Gateway Guide

ForgeRock® Identity Platform serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.

IG integrates web applications, APIs, and microservices with the ForgeRock Identity Platform, without modifying the application or the container where they run. Based on reverse proxy architecture, IG enforces security and access control in conjunction with Access Management modules.

This guide is for access management designers and administrators who develop, build, deploy, and maintain IG for their organizations. It helps you to get started quickly, and learn more as you progress through the guide.

This guide assumes basic familiarity with the following topics:

Hypertext Transfer Protocol (HTTP), including how clients and servers exchange messages, and the role that a reverse proxy (gateway) plays
JavaScript Object Notation (JSON), which is the format for IG configuration files
Managing services on operating systems and application servers
Configuring network connections on operating systems
Managing Public Key Infrastructure (PKI) used to establish HTTPS connections
Access management for web applications

Depending on the features you use, you should also have basic familiarity with the following topics:

Lightweight Directory Access Protocol (LDAP) if you use IG with LDAP directory services
Structured Query Language (SQL) if you use IG with relational databases
Configuring AM if you use password capture and replay, or if you plan to follow the OAuth 2.0 or SAML 2.0 tutorials
The Groovy programming language if you plan to extend IG with scripts
The Java programming language if you plan to extend IG with plugins, and Apache Maven for building plugins

Example Installation for This Guide

Unless otherwise stated, the examples in this guide assume the following installation:

IG installed on http://openig.example.com:8080, as described in Downloading and Starting IG.
Sample application installed on http://openig.example.com:8081, as described in Downloading and Starting the Sample Application.
AM installed on http://openam.example.com:8088/openam, with the default configuration.

If you use a different configuration, substitute in the procedures accordingly.

Setting Up AM for the Examples

This section contains procedures for setting up items in AM that you can use in many of the tutorials in this guide. For more information about setting up AM, see the Access Management Docs.

Set Up an IG Agent in AM

In AM 7, follow these steps to set up an agent that acts on behalf of IG in the same domain. In AM 6.5 or earlier, follow the steps in Set Up an IG Agent in AM 6.5 and Earlier. After the agent is authenticated, the token can be used to get the user profile, evaluate policies, and to connect to the AM notification endpoint:

In the AM console, select the top-level realm, and then select Applications > Agents > Identity Gateway.
Add an agent with the following values:
- Agent ID : ig_agent
- Password : password

Set Up an IG Agent in AM 6.5 and Earlier

In AM 6.5 and earlier versions, follow these steps to set up an agent that acts on behalf of IG. After the agent is authenticated, the token can be used to get the user profile, evaluate policies, and to connect to the AM notification endpoint:

In the AM console, select the top-level realm, and then select Applications > Agents > Java (or J2EE ).
Add an agent with the following values:
- Agent ID : ig_agent for SSO, ig_agent_cdsso for CDSSO
- Agent URL : http://openig.example.com:8080/agentapp for SSO, http://openig.ext.com:8080/agentapp for CDSSO
- Server URL : http://openam.example.com:8088/openam
- Password : password
On the Global tab, deselect Agent Configuration Change Notification.

This option stops IG from being notified about agent configuration changes in AM, because they are not required by IG.
(For SSO in different domains) On the SSO tab, select the following values:
- Cross Domain SSO : Deselect this option
- CDSSO Redirect URI : /home/cdsso/redirect
(For enforcing AM policy decisions in different domains) On the SSO tab, select the following values:
- Cross Domain SSO : Deselect this option
- CDSSO Redirect URI : /home/pep-cdsso/redirect

Find the Name of Your AM Session Cookie

The procedures in this guide assume you are using the default AM session cookie, iPlanetDirectoryPro. If not, find your session cookie name, and substitute its value in the procedures.

In a terminal, access the AM serverinfo endpoint to find the session cookie name:

$ curl http://openam.example.com:8088/openam/json/serverinfo/*

...
"cookieName": "iPlanetDirectoryPro"

External Tools Used In This Guide

The examples in this guide use some of the following third-party tools:

curl: https://curl.haxx.se
HTTPie: https://httpie.org
jq: https://stedolan.github.io/jq/
keytool: https://docs.oracle.com/en/java/javase/11/tools/keytool.html

IG 7.1.2

Gateway Guide

Example Installation for This Guide

Setting Up AM for the Examples

External Tools Used In This Guide