Multiple ADs and camNamespaces in instances.json

We are trying to set up two Active Directories (AD) connected to a single UX webapp. In instances.json, listing the two ADs after the “camNamespaces” parameter doesn’t seem to work. Even though both ADs show up in the dropdown on the login screen, selecting the second AD defaults back to the first namespace, and authentication occurs on the first namespace.

Does anyone know if this parameter supports multiple ADs? If not, are there any alternative methods to link one webapp to multiple ADs for authentication? Thanks!

If you are using a Multiple Forests AD topology, at this time authentication across multiple Active Directory forests is supported, but Single Sign-On is not possible. We had a similar situation with a customer and this was the feedback received from IBM.

Thanks for posting Wei.

To add additional context, we are utilizing multiple namespaces to authenticate users from the domain and also sub-domains - e.g. companyname.com and country.companyname.com. We are not spanning domain forests, nor are we utilizing SSO…just plain and simple CAM Mode 5 with AD, and native TM1 groups.

Prior to seeing this issue, I assumed that UX had the ability to authenticate against a user-selectable CAM Namespace, just like the other interfaces. If not, I would like to understand how best to proceed to minimize performance impacts.

As far as workarounds, we’ve tried a couple things:

  1. Set up a single AD namespace pointing to the root domain controller. Utilize “chaseReferrals” so users in the child domains can log in. Testing thus far has shown significant performance impacts at login. It can take up to a minute to authenticate users. Performance is as expected without chaseReferrals, but then we face the problem of users in sub-domains being unable to log in.

  2. Set up multiple namespaces in CAM pointing to each domain controller within the domain and sub-domains. Duplicate the original webapp in UX, pointing to each namespace in the instances.json file. Performance is much better vs. option 1, but it is unnecessary overhead having multiple webapps and different links per user.

Long term we will move to Azure AD, but we’re not quite there yet.

@galvarez, thanks for your help! Since we do not need SSO at the moment, do you know the proper syntax in the Apliqo/Canvas instances.json to connect to multiple ADs? We had tried delimiting the two ADs with a comma in camNamespaces but that didn’t seem to work. Are there any other configuration options that need to be added?

Hello @wwang, we have not used multiple namespaces before; our scenario was multiple AD. Anyway, I think the right one to answer this is the Apliqo UX team.