A Sample OpenIG configuration showing Tomcat Login

ForgeRock's  Open Identity Gateway (OpenIG) is a "smart" reverse proxy interacts with the HTTP session to modify headers, cookies, and the body.

A common OpenIG  use case is to SSO enable legacy applications that can not be modified to use a policy agent.

The way this works is described in the gateway guide but the readers digest version is:
  • OpenIG itself is protected with an OpenAM policy agent
  • OpenAM's password capture post authentication handler is configured to capture the user's password on login, and provide it (encrypted) to OpenIG. 
  • OpenIG is configured to watch for an HTTP request to the legacy application's login page
  • When OpenIG sees the login page it injects the users credentials into the login flow. 
The guide has a few examples for Wordpress login - but I wanted to demonstrate login to Tomcat. 

This OpenIG config.json file is configured to SSO into the sample form login demo that included with tomcat (/examples/jsp/security/protected).

This config.json assumes:

  • A tomcat instance is running on port 48080 with the sample application. This is our "legacy" application.
  • tomat-users.xml has the sample user and password configured. The user must also have the roles "role1" and "tomcat" (this is the way the tomcat demo works - nothing to do with OpenIG...)
  • Before using the gateway make sure you can login directly to the sample application without going through the gateway (for this example: try logging in to http://openam.example.com:48080/examples/jsp/security/protected/)
  • OpenIG is running on another tomcat instance on port 28080 
  • You have followed the OpenIG guide to integrate OpenAM and OpenIG, and enable the password capture post auth handler. 

You now should be able to go to 


If all is well you will be redirected to OpenAM. Once you have authenticated, the gateway will inject your credentials into the flow and log you in to the sample application.


Popular posts from this blog

SAML Federation in OAM 11g R2

Apache reverse proxy with LDAP authentication

OAM R2 REST APIs for Policy Management