Featured
What downloadable components are compatible with Identity Cloud?
The purpose of this article is to provide compatibility information between ForgeRock Identity Cloud and downloadable components such as Identity Gateway, Agents and Identity Connectors.
How do I troubleshoot the Java Remote Connector Service (RCS)?
The purpose of this article is to provide advice on troubleshooting the Java® RCS for ForgeRock Identity Cloud and IDM.
How do I acquire an access token for Identity Cloud API calls in a Scripted Decision node?
The purpose of this article is to provide information on getting an access token for API calls in a Scripted Decision node in ForgeRock Identity Cloud using a service account. A service account lets you request access tokens for most Identity Cloud REST API endpoints. This example focuses on the /openidm/* API endpoints using the fr:idm:* scope, but can easily be adapted to other endpoints/scopes. This article does not apply if you require an access token for third-party APIs.
Latest
What logging sources are available in Identity Cloud?
The purpose of this article is to describe the sources available for audit and debug logging in ForgeRock Identity Cloud. These logs can be useful for troubleshooting.
How do I set the persistAssociations parameter to true when triggering a reconciliation in Identity Cloud or IDM 7.2.x?
The purpose of this article is to provide information on how to set the persistAssociations parameter to true when triggering a reconciliation in ForgeRock Identity Cloud or IDM. The default value for this parameter is false.
FAQ: Journeys in Identity Cloud
The purpose of this FAQ is to provide answers to commonly asked questions regarding end user journeys in ForgeRock Identity Cloud.
Existing route fails to load after upgrading to IG 2023.x
The purpose of this article is to provide assistance if you find an existing route fails to load after upgrading IG. You will notice messages such as "An error occurred while reading the route defined in the file" and "Expecting a value" in the logs.
Self-service promotion gets stuck in Identity Cloud with a login loop
The purpose of this article is to provide assistance if your self-service promotion gets stuck in ForgeRock Identity Cloud and does not proceed. You will also notice you are repeatedly prompted to sign in even after you have authenticated.
How do I redirect to a specific page after a successful IdP or SP initiated login in Identity Cloud or AM (All versions)?
The purpose of this article is to provide information on redirecting the user to a specific page after a successful Single Sign On (SSO) in ForgeRock Identity Cloud or AM. The SSO can be either IdP or SP initiated. This information only applies to standalone mode (where JSPs are invoked to initiate SSO) and when Identity Cloud or AM is the hosted entity provider.
How do I redirect to a specific page after a successful IdP or SP initiated logout in Identity Cloud or AM (All versions)?
The purpose of this article is to provide information on redirecting the user to a specific page after a successful Single Logout (SLO) in ForgeRock Identity Cloud or AM. The SLO can be either IdP or SP initiated. If you do not specify a page, the default.jsp page is shown, which just informs you of a successful single logout. This information only applies to standalone mode (where JSPs are invoked to initiate SLO) and when Identity Cloud or AM is the hosted entity provider.
How do I include additional profile attributes in the OAuth 2.0 Access token in Identity Cloud?
The purpose of this article is to provide information on including additional profile attribute values in the OAuth 2.0 Access token. This can be achieved by adding profile fields to the Access Token Modification script in ForgeRock Identity Cloud. This article uses the extension attributes provided in Identity Cloud (such as frIndexedString1 or frIndexedMultivalued1) to add the profile fields to the Access token.
How do I override claims in the OIDC ID token in Identity Cloud, AM 7.1.x and 7.2.x?
The purpose of this article is to provide assistance if you want to override claims (such as aud, acr or iss) in the OpenID Connect (OIDC) ID token issued by ForgeRock Identity Cloud or AM.
How do I include additional profile attributes in the OIDC ID token in Identity Cloud?
The purpose of this article is to provide information on including additional profile attributes in the OpenID Connect (OIDC) ID token. This can be achieved by adding profile claims to the OIDC Claims script in ForgeRock Identity Cloud. This article uses the extension attributes provided in Identity Cloud (such as frIndexedString1 or frIndexedMultivalued1) to add profile claims to the JWT ID token.
Integrations
ADFS SSO integration with Identity Cloud as SAML service provider
The purpose of this article is to provide information on how to configure ForgeRock Identity Cloud to integrate with Active Directory Federation Services (ADFS) using SAML2 federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the service provider (SP) and ADFS as the identity provider (IdP).
Does the ForgeRock solution support social authentication?
ForgeRock's social authentication lets your users log in once with their preferred social media account, then gain access to all their applications and services. ForgeRock makes this easy by providing pre-configured social identity integrations that can be included in your user journeys.
Azure SSO integration with Identity Cloud as SAML service provider
The purpose of this article is to provide information on how to configure ForgeRock Identity Cloud to integrate with Microsoft® Azure® Active Directory® (AD) using SAML2 federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the service provider (SP) and Azure as the identity provider (IdP).
How do I create end user journeys for social registration and login in Identity Cloud?
The purpose of this article is to provide information on creating end user journeys for social registration and login in ForgeRock Identity Cloud. These journeys are required when you integrate Identity Cloud with a third-party social provider, such as Google®, using OpenID Connect (OIDC) or OAuth 2.0 for Single Sign-On (SSO).
Does Identity Cloud support Single Sign-On (SSO) with Salesforce?
You can set up your Salesforce® organization to trust ForgeRock Identity Cloud to authenticate your users. With this SSO integration, Identity Cloud is the identity provider (IdP) and Salesforce is the service provider (SP).
Google SSO integration with Identity Cloud for social authentication/registration
The purpose of this article is to provide information on configuring ForgeRock Identity Cloud to integrate with Google® as a social provider using OpenID Connect (OIDC) for Single Sign-On (SSO).
ServiceNow SSO integration with Identity Cloud as SAML identity provider
The purpose of this article is to provide information on how to configure ForgeRock Identity Cloud to integrate with ServiceNow® using SAML2 federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and ServiceNow as the service provider (SP).
Zendesk SSO integration with Identity Cloud as SAML identity provider
The purpose of this article is to provide information on how to configure ForgeRock Identity Cloud to integrate with Zendesk® using SAML2 federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and Zendesk as the service provider (SP).
Salesforce SSO integration with Identity Cloud as SAML identity provider
The purpose of this article is to provide information on how to configure ForgeRock Identity Cloud to integrate with Salesforce® using SAML2 federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and Salesforce as the service provider (SP).
Salesforce SSO integration with Identity Cloud as OIDC identity provider
The purpose of this article is to provide information on configuring ForgeRock Identity Cloud to integrate with Salesforce® using OpenID Connect (OIDC) federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and Salesforce as the service provider (SP).
Books
Sync Identities in Identity Cloud
This book provides information on syncing identities in ForgeRock Identity Cloud, including information on implementing and upgrading the Remote Connector Server (RCS).
Installing and configuring IG
This book provides information on installing and configuring IG including frequently asked questions.
Single Sign-On Integrations for Identity Cloud
This book provides information on Single Sign-On (SSO) integrations for ForgeRock Identity Cloud.
SAML 2.0 federation in Identity Cloud
This book provides information on SAML 2.0 federation in Identity Cloud and includes common Single Sign-On (SSO) integrations.
Push Services in Identity Cloud and AM
This book provides information on push services in ForgeRock Identity Cloud and AM.
Product Q&As - ForgeRock Identity Cloud
This book provides answers to questions when evaluating ForgeRock Identity Cloud.
ForgeRock CIAM evaluation
This book provides answers to questions when evaluating ForgeRock for Customer Identity and Access Management (CIAM) capabilities.
ESVs in Identity Cloud
This book provides information on the use of Environment secrets and variables (ESVs) in Identity Cloud.
Identity Gateway
Existing route fails to load after upgrading to IG 2023.x
The purpose of this article is to provide assistance if you find an existing route fails to load after upgrading IG. You will notice messages such as "An error occurred while reading the route defined in the file" and "Expecting a value" in the logs.
How do I configure proxy settings in IG (All versions)?
The purpose of this article is to provide information on configuring proxy settings in IG if requests need to go via a proxy server.
How do I check if IG (All versions) is up and running?
The purpose of this article is to provide information on ways you can check if IG is up and running when it is behind a load balancer.
How do I use the baseURI and originalURI in IG (All versions)?
The purpose of this article is to provide more detailed information on the baseURI and originalURI, and their relationship to the Request URI in IG routes and downstream applications.
How do I generate more detailed debug logs to diagnose an issue in IG (All versions)?
The purpose of this article is to provide strategies for increasing the information contained in the logs and collecting debug logs when troubleshooting IG issues. This includes collecting message level SAML2 logs if you are using IG for SAML 2.0 federation.
How do I configure IG (All versions) to access unprotected static content and resources?
The purpose of this article is to provide information on configuring IG to not enforce authorization when accessing unprotected static content and resources (such as graphics, images and CSS files). This is effectively the same as a Not-Enforced URL list.
FAQ: IG performance and tuning
The purpose of this FAQ is to provide answers to commonly asked questions regarding performance and tuning for IG.
config.json not readable error in IG (All versions)
The purpose of this article is to provide assistance if you encounter a "/root/.openig/config/config.json" not readable error in IG.
FAQ: Installing and configuring IG
The purpose of this FAQ is to provide answers to commonly asked questions regarding installing and configuring IG.
How do I change the algorithm used to sign SAML2 requests in IG (All versions)?
The purpose of this article is to provide information on changing the signature algorithm used to sign SAML requests in IG.
Web Agents
FAQ: Installing Agents in Identity Cloud and AM
The purpose of this FAQ is to provide answers to commonly asked questions regarding installing Agents (Web or Java) in ForgeRock Identity Cloud and AM.
FAQ: Configuring Agents in Identity Cloud and AM
The purpose of this FAQ is to provide answers to commonly asked questions regarding configuring Agents in ForgeRock Identity Cloud and AM.
Installing a Web Agent (All versions) fails with a no ssl/library support error
The purpose of this article is to provide assistance if you receive a "no ssl/library support" error when trying to install a Web Agent.
Apache Web Agent (All versions) does not start after installing it on RHEL or CentOS configured with SELinux
The purpose of this article is to provide assistance if the Apache web agent does not start after installing it on a Red Hat® Enterprise Linux® (RHEL) or CentOS system configured with SELinux in Enforcing mode. You will see messages about the "httpd.service failed" and "Failed to start The Apache HTTP Server".
How does Post Data Preservation work for Web Agents (All versions)?
The purpose of this article is to provide information on Post Data Preservation (PDP) and how it affects the Web Agent.
Unable to find the "User" entry in the httpd.conf file error when installing the Apache Web Agent (All versions)
The purpose of this article is to provide assistance if you receive errors about users and groups when installing the Apache™ Web agent. You will see "Unable to find the "User" entry in the httpd.conf file, will try APACHE_RUN_USER environment variable" and/or "Unable to find the "Group" entry in the httpd.conf file, will try APACHE_RUN_GROUP environment variable" errors.
Apache and IIS Web Agent (All versions) repeatedly reports failed to load SSL errors
The purpose of this article is to provide assistance if the Apache™ or IIS Web Agent repeatedly reports SSL errors such as "failed to load OPENSSL_init_ssl" (Apache) or "failed to load SSL_library_init" (IIS).
Best practice for installing IIS Web Agents (All versions)
The purpose of this article is to provide best practice advice on installing IIS Web Agents.
Does the ForgeRock solution offer single and same sign-on (SSO) capabilities?
The ForgeRock solution includes a wide range of integration patterns and platform components that enable single and same sign-on (SSO) for both modern and legacy applications.
What types of authorization methods and access controls are offered by the ForgeRock solution?
The ForgeRock solution supports authorization policies from simple, coarse-grained rules to highly advanced, fine-grained entitlements. Organizations can ensure that just the right amount of access control is given to each consumer, workforce or thing in their organization.
Java Agents
Web and Java Agents Security Advisory #202302
A security vulnerability has been discovered in supported versions of Web and Java Agents. This vulnerability affects versions 5.10.1 and earlier, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory. This advisory does not apply to Identity Gateway (IG), which is not impacted.
What downloadable components are compatible with Identity Cloud?
The purpose of this article is to provide compatibility information between ForgeRock Identity Cloud and downloadable components such as Identity Gateway, Agents and Identity Connectors.
What types of authorization methods and access controls are offered by the ForgeRock solution?
The ForgeRock solution supports authorization policies from simple, coarse-grained rules to highly advanced, fine-grained entitlements. Organizations can ensure that just the right amount of access control is given to each consumer, workforce or thing in their organization.
Does the ForgeRock solution offer single and same sign-on (SSO) capabilities?
The ForgeRock solution includes a wide range of integration patterns and platform components that enable single and same sign-on (SSO) for both modern and legacy applications.
NoSuchMethodError or Failed to decrypt application password error after installing a Java Agent (All versions)
The purpose of this article is to provide assistance if you encounter a "java.lang.NoSuchMethodError: com.sun.identity.shared.configuration.SystemPropertiesManager.getAsInt(Ljava/lang/String;I)" error after installing the WebLogic Java Agent or a "Failed to decrypt application password" error after installing other Java Agents such as Apache Tomcat™. These errors can be seen after starting the application server, or trying to access the agent configuration or application protected by the agent.
FAQ: Configuring Agents in Identity Cloud and AM
The purpose of this FAQ is to provide answers to commonly asked questions regarding configuring Agents in ForgeRock Identity Cloud and AM.
FAQ: Installing Agents in Identity Cloud and AM
The purpose of this FAQ is to provide answers to commonly asked questions regarding installing Agents (Web or Java) in ForgeRock Identity Cloud and AM.