Requirements
Important
ForgeRock supports customers using the versions specified here. Other versions and alternative environments might work as well. When opening a support ticket for an issue, however, make sure you can also reproduce the problem on a combination covered here.
Downloads
Download the following product software from the ForgeRock BackStage download site:
IG-7.0.2.zip
: For deployment in standalone modeIG-7.0.2.war
: For deployment in web container modeIG-sample-application-7.0.2.jar
: Web application for testing IG configurations
For information about using the Docker image provided with the product software, see the Deployment Guide.
Operating Systems
IG is tested on Windows and Linux operating systems.
Web Application Containers
In web container mode, IG runs in the following containers:
Apache Tomcat 9
Jetty 9
JBoss EAP 7.3
Deploy IG to the root context of a container. Deployment in other contexts causes unexpected results, and is not supported.
Java
IG supports the following Java environments:
Vendor | Versions |
---|---|
OpenJDK, including OpenJDK-based distributions:
ForgeRock tests most extensively with AdoptOpenJDK/Eclipse Adoptium. | 11 |
Oracle Java | 11 |
ForgeRock recommends that you keep your Java installation up-to-date with the latest security fixes.
FQDNs
IG replication requires use of fully qualified domain names (FQDNs), such as openig.example.com
.
Hostnames like example.com
are acceptable for evaluation. In production, and when using replication across systems, you must either ensure DNS is set up correctly to provide FQDNs, or update the hosts file (/etc/hosts
or C:\Windows\System32\drivers\etc\hosts
) to supply unique, FQDNs.
Certificates
For secure network communications with client applications that you do not control, install a properly signed digital certificate that your client applications recognize, such as one that works with your organization's PKI, or one signed by a recognized CA.
To use the certificate during installation, the certificate must be located in a file-based keystore supported by the JVM (JKS, JCEKS, PKCS#12), or on a PKCS#11 token. To import a signed certificate into the server keystore, use the Java keytool command.
Third-Party Software for Encryption
Bouncy Castle is required for signature encryption with RSASSA-PSS or Deterministic ECDSA. For information, see The Legion of the Bouncy Castle.
Third-Party Software
ForgeRock provides support for using the following third-party software when logging ForgeRock Common Audit events:
Software | Version |
---|---|
Java Message Service (JMS) | 2.0 API |
MySQL JDBC Driver Connector/J | 8 (at least 8.0.19) |
Splunk | 8.0 (at least 8.0.2) |
Tip
Elasticsearch and Splunk have native or third-party tools to collect, transform, and route logs. Examples include Logstash and Fluentd.
ForgeRock recommends that you consider these alternatives. These tools have advanced, specialized features focused on getting log data into the target system. They decouple the solution from the ForgeRock Identity Platform systems and version, and provide inherent persistence and reliability. You can configure the tools to avoid losing audit messages if a ForgeRock Identity Platform service goes offline, or delivery issues occur.
These tools can work with ForgeRock Common Audit logging:
Configure the server to log messages to standard output, and route from there.
Configure the server to log to files, and use log collection and routing for the log files.
ForgeRock provides support for using the following third-party software when monitoring ForgeRock servers:
Software | Version |
---|---|
Grafana | 5 (at least 5.0.2) |
Graphite | 1 |
Prometheus | 2.0 |
For hardware security module (HSM) support, ForgeRock software requires a client library that conforms to the PKCS#11 standard v2.20 or later.
Studio Browser
ForgeRock has tested many browsers with Studio, including:
Chrome, latest stable version
Firefox, latest stable version
Features Using ForgeRock Access Management
Feature | Supported in AM Version |
---|---|
Support for refresh of idle sessions when the SingleSignOnFilter is used for authentication with AM. For more information, see the | AM 6.5.3 and later versions. |
Eviction of revoked OAuth 2.0 access_tokens from the cache. For more information, see "CacheAccessTokenResolver", and the | AM 6.5.3 and later versions. |
Support for OAuth 2.0 Mutual TLS (mTLS). For more information, see "ConfirmationKeyVerifierAccessTokenResolver", and "Validating Certificate-Bound Access Tokens". | AM 6.5.1 and later versions. |
Eviction of entries from the AmService | AM 5.5 when the user manually whitelists the |
AM password capture and replay, as described in Getting Login Credentials From AM. | AM 5 and later versions, and AM 6 and later versions when the |
AM policy enforcement, as described in Enforcing Policy Decisions From AM. | AM 5 and later versions |
OpenID Connect dynamic registration and discovery, as described in "Discovering and Dynamically Registering With OpenID Connect Providers". | OpenAM 13.5, and AM 5 and later versions |
Token transformation, as described in Transforming OpenID Connect ID Tokens Into SAML Assertions. | OpenAM 13.5, and AM 5 and later versions |
User Managed Access 2.x, for IG 5.5, as described in Supporting UMA Resource Servers. | AM 5.5 and later versions |
User Managed Access 1.x, for IG 5 and earlier versions. | AM 5.1 and earlier versions |
Single sign-on, as described in Single Sign-On and Cross-Domain Single Sign-On. | AM 5 and later versions |
Cross-domain single sign-on, as described in "Authenticating With CDSSO". | AM 5.5 and later versions |
Capture and storage of AM session information, as described in "SessionInfoFilter". | AM 6 and later versions |
Capture and storage of AM user profile attributes, as described in "UserProfileFilter". | AM 5 and later |
Support for transactional authorization, as described in Hardening Authorization With Advice From AM. | AM 5.5 and later versions |
Validation of stateless access_tokens, as described in "Validating Stateless Access_Tokens With the StatelessAccessTokenResolver". | OpenAM 13.5, and AM 5 and later versions |
Retrieval of specified session properties or all session properties from AM, without relying on AM's Session Properties Whitelist. Described in "AmService". | AM 5.1.2 and later versions |