ForgeRock Identity Gateway


Limitations are inherent to the design, not bugs to be fixed.

Limitations introduced in IG 2023.2

No additional limitations were introduced in this release.

Limitations introduced in IG 7.2

No additional limitations were introduced in this release.

Limitations introduced in IG 7.1

Pre-existing fragment cookie overwrites the current fragment cookie during authentication

When a user has a pre-existing fragment cookie during authentication, for example, from a previous, incomplete authentication attempt, the pre-existing fragment overwrites the current fragment.

To minimize the impact of this limitation, the FragmentFilter cookie has a new property maxAge to configure the maximum duration for which it can remain valid.

IG must be configured for streaming to process files bigger than 2 GB

IG requires the following configuration to process files bigger than 2 GB and Server-Sent Events:

admin.json property streamingEnabled set to true.

Limitations introduced in IG 7

Host information not forwarded for HTTP/2 requests

When IG is acting as a reverse proxy, and receives HTTP/2 requests, it does not forward the host information provided in the HTTP/2 pseudo-header :authority: to the protected application.

If the protected application is using the HTTP/1 Host header or HTTP/2 :authority: pseudo-header to route requests, an error occurs.

Multiple spaces in unquoted cookie values are changed to a single space in JBoss

In JBoss, multiple spaces in unquoted cookie values are reduced to one space. For example:


is changed to

testCookieName=cookie value

Limitations introduced in IG 6.5.1

No access to common time related functions in expressions

The value of System.currentTimeMillis() cannot currently be used in filters, such as JwtBuilderFilter, for claims such as exp and iat.

Limitations introduced in IG 6.1

Proxy WebSocket traffic when running in Jetty

When IG is running in the Jetty application container, it cannot proxy WebSocket traffic.

JwtBuilderFilter to pass identity or other runtime info downstream

The JWT created by JwtBuilderFilter is not encrypted. Carefully consider the security of your configuration when using this filter.

Limitations introduced in IG 6

PasswordReplayFilter does not work with authentication trees in AM

The PasswordReplayFilter filter uses the AM Post Authentication Plugin com.sun.identity.authentication.spi.JwtReplayPassword. The plugin is triggered for AM authentication chains, but not for AM authentication trees.

Do not use the PasswordReplayFilter with AM authentication trees.

systemProxy can’t be used with proxy requiring username and password

The ClientHandler and ReverseProxyHandler property systemProxy can’t be used with a proxy that requires a username and password. Use the handler’s proxy property instead.

Fail to receive AM websocket notifications with Jetty

When IG runs on versions of Jetty from 9.3.x to 9.4.8, WebSocket notifications are not received correctly. To work around this issue, comment out the entry --module=websocket in Jetty’s start.ini file.

For Studio, custom config.json must contain main router named _router

Studio deploys and undeploys routes through a main router named _router, which is the name of the main router in the default configuration. If you use a custom config.json, make sure that it contains a main router named _router.

Blocked ClientHandler with asynchronous HTTP clients

IG processes responses from asynchronous HTTP clients by using two thread pools of the same size:

  • The first thread pool receives the response headers.

  • The second thread pool completes the promise by executing the callback and writing the response content to the stream. Reading and writing to the stream are synchronous, blocking operations.

Synchronous operation can cause routes to declare a blocked ClientHandler.

To recover from blocking, restart the route, or, if the route is config.json, restart the server. To prevent blocking, increase the number of worker threads.

Limitations introduced in IG 5.5 or earlier versions

SamlFederationHandler doesn’t support filtering
This limitation is mitigated by the following new feature in IG 7.1: SAML 2.0 requests processed with original URI value.

The SamlFederationHandler does not support filtering. Do not use a SamlFederationHandler as the handler for a Chain.

More generally, do not use this handler when its use depends on something in the response. The response can be handled independently of IG, and can be null when control returns to IG. For example, do not use this handler in a SequenceHandler where the post-condition depends on the response.

IG scripts can access anything in their environment

IG scripts are not sandboxed, but instead have access to anything in their environment. You must make sure that the scripts that IG loads are safe.

Persist UMA shares

Shared resources cannot be persisted when IG restarts. They must be shared each time that IG restarts.

Cannot use custom config.json in Studio

When a customized config.json is configured in Studio, Studio cannot deploy routes.

Log file of audit events can be overwritten

The log file of audit events can be overwritten when the log file is rotated.

When CsvAuditEventHandler is used to log audit events, the log file is overwritten if it is rotated before the file suffix, rotationFileSuffix, changes. By default, rotationFileSuffix is defined as a date in the format _yyyy-MM-dd.

Log files are rotated when one of the following limits is reached: maxFileSize, rotationInterval, or rotationTimes.

Set the log rotation parameters so that the log is not likely to rotate before rotationFileSuffix changes.
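The following check is an added example, not ForgeRock code. It compares the rotation triggers in a CsvAuditEventHandler fileRotation object with how often rotationFileSuffix changes, and reports the triggers that can fire while the suffix is still the same. It assumes the suffix is a date pattern using only the letters s, m, H and d below month level, that durations use the simple "N unit" form, and that maxFileSize greater than 0 enables size-based rotation; the sample configurations are constructed.

```python
import re

# Seconds during which a date pattern containing the letter renders the same
# text, finest field first. Only s, m, H and d are recognised (assumption).
PATTERN_PERIOD = [("s", 1), ("m", 60), ("H", 3600), ("d", 86400)]
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def suffix_period(suffix):
    """Return how long rotationFileSuffix stays unchanged, in seconds."""
    for letter, seconds in PATTERN_PERIOD:
        if letter in suffix:
            return seconds
    return float("inf")  # month/year-only or constant suffix

def duration_seconds(text):
    """Parse durations such as '6 hours' or '1 day' (simplified subset)."""
    match = re.fullmatch(r"\s*(\d+)\s*(second|minute|hour|day)s?\s*", text)
    if not match:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]

def overwrite_risks(file_rotation):
    """List rotation triggers that can fire before the file suffix changes."""
    if not file_rotation.get("rotationEnabled"):
        return []  # treated as no rotation, so nothing is overwritten
    period = suffix_period(file_rotation.get("rotationFileSuffix", "_yyyy-MM-dd"))
    findings = []
    # Size-based rotation can happen at any moment (assumes > 0 enables it).
    if file_rotation.get("maxFileSize", 0) > 0 and period > 1:
        findings.append("maxFileSize")
    interval = file_rotation.get("rotationInterval")
    if interval and duration_seconds(interval) < period:
        findings.append("rotationInterval")
    # rotationTimes are offsets after midnight and repeat every day.
    times = sorted(duration_seconds(t) for t in file_rotation.get("rotationTimes", []))
    same_bucket = any(a // period == b // period for a, b in zip(times, times[1:]))
    if same_bucket or (times and period > 86400):
        findings.append("rotationTimes")
    return findings

# Constructed sample configurations, not taken from a real deployment.
RISKY = {"rotationEnabled": True, "rotationFileSuffix": "_yyyy-MM-dd",
         "maxFileSize": 1048576, "rotationInterval": "6 hours",
         "rotationTimes": ["1 hour", "13 hours"]}
SAFER = {"rotationEnabled": True, "rotationFileSuffix": "_yyyy-MM-dd",
         "rotationInterval": "1 day"}

print(overwrite_risks(RISKY), overwrite_risks(SAFER))
```

Each name in the returned list is a fileRotation property to relax, or a reason to use a finer-grained rotationFileSuffix.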

CookieFilter is not JwtSession compatible

The CookieFilter is not compatible with JwtSession.

Cannot use SAML with AM policy agent

When SAML is used with an AM policy agent, class cast exceptions occur.

SAML fails with incorrect user-defined mapping

When the user-defined mapping is incorrectly set, missing SAML assertions produce an infinite loop during authentication attempts.

For mutual authentication, client certificate must be first in KeyStore

For HTTPS, IG can check server certificates. However, mutual authentication, where IG presents its client certificate, is not supported if the client certificate is not the first certificate in the ClientHandler or ReverseProxyHandler keystore.

Copyright © 2010-2023 ForgeRock, all rights reserved.