Latest
Access to Java class is prohibited error with scripts running in Identity Cloud and AM (All versions)
The purpose of this article is to provide assistance if you encounter a "java.lang.SecurityException: Access to Java class "class.name" is prohibited" error when using functionality that is based on a script in ForgeRock Identity Cloud or AM. This issue might occur when validating or processing a script such as an OIDC claims script, a script used by the Scripted Decision node or a policy condition script.
How do I get Java classes added to the allowlist in Identity Cloud for scripting purposes?
The purpose of this article is to provide information on getting Java® classes added to the allowlist in ForgeRock Identity Cloud for scripting purposes. This includes scripts such as the OIDC claims script or a script used by the Scripted Decision node.
Azure Active Directory B2C SSO integration with Identity Cloud as OIDC identity provider
The purpose of this article is to provide information on configuring ForgeRock Identity Cloud to integrate with Microsoft® Azure Active Directory (AD) B2C using OpenID Connect (OIDC) federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and Azure AD B2C as the service provider (SP).
FAQ: OAuth 2.0 in Identity Cloud and AM
The purpose of this FAQ is to provide answers to commonly asked questions regarding OAuth 2.0 and OpenID Connect 1.0 (OIDC) in ForgeRock Identity Cloud and AM.
URLDecoder: Illegal hex characters in escape (%) pattern or Client authentication failed error when requesting an OAuth2 access token in Identity Cloud or AM (All versions)
The purpose of this article is to provide assistance if you receive a "URLDecoder: Illegal hex characters in escape (%) pattern" or "Client authentication failed" response when making a call to the OAuth2 access_token endpoint in ForgeRock Identity Cloud or AM using a basic authorization header. You may see this in Identity Cloud and AM 6.5 and later when the client ID and secret are not URL encoded, or in earlier versions when one or both of them are URL encoded.
RelayState is missing or not persisted after single logout when HTTP Redirect binding is used with an external SP in Identity Cloud or AM (All versions)
The purpose of this article is to provide assistance if the RelayState parameter is missing or not persisted after Single Logout (SLO) when the HTTP Redirect binding is used. This issue can occur when ForgeRock Identity Cloud or AM is the Identity Provider (IdP) with an external Service Provider (SP).
How do I understand the underlying REST call being used in web requests in Identity Cloud or AM (All versions)?
The purpose of this article is to provide information on finding out what is included in REST calls being made in ForgeRock Identity Cloud or AM. This technique can be useful to help you formulate REST calls based on an existing web request or to troubleshoot why a REST call is not working as expected.
How do I know which binding to use for SAML2 federation in Identity Cloud or AM (All versions)?
The purpose of this article is to provide information on using bindings for SAML2 federation in ForgeRock Identity Cloud or AM. There are two different types of bindings in SAML2: the request binding, which is used to send the authentication request, and the response binding, which is used when returning the response message.
SP initiated logout fails in Identity Cloud or AM (All versions) with Identity Provider ID is null error
The purpose of this article is to provide assistance if an SP-initiated logout fails in ForgeRock Identity Cloud or AM with an "Identity Provider ID is null" error. For example, your logout URL is similar to: https://sp.example.com:8443/am/saml2/jsp/spSingleLogoutInit.jsp?binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
SP initiated login fails in Identity Cloud or AM (All versions) with Service Provider ID is null error
The purpose of this article is to provide assistance if an SP-initiated login fails in ForgeRock Identity Cloud or AM with the error "Service Provider ID is null. The request sent by the client was syntactically incorrect." For example, your login URL is similar to: https://sp.example.com:8443/am/saml2/jsp/spSSOInit.jsp
Integrations
Azure Active Directory B2C SSO integration with Identity Cloud as OIDC identity provider
The purpose of this article is to provide information on configuring ForgeRock Identity Cloud to integrate with Microsoft® Azure Active Directory (AD) B2C using OpenID Connect (OIDC) federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and Azure AD B2C as the service provider (SP).
Zendesk SSO integration with Identity Cloud as SAML identity provider
The purpose of this article is to provide information on how to configure ForgeRock Identity Cloud to integrate with Zendesk® using SAML2 federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and Zendesk as the service provider (SP).
Salesforce SSO integration with Identity Cloud as OIDC identity provider
The purpose of this article is to provide information on configuring ForgeRock Identity Cloud to integrate with Salesforce® using OpenID Connect (OIDC) federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and Salesforce as the service provider (SP).
Salesforce SSO integration with Identity Cloud as SAML identity provider
The purpose of this article is to provide information on how to configure ForgeRock Identity Cloud to integrate with Salesforce® using SAML2 federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and Salesforce as the service provider (SP).
ServiceNow SSO integration with Identity Cloud as SAML identity provider
The purpose of this article is to provide information on how to configure ForgeRock Identity Cloud to integrate with ServiceNow® using SAML2 federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and ServiceNow as the service provider (SP).
Yahoo SSO integration with Identity Cloud for social authentication/registration
The purpose of this article is to provide information on configuring ForgeRock Identity Cloud to integrate with Yahoo® as a social provider using OpenID Connect (OIDC) for Single Sign-On (SSO).
Azure SSO integration with Identity Cloud as SAML service provider
The purpose of this article is to provide information on how to configure ForgeRock Identity Cloud to integrate with Microsoft® Azure® Active Directory® (AD) using SAML2 federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the service provider (SP) and Azure as the identity provider (IdP).
Does Identity Cloud support Single Sign-On (SSO) with Salesforce?
You can set up your Salesforce® organization to trust ForgeRock Identity Cloud to authenticate your users. With this SSO integration, Identity Cloud is the identity provider (IdP) and Salesforce is the service provider (SP).
Does Identity Cloud support social authentication?
Social authentication in ForgeRock Identity Cloud lets your users log in once with their preferred social media account, then gain access to all their applications and services. ForgeRock makes this easy by providing pre-configured social identity integrations that can be included in your user journeys.
Google SSO integration with Identity Cloud for social authentication/registration
The purpose of this article is to provide information on configuring ForgeRock Identity Cloud to integrate with Google® as a social provider using OpenID Connect (OIDC) for Single Sign-On (SSO).
Books
OAuth 2.0 and OIDC in Identity Cloud
This book provides information on OAuth 2.0 and OpenID Connect (OIDC) in Identity Cloud including known issues (with solutions).
Single Sign-On Integrations for Identity Cloud
This book provides information on Single Sign-On (SSO) integrations for ForgeRock Identity Cloud.
SAML2 Federation in Identity Cloud
This book provides information on SAML2 federation in Identity Cloud and includes common Single Sign-On (SSO) integrations.
Product Q&As - ForgeRock Identity Cloud
This book provides answers to questions when evaluating ForgeRock Identity Cloud.
Sync Identities in Identity Cloud
This book provides information on syncing identities in ForgeRock Identity Cloud, including information on implementing and upgrading the Remote Connector Server (RCS).
ForgeRock Authenticator App 3.x
The purpose of this book is to provide information on the ForgeRock Authenticator App 3.x.
SAML federation in IG
This book provides information on SAML federation in IG and includes help on configuring federation and debug logging.
Troubleshooting IG
This book provides information on troubleshooting various issues in IG including collecting useful troubleshooting information such as logs, heap dumps and stack traces.
Installing and configuring IG
This book provides information on installing and configuring IG including frequently asked questions.
Identity Gateway
Does the ForgeRock solution offer single and same sign-on (SSO) capabilities?
The ForgeRock solution includes a wide range of integration patterns and platform components that enable single and same sign-on (SSO) for both modern and legacy applications.
FAQ: The AmService in IG routes
The purpose of this FAQ is to provide answers to commonly asked questions regarding the AmService in IG routes.
FAQ: IG in Standalone Mode
The purpose of this FAQ is to provide answers to commonly asked questions regarding IG in standalone mode. This is a release of IG that does not depend on a web container and is delivered as a standalone Java® executable.
How do I set up signing and encryption for IG 6.x and 7 when it is acting as the SAML 2.0 SP?
The purpose of this article is to provide information on configuring signing and encryption in IG when it is acting as the Service Provider (SP) for SAML federation. You can either do this via the fedletEncode.jsp or scripting.
How do I enable Garbage Collector (GC) Logging for IG?
The purpose of this article is to provide information on enabling GC Logging for IG. It assumes you already have a working IG server installed.
How do I use the baseURI and originalURI in IG?
The purpose of this article is to provide more detailed information on the baseURI and originalURI, and their relationship to the Request URI in IG routes and downstream applications.
How do I configure IG to access unprotected static content and resources?
The purpose of this article is to provide information on configuring IG to not enforce authorization when accessing unprotected static content and resources (such as graphics, images and CSS files). This is effectively the same as a Not-Enforced URL list.
How do I use IG (All versions) to proxy a set of applications that all have the same context?
The purpose of this article is to provide a solution in IG for proxying a set of applications that share the same context without having to manipulate the request path.
How do I find which thread is consuming CPU in a Java process in IG (All versions)?
The purpose of this article is to provide assistance on identifying which thread is consuming CPU in a Java® process in IG when it is running in a web container. This is a useful troubleshooting technique when you are experiencing high CPU under load.
How do I collect data for troubleshooting high CPU utilization or Out of Memory errors on IG (All versions) servers?
The purpose of this article is to provide troubleshooting guidance if you are experiencing consistently high CPU utilization on the IG server or seeing Out of Memory errors. If CPU utilization is in the range 70-80% under load, you should definitely investigate what is causing it as performance is likely to be impacted.
Agents
Web Agents Security Advisory #202105
Security vulnerabilities have been discovered in supported versions of Web Agents. These vulnerabilities affect versions 5.6.3, 5.7.0, 5.8.0, 5.8.1 and 5.8.2. You should secure your deployments at the earliest opportunity as outlined in this security advisory.
Web Agents Security Advisory #202107
A security vulnerability has been discovered in supported versions of Web Agents. This vulnerability affects versions 5.7.0, 5.7.1, 5.7.2, 5.8.0, 5.8.1, 5.8.2, and 5.8.2.1. You should secure your deployments at the earliest opportunity as outlined in this security advisory.
Apache and IIS Web Agent (All versions) repeatedly reports failed to load SSL errors
The purpose of this article is to provide assistance if the Apache™ or IIS Web Agent repeatedly reports SSL errors such as "failed to load OPENSSL_init_ssl" (Apache) or "failed to load SSL_library_init" (IIS).
Unable to find the "User" entry in the httpd.conf file error when installing the Apache Web Agent (All versions)
The purpose of this article is to provide assistance if you receive errors about users and groups when installing the Apache™ Web agent. You will see "Unable to find the "User" entry in the httpd.conf file, will try APACHE_RUN_USER environment variable" and/or "Unable to find the "Group" entry in the httpd.conf file, will try APACHE_RUN_GROUP environment variable" errors.
Best practice for installing IIS Web Agents (All versions)
The purpose of this article is to provide best practice advice on installing IIS Web Agents.
How does Post Data Preservation work for Web Agents (All versions)?
The purpose of this article is to provide information on Post Data Preservation (PDP) and how it affects the Web Agent.
Apache Web Agent (All versions) does not start after installing it on RHEL or CentOS configured with SELinux
The purpose of this article is to provide assistance if the Apache Web Agent does not start after installing it on a Red Hat® Enterprise Linux® (RHEL) or CentOS system configured with SELinux in Enforcing mode. You will see messages such as "httpd.service failed" and "Failed to start The Apache HTTP Server".
Web and Java Agents Security Advisory #202201
A security vulnerability has been discovered in supported versions of Web and Java Agents when using specific configurations. This vulnerability affects versions: Web Agent 5.6.1.0 - 5.9.0, and Java Agent 5.7.1, 5.8.0, 5.8.1 and 5.9.0. It could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.
NoSuchMethodError or Failed to decrypt application password error after installing a Java Agent (All versions)
The purpose of this article is to provide assistance if you encounter a "java.lang.NoSuchMethodError: com.sun.identity.shared.configuration.SystemPropertiesManager.getAsInt(Ljava/lang/String;I)" error after installing the WebLogic Java Agent, or a "Failed to decrypt application password" error after installing other Java Agents such as the Apache Tomcat™ Java Agent. These errors can be seen after starting the application server, or when trying to access the agent configuration or an application protected by the agent.
Installing a Web Agent (All versions) fails with a no ssl/library support error
The purpose of this article is to provide assistance if you receive a "no ssl/library support" error when trying to install a Web Agent.