IG 2023.2

Prepare to install

Requirements

Make sure your installation meets the requirements in the release notes.

Create an IG service account

To limit the impact of a security breach, install and run IG from a dedicated service account. This is optional when you are evaluating IG, but essential in production installations.

An attacker who compromises IG is constrained by the rights granted to the user account IG runs as; therefore, never run IG as the root user.

  1. In a terminal window, use a command similar to the following to create a service account:

    • Linux

      $ sudo /usr/sbin/useradd \
      --create-home \
      --comment "Account for running IG" \
      --shell /bin/bash IG

    • Windows

      > net user username password /add /comment:"Account for running IG"

  2. Apply the principle of least privilege to the account, for example:

    • Read/write permissions on the installation directory, /path/to/identity-gateway.

    • Execute permissions on the scripts in the installation bin directory, /path/to/identity-gateway/bin.
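The following script is an added example and is not part of the ForgeRock IG documentation. It applies the two least-privilege rules above to an installation directory (owner read/write everywhere, execute only on the scripts in bin, no world access) and then verifies them, so the check can be repeated after upgrades. The directory and account name are passed as arguments; the page's placeholders /path/to/identity-gateway and IG are used in the usage comment.

```shell
#!/bin/sh
# Added example, not from the IG docs: harden and verify the permissions of
# an IG installation directory for a dedicated service account.
set -eu

# is_root_uid UID: true when UID is 0. Call it with "$(id -u)" from whatever
# wrapper starts IG so that the wrapper refuses to run IG as root.
is_root_uid() {
  [ "$1" -eq 0 ]
}

# apply_least_privilege DIR OWNER: make OWNER own the installation, give
# directories mode 750 and files mode 640 (owner read/write, group read,
# nothing for others), then make the scripts in DIR/bin executable by the
# owner. Changing the owner normally requires root.
apply_least_privilege() {
  dir="$1"; owner="$2"
  chown -R "$owner" "$dir"
  find "$dir" -type d -exec chmod 750 {} +
  find "$dir" -type f -exec chmod 640 {} +
  find "$dir/bin" -type f -exec chmod 750 {} +
}

# verify_least_privilege DIR: list world-writable entries under DIR and
# non-executable files in DIR/bin on stderr; return 1 if either is found.
verify_least_privilege() {
  dir="$1"; bad=0
  if find "$dir" -perm -002 | grep -q .; then
    echo "world-writable entries under $dir:" >&2
    find "$dir" -perm -002 >&2
    bad=1
  fi
  if find "$dir/bin" -type f ! -perm -100 | grep -q .; then
    echo "non-executable files in $dir/bin:" >&2
    find "$dir/bin" -type f ! -perm -100 >&2
    bad=1
  fi
  return "$bad"
}

# Usage (as an administrator): sh harden-ig.sh /path/to/identity-gateway IG
if [ "$#" -ge 2 ]; then
  apply_least_privilege "$1" "$2"
  verify_least_privilege "$1"
fi
```

Run the hardening step once as an administrator after unpacking IG, and keep the verify function in a start wrapper or a configuration check together with the is_root_uid test, so that a permissions regression or an accidental start as root is caught before IG serves traffic.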

Prepare the network

Configure name resolution so that the example hosts used in this documentation resolve.

  1. Add the following entry to your hosts file:

    • Linux: /etc/hosts

    • Windows: %SystemRoot%\system32\drivers\etc\hosts

    127.0.0.1  localhost ig.example.com app.example.com am.example.com

    For more information about hosts files, refer to the Wikipedia entry, Hosts (file).
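The following is an added example and is not part of the IG documentation. It adds the loopback entry above idempotently, so re-running a setup script never duplicates the line, and it confirms that each name is actually mapped before IG is started. The hosts file path is a parameter (an assumption made so the function can be run against a copy rather than the real /etc/hosts); the three hostnames are the ones from this page.

```shell
#!/bin/sh
# Added example, not from the IG docs: idempotently add the IG, app and AM
# hostnames to a hosts file and verify that each one is mapped to 127.0.0.1.
set -eu

# Hostnames used throughout the IG documentation.
IG_HOSTS="ig.example.com app.example.com am.example.com"

# hosts_resolves FILE IP NAME: true if a non-comment line in FILE maps NAME
# to IP (IP in the first field, NAME in any later field).
hosts_resolves() {
  file="$1"; ip="$2"; name="$3"
  awk -v ip="$ip" -v name="$name" '
    /^[[:space:]]*#/ { next }
    $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) { found = 1; exit } }
    END { exit found ? 0 : 1 }
  ' "$file"
}

# ensure_hosts_entry FILE IP NAME...: append one "IP NAME..." line containing
# only the names that FILE does not already map to IP. Writing to the real
# hosts file requires administrator rights.
ensure_hosts_entry() {
  file="$1"; ip="$2"; shift 2
  missing=""
  for name in "$@"; do
    if ! hosts_resolves "$file" "$ip" "$name"; then
      missing="$missing $name"
    fi
  done
  if [ -n "$missing" ]; then
    printf '%s %s\n' "$ip" "${missing# }" >> "$file"
  fi
}

# Usage: sh ig-hosts.sh /etc/hosts   (the file path is the only argument)
if [ "$#" -ge 1 ]; then
  ensure_hosts_entry "$1" 127.0.0.1 $IG_HOSTS
  for name in $IG_HOSTS; do
    hosts_resolves "$1" 127.0.0.1 "$name" || { echo "$name not mapped" >&2; exit 1; }
  done
fi
```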

Set up Identity Cloud and AM for use with IG

This section contains procedures for setting up items in ForgeRock Identity Cloud and AM that you can use with IG. For more information about setting up Identity Cloud, refer to the ForgeRock Identity Cloud Docs. For more information about setting up AM, refer to the Access Management docs.

Set up an IG agent

Set up an IG agent in Identity Cloud

This procedure sets up an agent that acts on behalf of IG. After the agent is authenticated, the token can be used to get the user profile, evaluate policies, and connect to the AM notification endpoint.

  1. Log in to the Identity Cloud admin UI as an administrator.

  2. Click Gateways & Agents > New Gateway/Agent > Identity Gateway > Next, and add an agent profile:

    • ID: agent-name

    • Password: agent-password

      Use secure passwords in a production environment. Consider using a password manager to generate secure passwords.
  3. Click Save Profile > Done. The agent profile page is displayed.

  4. To add a redirect URL for CDSSO, go to the agent profile page and add the URL.

  5. To change the introspection scope, click Native Consoles > Access Management, and update the agent in the AM admin UI. By default, the agent can introspect OAuth 2.0 tokens issued to any client, in the realm and subrealm where it is created.

Set up an IG agent in AM 7 and later

In AM 7 and later versions, follow these steps to set up an agent that acts on behalf of IG.

After the agent is authenticated, the token can be used to get the user profile, evaluate policies, and connect to the AM notification endpoint:

  1. In the AM admin UI, select the top-level realm, and then select Applications > Agents > Identity Gateway.

  2. Add an agent with the following values:

    • For SSO

    • For CDSSO

    • Agent ID : ig_agent

    • Password : password

Set up an IG agent in AM 6.5 and earlier

In AM 6.5 and earlier versions, follow these steps to set up an agent that acts on behalf of IG.

After the agent is authenticated, the token can be used to get the user profile, evaluate policies, and connect to the AM notification endpoint:

  1. In the AM admin UI, select the top-level realm, and then select Applications > Agents > Java (or J2EE).

  2. Add an agent with the following values:

    • For SSO:

      • Agent ID: ig_agent

      • Agent URL: http://ig.example.com:8080/agentapp

      • Server URL: http://am.example.com:8088/openam

      • Password: password

    • For CDSSO:

      • Agent ID: ig_agent_cdsso

      • Agent URL: http://ig.ext.com:8080/agentapp

      • Server URL: http://am.example.com:8088/openam

      • Password: password

  3. On the Global tab, deselect Agent Configuration Change Notification.

    This option stops IG from being notified about agent configuration changes in AM. IG doesn’t need these notifications.

  4. (For CDSSO) On the SSO tab, select the following values:

    • Cross Domain SSO: Deselect this option

    • CDSSO Redirect URI: /home/cdsso/redirect

  5. (For CDSSO and policy enforcement) On the SSO tab, select the following values:

    • Cross Domain SSO: Deselect this option

    • CDSSO Redirect URI: /home/pep-cdsso/redirect

Set up a demo user

Set up a demo user in Identity Cloud

This procedure sets up a demo user in the alpha realm.

  1. Log in to the Identity Cloud admin UI as an administrator.

  2. Go to Identities > Manage > Alpha realm - Users, and add a user with the following values:

    • Username: demo

    • First name: demo

    • Last name: user

    • Email Address: demo@example.com

    • Password: Ch4ng3!t

Set up a demo user in AM

AM is provided with a demo user in the top-level realm, with the following credentials:

  • ID/username: demo

  • Last name: user

  • Password: Ch4ng31t

  • Email address: demo@example.com

  • Employee number: 123

For information about how to manage identities in AM, refer to AM’s Identity stores.

Copyright © 2010-2023 ForgeRock, all rights reserved.