2.3 Subdomain and TLS
Outcome
The customer's tenant subdomain (e.g. acme.rcm.medsuite.com) resolves and serves the
RCM tenant UI over HTTPS.
Prerequisites
- 2.2 Provision tenant complete.
- Phase 1.6 wildcard *.rcm.medsuite.com configured.
How tenant subdomains work
If you set up a wildcard *.rcm.medsuite.com in Phase 1.6, no DNS changes are
required per tenant — the wildcard handles it automatically. The frontend reads
window.location.host, splits the slug from the host, and resolves the tenant via
/api/v1/auth/tenant?slug=<slug> on first paint.
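
The slug extraction described above, as an added example (not the RCM frontend's own code; the function and constant names are hypothetical). With a wildcard record every label under rcm.medsuite.com reaches the frontend, so the sketch treats the host as untrusted input and accepts only a single well-formed label before building the lookup path.

```javascript
// Added example: names below are hypothetical, not the RCM frontend's own code.
const BASE_DOMAIN = "rcm.medsuite.com";
// One DNS label: 1-63 chars, lowercase alphanumerics and hyphens,
// no leading or trailing hyphen.
const SLUG_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Returns the tenant slug for a host such as "acme.rcm.medsuite.com:443",
// or null when the host is not exactly <slug>.<BASE_DOMAIN>.
function tenantSlugFromHost(host, baseDomain = BASE_DOMAIN) {
  if (typeof host !== "string") return null;
  // window.location.host may carry a port; drop it and any trailing root dot.
  const name = host.toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
  const suffix = "." + baseDomain;
  if (!name.endsWith(suffix)) return null; // apex or foreign domain
  const slug = name.slice(0, -suffix.length);
  // Reject nested labels (a.b.rcm...) and anything outside the label charset.
  return SLUG_RE.test(slug) ? slug : null;
}

// Builds the lookup path named on this page. The slug is URL-encoded even
// though SLUG_RE already limits it, so the two checks fail independently.
function tenantLookupPath(host) {
  const slug = tenantSlugFromHost(host);
  return slug === null
    ? null
    : "/api/v1/auth/tenant?slug=" + encodeURIComponent(slug);
}

// Constructed sample hosts (in the browser, pass window.location.host).
const samples = [
  "acme.rcm.medsuite.com",
  "ACME.rcm.medsuite.com:443",
  "rcm.medsuite.com",
  "a.b.rcm.medsuite.com",
  "acme.rcm.medsuite.com.example.net",
  "-bad.rcm.medsuite.com",
];
for (const h of samples) console.log(h, "->", tenantLookupPath(h));
```

The tenant API still has to validate the slug on its side; this client-side check only keeps malformed hosts from producing a lookup request.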
If you opted for per-tenant DNS records (e.g. enterprise customers wanting their own host certs), follow the steps below.
Steps (per-tenant DNS path)
1. Add a CNAME (in your DNS provider):

   | Hostname | Type | Target |
   |---|---|---|
   | acme.rcm.medsuite.com | CNAME | Front Door endpoint |

2. Bind the custom hostname:

   ```bash
   az afd custom-domain create \
     --resource-group rg-rcm-prod-eastus2 \
     --profile-name fd-rcm-prod \
     --custom-domain-name acme-rcm \
     --host-name acme.rcm.medsuite.com \
     --certificate-type ManagedCertificate \
     --minimum-tls-version TLS12
   ```

3. Wait for cert validation (5–30 min):

   ```bash
   az afd custom-domain show \
     --resource-group rg-rcm-prod-eastus2 \
     --profile-name fd-rcm-prod \
     --custom-domain-name acme-rcm \
     --query "{state:provisioningState, status:domainValidationState}"
   ```

   Both should be Succeeded/Approved.
Validation
| Check | Expected |
|---|---|
| dig acme.rcm.medsuite.com | Resolves |
| curl -fsSL https://acme.rcm.medsuite.com | 200 (login page) |
| Cert valid | openssl s_client … shows non-expired chain |
| Login redirects to tenant context | URL contains ?tenantSlug=acme post-login |
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Cert never validates | DNS still propagating | Allow up to 4 hours. |
| 404 on subdomain | Front Door route not matching | Confirm the wildcard route from Phase 1.6 step 4 is in place. |
| App loads but says "Tenant not found" | Slug mismatch | SELECT slug FROM identity.tenant WHERE slug = 'acme';. |