Cross-Domain Single Sign-On With the ForgeRock Identity Cloud
For organizations relying on AM's session and policy services with SSO, consider Cross-Domain Single Sign-On (CDSSO) as an alternative to SSO through OpenID Connect.
This example sets up ForgeRock Identity Cloud as an SSO authentication server for requests processed by Identity Gateway. For more information about Identity Gateway and CDSSO, see "Authenticating With CDSSO".
Before you start, prepare Identity Cloud, Identity Gateway, and the sample application as described in "Example Installation for This Guide".
Set up Identity Cloud:
Log in to the ForgeRock Identity Cloud as an administrator.
In the platform console, go to Identities > Manage > Alpha realm - Users, and add a new user with the following values:
Username: demo
First name: demo
Last name: user
Email Address: demo@example.com
Password: Ch4ng3!t
Make sure that you are managing the alpha realm. If not, click the current realm at the top of the screen, and switch realm.
Add an Identity Gateway agent:
Click Gateways & Agents, and add an agent profile with the following values:
ID: ig_agent_cdsso
Password: password
Redirect URLs: http://openig.ext.com:8080/home/cdsso/redirect
By default, the agent can introspect OAuth 2.0 tokens issued to any client, in the realm and subrealm where it is created. To change the introspection, click Native Consoles > Access Management, and update the agent in the AM console.
Set up Identity Gateway:
Set an environment variable for the IG agent password, and then restart IG:
$ export AGENT_SECRET_ID='cGFzc3dvcmQ='
The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.
Add the following route to IG, to serve .css and other static resources for the sample application:
$HOME/.openig/config/routes/static-resources.json
%appdata%\OpenIG\config\routes\static-resources.json
{
  "name": "sampleapp_resources",
  "baseURI": "http://app.example.com:8081",
  "condition": "${matches(request.uri.path,'^/css')}",
  "handler": "ReverseProxyHandler"
}
Add the following route to Identity Gateway, replacing the value for the property amInstanceUrl:
$HOME/.openig/config/routes/cdsso-idc.json
%appdata%\OpenIG\config\routes\cdsso-idc.json
{
  "name": "cdsso-idc",
  "baseURI": "http://app.example.com:8081",
  "condition": "${matches(request.uri.path, '^/home/cdsso')}",
  "properties": {
    "amInstanceUrl": "<myIdentityCloudUrl/am>"
  },
  "heap": [
    {
      "name": "SystemAndEnvSecretStore-1",
      "type": "SystemAndEnvSecretStore"
    },
    {
      "name": "AmService-1",
      "type": "AmService",
      "config": {
        "url": "&{amInstanceUrl}",
        "realm": "/alpha",
        "version": "7",
        "agent": {
          "username": "ig_agent_cdsso",
          "passwordSecretId": "agent.secret.id"
        },
        "secretsProvider": "SystemAndEnvSecretStore-1",
        "sessionCache": {
          "enabled": false
        }
      }
    }
  ],
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "name": "CrossDomainSingleSignOnFilter-1",
          "type": "CrossDomainSingleSignOnFilter",
          "config": {
            "redirectEndpoint": "/home/cdsso/redirect",
            "authCookie": {
              "path": "/home",
              "name": "ig-token-cookie"
            },
            "amService": "AmService-1",
            "verificationSecretId": "verify",
            "secretsProvider": {
              "type": "JwkSetSecretStore",
              "config": {
                "jwkUrl": "&{amInstanceUrl}/oauth2/realms/alpha/connect/jwk_uri"
              }
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
Notice the following features of the route compared to cdsso.json in "Set Up CDSSO", where Access Management is running locally:
The AmService URL points to Access Management in the Identity Cloud.
The AmService realm points to the realm where you configure your IG agent.
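As an added sanity check that is not part of the ForgeRock documentation or of IG itself, the following Python script lints a trimmed copy of the route above against the three settings this example depends on: the agent secret present in the environment as base64 under the variable name that SystemAndEnvSecretStore derives from agent.secret.id, the redirect endpoint matched by the route condition and registered in the agent profile's Redirect URLs, and the jwkUrl serving keys for the AmService realm. The secret-ID-to-variable-name rule and the load_route/secret_env_name/check_route helpers are assumptions of this example.

```python
import base64
import binascii
import json
import re

# Constructed, trimmed copy of this page's cdsso-idc route: only the fields checked below.
ROUTE_JSON = """{
  "condition": "${matches(request.uri.path, '^/home/cdsso')}",
  "heap": [{"name": "AmService-1", "type": "AmService", "config": {
    "url": "&{amInstanceUrl}", "realm": "/alpha",
    "agent": {"username": "ig_agent_cdsso", "passwordSecretId": "agent.secret.id"}}}],
  "handler": {"type": "Chain", "config": {"filters": [{
    "type": "CrossDomainSingleSignOnFilter", "config": {
      "redirectEndpoint": "/home/cdsso/redirect", "verificationSecretId": "verify",
      "secretsProvider": {"type": "JwkSetSecretStore", "config": {
        "jwkUrl": "&{amInstanceUrl}/oauth2/realms/alpha/connect/jwk_uri"}}}}]}}}"""
IG_BASE_URL = "http://openig.ext.com:8080"                                # IG host from the page
AGENT_REDIRECT_URLS = ["http://openig.ext.com:8080/home/cdsso/redirect"]  # agent profile on the page

def load_route():
    return json.loads(ROUTE_JSON)

def secret_env_name(secret_id):
    """Variable SystemAndEnvSecretStore reads for a secret ID (assumed rule): agent.secret.id -> AGENT_SECRET_ID."""
    return re.sub(r"[^A-Za-z0-9]", "_", secret_id).upper()

def check_route(route, env, agent_redirect_urls=AGENT_REDIRECT_URLS, ig_base_url=IG_BASE_URL):
    """Return the misconfigurations found; an empty list means every check passed."""
    findings = []
    am = next(h["config"] for h in route["heap"] if h["type"] == "AmService")
    cdsso = next(f["config"] for f in route["handler"]["config"]["filters"]
                 if f["type"] == "CrossDomainSingleSignOnFilter")
    # 1. The agent password must be set in the environment and base64-encoded (raw text is rejected).
    var = secret_env_name(am["agent"]["passwordSecretId"])
    try:
        base64.b64decode(env[var], validate=True)
    except (KeyError, binascii.Error):
        findings.append(f"{var} is missing or not valid base64")
    # 2. AM sends the browser back to redirectEndpoint: the route must match it and the agent must allow it.
    prefix = re.search(r"\^(/[^']*)'", route["condition"]).group(1)
    if not cdsso["redirectEndpoint"].startswith(prefix):
        findings.append("redirectEndpoint is outside the route condition path")
    if ig_base_url + cdsso["redirectEndpoint"] not in agent_redirect_urls:
        findings.append("redirectEndpoint is not registered on the agent profile")
    # 3. CDSSO tokens are verified with JWKs from the agent's realm; another realm's keys fail every token.
    realm = am["realm"].strip("/")
    if f"/oauth2/realms/{realm}/connect/jwk_uri" not in cdsso["secretsProvider"]["config"]["jwkUrl"]:
        findings.append(f"jwkUrl does not serve keys for realm {realm}")
    return findings
```

Run check_route(load_route(), dict(os.environ)) after exporting AGENT_SECRET_ID; an empty list means the route, the environment and the agent profile agree.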
Test the setup:
Go to http://openig.ext.com:8080/home/cdsso. The Identity Cloud login page is displayed.
Log in to Identity Cloud as user demo, password Ch4ng3!t.
Access Management calls /home/cdsso/redirect, and includes the CDSSO token. The CrossDomainSingleSignOnFilter passes the request to the sample app.