Gateway guide
ForgeRock® Identity Platform serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.
IG integrates web applications, APIs, and microservices with the ForgeRock Identity Platform. Based on reverse proxy architecture, IG enforces security and access control in conjunction with Access Management modules.
This guide is for access management designers and administrators who develop, build, deploy, and maintain IG for their organizations. It helps you to get started quickly, and learn more as you progress through the guide.
This guide assumes basic familiarity with the following topics:
-
Hypertext Transfer Protocol (HTTP), including how clients and servers exchange messages, and the role that a reverse proxy (gateway) plays
-
JavaScript Object Notation (JSON), which is the format for IG configuration files
-
Managing services on operating systems and application servers
-
Configuring network connections on operating systems
-
Managing Public Key Infrastructure (PKI) used to establish HTTPS connections
-
Access management for web applications
Depending on the features you use, you should also have basic familiarity with the following topics:
-
Lightweight Directory Access Protocol (LDAP) if you use IG with LDAP directory services
-
Structured Query Language (SQL) if you use IG with relational databases
-
Configuring AM if you use password capture and replay, or if you plan to follow the OAuth 2.0 or SAML 2.0 tutorials
-
The Groovy programming language if you plan to extend IG with scripts
-
The Java programming language if you plan to extend IG with plugins, and Apache Maven for building plugins
Example installation for this guide
Unless otherwise stated, the examples in this guide assume the following installation:
-
IG accessible on
http://ig.example.com:8080andhttps://ig.example.com:8443, as described in Downloading, starting, and stopping IG. -
Sample application installed on http://app.example.com:8081, as described in Using the sample application.
-
AM installed on http://am.example.com:8088/openam, with the default configuration.
If you use a different configuration, substitute in the procedures accordingly.
Set up Identity Cloud and AM for use with IG
This section contains procedures for setting up items in ForgeRock Identity Cloud and AM that you can use with IG. For more information about setting up Identity Cloud, refer to the ForgeRock Identity Cloud Docs. For more information about setting up AM, refer to the Access Management docs.
Set up an IG agent
Set up an IG agent in Identity Cloud
This procedure sets up an agent that acts on behalf of IG. After the agent is authenticated, the token can be used to get the user profile, evaluate policies, and connect to the AM notification endpoint.
-
Log in to the Identity Cloud admin UI as an administrator.
-
Click verified_user Gateways & Agents > New Gateway/Agent > Identity Gateway > Next, and add an agent profile:
-
ID: agent-name
-
Password: agent-password
Use secure passwords in a production environment. Consider using a password manager to generate secure passwords.
-
-
Click Save Profile > Done. The agent profile page is displayed.
-
To add a redirect URL for CDSSO, go to the agent profile page and add the URL.
-
To change the introspection scope, click open_in_new Native Consoles > Access Management, and update the agent in the AM admin UI. By default, the agent can introspect OAuth 2.0 tokens issued to any client, in the realm and subrealm where it is created.
Set up an IG agent in AM 7 and later
In AM 7 and later versions, follow these steps to set up an agent that acts on behalf of IG.
After the agent is authenticated, the token can be used to get the user profile, evaluate policies, and connect to the AM notification endpoint:
-
In the AM admin UI, select the top-level realm, and then select Applications > Agents > Identity Gateway.
-
Add an agent with the following values:
-
Agent ID :
ig_agent -
Password :
password
-
Agent ID :
ig_agent -
Password :
password -
Redirect URL for CDSSO :
https://ig.ext.com:8443/home/cdsso/redirect
-
Set up an IG agent in AM 6.5 and earlier
In AM 6.5 and earlier versions, follow these steps to set up an agent that acts on behalf of IG.
After the agent is authenticated, the token can be used to get the user profile, evaluate policies, and connect to the AM notification endpoint:
-
In the AM admin UI, select the top-level realm, and then select Applications > Agents > Java (or J2EE ).
-
Add an agent with the following values:
-
On the Global tab, deselect Agent Configuration Change Notification.
This option stops IG from being notified about agent configuration changes in AM. IG doesn’t need these notifications.
-
(For CDSSO) On the SSO tab, select the following values:
-
Cross Domain SSO : Deselect this option
-
CDSSO Redirect URI :
/home/cdsso/redirect
-
-
(For CDSSO and policy enforcement) On the SSO tab, select the following values:
-
Cross Domain SSO : Deselect this option
-
CDSSO Redirect URI :
/home/pep-cdsso/redirect
-
Set up a demo user
Set up a demo user in Identity Cloud
This procedure sets up a demo user in the alpha realm.
-
Log in to the Identity Cloud admin UI as an administrator.
-
Go to group Identities > Manage > settings_system_daydream Alpha realm - Users, and add a user with the following values:
-
Username:
demo -
First name:
demo -
Last name:
user -
Email Address:
demo@example.com -
Password:
Ch4ng3!t
-
Set up a demo user in AM
AM is provided with a demo user in the top-level realm, with the following credentials:
-
ID/username:
demo -
Last name:
user -
Password:
Ch4ng31t -
Email address:
demo@example.com -
Employee number:
123
For information about how to manage identities in AM, refer to AM’s Identity stores.