July 25, 2020 at 3:20 am #28108 ray.deng83 (Participant)
Is it possible to use IG as just a gateway for routing traffic to an existing AM?
For example, I have AM deployed at http://openam.example.com:8080/openam and IG is deployed at http://openig.example.com:9090. I want to add a route to IG so that the route can be used to interact with AM on various endpoints. In this case IG is acting as an extra layer on AM.
Yet, if I simply add a route called openam and it’s pointing to http://openam.example.com:8080 for baseUrl and /openam as path, every time I visit http://openig.example.com:9090/openam, the URL will be redirected back to http://openam.example.com:8080/openam.
July 27, 2020 at 8:04 pm #28124 Jatinder Singh (Participant)
Howdy! I did answer a similar question of yours around IG in the AM section. But it’s good to discuss IG under the IG section to get most traction on your question from the community.
If you visit /openam, AM does a 302 redirect to /XUI/Login I believe. When a response is coming out of IG, you will need to ensure any AM domain referenced in the Location header is correctly replaced with that of the IG domain. For the Location header, you can use LocationHeaderFilter, and if you have goto in your use case, write a filter that does the swap.
Also my suggestion is to target specific use cases of yours instead of proxying the entire AM via IG. For instance, an RP or RO may not visit just the /openam context directly. Since you are targeting OAuth2 and OIDC flows (from your earlier question), I suggest proxying the endpoints that are involved in those flows. And you can deny access to all other endpoints if that fits your use case.
Also, the RP or RO will never (my assumption) visit your /openam context directly. There will be some URL that is constructed via AM or IG and presented in the user's browser but IMO it will not
Hope this helps!
July 27, 2020 at 8:28 pm #28127 Jatinder Singh (Participant)
Just realized there's a typo in my above reply. The last paragraph is a repeat and can be ignored.
November 4, 2020 at 4:34 am #28346 [email protected] (Participant)
Have you tried setting the “DNS Aliases” value of the Realm Properties to include “openig.example.com” – https://backstage.forgerock.com/docs/am/6.5/maintenance-guide/index.html#configure-realm-dns-alias
You may also need to set up a Base URL Service to include the necessary details, as certain Naming configuration relies on that data – https://backstage.forgerock.com/docs/am/6.5/oidc1-guide/index.html#configure-base-url-source
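Putting Jatinder's LocationHeaderFilter suggestion and the DNS alias answer together, here is an added example route for IG 6.x (not posted in the thread); the hostnames are the ones from the question, while the route name, the condition and the use of ReverseProxyHandler are assumptions.

```json
{
  "name": "openam",
  "condition": "${matches(request.uri.path, '^/openam')}",
  "baseURI": "http://openam.example.com:8080",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "LocationHeaderFilter",
          "config": {
            "baseURI": "http://openig.example.com:9090"
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

With this route, AM's 302 to /XUI/Login reaches the browser as http://openig.example.com:9090/openam/XUI/Login instead of the AM host, but AM still needs openig.example.com as a realm DNS alias (and a matching Base URL Source) so the URLs AM builds itself agree. Narrowing the condition to the OAuth2/OIDC endpoints you actually use follows the advice above not to proxy all of AM.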