IG 7.1.2

Cross-Domain Single Sign-On With the ForgeRock Identity Cloud

For organizations relying on AM’s session and policy services with SSO, consider cross-Domain Single Sign-On (CDSSO) as an alternative to SSO through OpenID Connect.

This example sets up ForgeRock Identity Cloud as an SSO authentication server for requests processed by Identity Gateway. For more information about about Identity Gateway and CDSSO, see Authenticate With CDSSO.

Before you start, prepare AM, IG, and the sample application, as described in Download and Start IG in Standalone Mode.

  1. Set up Identity Cloud:

    1. Log in to the ForgeRock Identity Cloud as an administrator.

    2. In the platform console, go to Identities > Manage > Alpha realm - Users, and add a new user with the following values:

      • Username : demo

      • First name : demo

      • Last name : user

      • Email Address : demo@example.com

      • Password : Ch4ng3!t

    3. Make sure that you are managing the alpha realm. If not, click the current realm at the top of the screen, and switch realm.

    4. Select Applications > Agents > Identity Gateway, add an agent with the following values:

      • Agent ID: ig_agent_cdsso

      • Password: password

      • Redirect URL for CDSSO: https://openig.ext.com:8443/home/cdsso/redirect

  2. Set up Identity Gateway:

    1. Set up IG for HTTPS, as described in Configure IG For HTTPS (Server-Side) in Standalone Mode.

    2. Add the following session configuration to admin.json, to ensure that the browser passes the session cookie in the form-POST to the redirect endpoint (step 6 of Information Flow During CDSSO):

        "connectors": […​],
        "session": {
          "cookie": {
            "sameSite": "none",
            "secure": true
        "heap": […​]

      This step is required for the following reasons:

      • When sameSite is strict or lax, the browser rejects the session cookie, which contains the nonce used in validation. If IG doesn’t find the nonce, it assumes that it didn’t originate the authorization request.

      • When secure is false, the browser is likely to reject the session cookie.

        For more information, see admin.json.

    3. Set an environment variable for the IG agent password, and then restart IG:

      $ export AGENT_SECRET_ID='cGFzc3dvcmQ='

      The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.

    4. Add the following route to IG, to serve .css and other static resources for the sample application:

      • Linux

      • Windows

        "name" : "sampleapp-resources",
        "baseURI" : "http://app.example.com:8081",
        "condition": "${find(request.uri.path,'^/css')}",
        "handler": "ReverseProxyHandler"
    5. Add the following route to Identity Gateway, replacing the value for the property amInstanceUrl:

      • Linux

      • Windows

        "name": "cdsso-idc",
        "baseURI": "http://app.example.com:8081",
        "condition": "${find(request.uri.path, '^/home/cdsso')}",
        "properties": {
          "amInstanceUrl": "<myIdentityCloudUrl/am>"
        "heap": [
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "url": "&{amInstanceUrl}",
              "realm": "/alpha",
              "version": "7.1",
              "agent": {
                "username": "ig_agent_cdsso",
                "passwordSecretId": "agent.secret.id"
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "sessionCache": {
                "enabled": false
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
                "name": "CrossDomainSingleSignOnFilter-1",
                "type": "CrossDomainSingleSignOnFilter",
                "config": {
                  "redirectEndpoint": "/home/cdsso/redirect",
                  "authCookie": {
                    "path": "/home",
                    "name": "ig-token-cookie"
                  "amService": "AmService-1",
                  "verificationSecretId": "verify",
                  "secretsProvider": {
                    "type": "JwkSetSecretStore",
                    "config": {
                      "jwkUrl": "&{amInstanceUrl}/oauth2/realms/alpha/connect/jwk_uri"
            "handler": "ReverseProxyHandler"

      Notice the following features of the route compared to cdsso.json in gateway-guide:sso.adoc#proc-cdsso, where Access Management is running locally:

      • The AmService URL points to Access Management in the Identity Cloud.

      • The AmService realm points to the realm where you configure your IG agent.

  3. Test the setup:

    1. Go to https://openig.ext.com:8443/home/cdsso. The Identity Cloud login page is displayed.

      If you see warnings that the site is not secure, respond to the warnings to access the site.

    2. Log in to Identity Cloud as user demo, password Ch4ng3!t.

      Access Management calls /home/cdsso/redirect, and includes the CDSSO token. The CrossDomainSingleSignOnFilter passes the request to sample app.

Copyright © 2010-2023 ForgeRock, all rights reserved.