Prepare to install

Requirements

Make sure your installation meets the requirements in the release notes.

Create an IG service account

To limit the impact of a security breach, install and run IG from a dedicated service account. This is optional when you are evaluating IG, but essential in production installations.

A hacker is constrained by the rights granted to the user account where IG runs; therefore, never run IG as root user.

In a terminal window, use a command similar to the following to create a service account:

Linux
Windows

$ sudo /usr/sbin/useradd \
--create-home \
--comment "Account for running IG" \
--shell /bin/bash IG

> net user username password /add /comment:"Account for running IG"

Apply the principle of least privilege to the account, for example:
- Read/write permissions on the installation directory, /path/to/identity-gateway.
- Execute permissions on the scripts in the installation bin directory, /path/to/identity-gateway/bin.

Prepare the network

Configure the network to include the hosts.

Add the following additional entry to your host file:
- Linux
- Windows
/etc/hosts
%SystemRoot%\system32\drivers\etc\hosts
```
127.0.0.1  localhost ig.example.com app.example.com am.example.com
```
For more information about host files, refer to the Wikipedia entry, Hosts (file).

Set up Identity Cloud and AM for use with IG

This section contains procedures for setting up items in ForgeRock Identity Cloud and AM that you can use with IG. For more information about setting up Identity Cloud, refer to the ForgeRock Identity Cloud Docs. For more information about setting up AM, refer to the Access Management docs.

Set up an IG agent

Set up an IG agent in Identity Cloud

This procedure sets up an agent that acts on behalf of IG. After the agent is authenticated, the token can be used to get the user profile, evaluate policies, and connect to the AM notification endpoint.

Log in to the Identity Cloud admin UI as an administrator.
Click Gateways & Agents > New Gateway/Agent > Identity Gateway > Next, and add an agent profile:
- ID: agent-name
- Password: agent-password
  
  Use secure passwords in a production environment. Consider using a password manager to generate secure passwords.
Click Save Profile > Done. The agent profile page is displayed.
To add a redirect URL for CDSSO, go to the agent profile page and add the URL.
To change the introspection scope, click Native Consoles > Access Management, and update the agent in the AM admin UI. By default, the agent can introspect OAuth 2.0 tokens issued to any client, in the realm and subrealm where it is created.

Set up an IG agent in AM 7 and later

In AM 7 and later versions, follow these steps to set up an agent that acts on behalf of IG.

After the agent is authenticated, the token can be used to get the user profile, evaluate policies, and connect to the AM notification endpoint:

In the AM admin UI, select the top-level realm, and then select Applications > Agents > Identity Gateway.
Add an agent with the following values:
- For SSO
- For CDSSO
Agent ID : ig_agent

Password : password
Agent ID : ig_agent

Password : password

Redirect URL for CDSSO : https://ig.ext.com:8443/home/cdsso/redirect

Set up an IG agent in AM 6.5 and earlier

In AM 6.5 and earlier versions, follow these steps to set up an agent that acts on behalf of IG.

After the agent is authenticated, the token can be used to get the user profile, evaluate policies, and connect to the AM notification endpoint:

In the AM admin UI, select the top-level realm, and then select Applications > Agents > Java (or J2EE ).
Add an agent with the following values:
- For SSO
- For CDSSO
Agent ID : ig_agent

Agent URL : http://ig.example.com:8080/agentapp

Server URL : http://am.example.com:8088/openam

Password : password
Agent ID : ig_agent_cdsso

Agent URL : http://ig.ext.com:8080/agentapp

Server URL : http://am.example.com:8088/openam

Password : password
On the Global tab, deselect Agent Configuration Change Notification.

This option stops IG from being notified about agent configuration changes in AM. IG doesn’t need these notifications.
(For CDSSO) On the SSO tab, select the following values:
- Cross Domain SSO : Deselect this option
- CDSSO Redirect URI : /home/cdsso/redirect
(For CDSSO and policy enforcement) On the SSO tab, select the following values:
- Cross Domain SSO : Deselect this option
- CDSSO Redirect URI : /home/pep-cdsso/redirect

Set up a demo user

Set up a demo user in Identity Cloud

This procedure sets up a demo user in the alpha realm.

Log in to the Identity Cloud admin UI as an administrator.
Go to Identities > Manage > Alpha realm - Users, and add a user with the following values:
- Username: demo
- First name: demo
- Last name: user
- Email Address: demo@example.com
- Password: Ch4ng3!t

Set up a demo user in AM

AM is provided with a demo user in the top-level realm, with the following credentials:

ID/username: demo
Last name: user
Password: Ch4ng31t
Email address: demo@example.com
Employee number: 123

For information about how to manage identities in AM, refer to AM’s Identity stores.

IG 2023.2