one OpenAM instance individually.
Configure 2 OpenAM instances.
Configure an OpenAM site containing both instances.
Create a sub-realm and specify the LDAP authentication module as the realm authenticator, choosing 'mail' as the user search attribute (to distinguish it from the root realm, which searches on the default attribute).
Move the FQDN used for the primary site URL from the DNS aliases of the default realm to the DNS aliases of the sub-realm, so that requests carrying that host name resolve to the sub-realm.
Steps:
1) Start Haproxy with profile pointing to OpenAM 1
2) Start authentication in sub-realm with PRIMARY_SITE_URL/UI/Login
3) Stop Haproxy and restart it with profile pointing to OpenAM 2
4) Restart authentication in sub-realm with PRIMARY_SITE_URL/UI/Login
5) Submit credentials (email address and password) for LDAP authentication
--> Authentication fails
Because the session was created on OpenAM 1 (step 2) and HAProxy now routes the browser to OpenAM 2 (steps 3 and 4), OpenAM 2 does not own the session and cross-talks to OpenAM 1.
Access log of Tomcat from OpenAM 2:
cross-talk happens to OpenAM 1:
Submit of credentials to OpenAM 2:
results in cross-talk to OpenAM 1:
The root cause of the failing authentication is that the cross-talk request neither carries the original HTTP Host header (which OpenAM needs to map a DNS alias to its realm) nor appends the realm parameter, so OpenAM 1 has no way to identify the sub-realm.
Result: authentication happens in the default realm and not in the sub-realm.
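The following is an added example, not OpenAM or ForgeRock code. It models the two realm-resolution rules the report relies on (explicit realm parameter, otherwise DNS alias taken from the Host header, otherwise the root realm), the cross-talk forward as observed (Host replaced, no realm parameter appended), and a corrected forward that preserves both. The host names, the realm name "/sub" and the DNS-alias table are constructed; real OpenAM applies further rules (realm in the path, domain cookies) that are not modelled here.

```python
# Added example (not OpenAM/ForgeRock code): model of realm resolution under
# session cross-talk, reproducing the report's failure and a corrected forward.
# Host names, realm names and the DNS-alias table below are constructed.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode

ROOT_REALM = "/"

# Constructed DNS-alias table (FQDN -> realm). Per the report, the primary
# site FQDN was moved from the default realm to the sub-realm.
DNS_ALIASES = {"sso.example.com": "/sub"}


@dataclass(frozen=True)
class Request:
    """Minimal HTTP request model: where it is sent and what it carries."""
    target: str   # server the TCP connection goes to, e.g. "openam1.internal:8080"
    host: str     # value of the HTTP Host header
    path: str     # request path, e.g. "/openam/UI/Login"
    query: str    # raw query string, may be empty


def resolve_realm(req: Request, aliases=DNS_ALIASES) -> str:
    """Realm a server would use for this request (assumed order, see lead-in).

    Explicit ``realm`` query parameter first, then a DNS alias matching the
    Host header with any port stripped, then the root realm.
    """
    params = parse_qs(req.query)
    if params.get("realm"):
        return params["realm"][0]
    hostname = req.host.split(":", 1)[0]
    return aliases.get(hostname, ROOT_REALM)


def broken_crosstalk(req: Request, peer: str) -> Request:
    """Forward as the report observed: Host replaced by the peer, realm dropped."""
    return Request(target=peer, host=peer, path=req.path, query="")


def fixed_crosstalk(req: Request, peer: str, aliases=DNS_ALIASES) -> Request:
    """Forward that keeps the original Host header and pins the resolved realm."""
    params = parse_qs(req.query)
    params["realm"] = [resolve_realm(req, aliases)]
    return Request(target=peer, host=req.host, path=req.path,
                   query=urlencode(params, doseq=True))


def preserves_realm_context(original: Request, forwarded: Request) -> bool:
    """Check a practitioner can apply: does the forward land in the same realm?"""
    return resolve_realm(original) == resolve_realm(forwarded)


def reproduce():
    """Walk the report's scenario; returns (direct, broken, fixed) realms."""
    # Step 4: browser -> HAProxy -> OpenAM 2 via PRIMARY_SITE_URL/UI/Login.
    original = Request(target="openam2.internal:8080", host="sso.example.com",
                       path="/openam/UI/Login", query="")
    # OpenAM 2 does not own the session, so it cross-talks to OpenAM 1.
    broken = broken_crosstalk(original, "openam1.internal:8080")
    fixed = fixed_crosstalk(original, "openam1.internal:8080")
    return (resolve_realm(original), resolve_realm(broken), resolve_realm(fixed))


if __name__ == "__main__":
    direct, broken, fixed = reproduce()
    print(f"direct request realm:    {direct}")
    print(f"broken cross-talk realm: {broken}")
    print(f"fixed cross-talk realm:  {fixed}")
```

Running the module prints "/sub" for the direct request, "/" for the forward as observed in the report, and "/sub" once the Host header is kept and the realm parameter appended; preserves_realm_context() is the same comparison as a one-line check for any pair of original and forwarded requests.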