IG acting as just Gateway for AM

This topic has 3 replies, 3 voices, and was last updated 1 year, 8 months ago by [email protected].


    Is it possible to use IG as just a gateway for routing traffic to an existing AM?

    For example, I have AM deployed at http://openam.example.com:8080/openam and IG is deployed at http://openig.example.com:9090. I want to add a route to IG so that the route can be used to interact with AM on various endpoints. In this case IG is acting as an extra layer on AM.

    Yet, if I simply add a route called openam and it’s pointing to http://openam.example.com:8080 for baseUrl and /openam as path, every time I visit http://openig.example.com:9090/openam, the URL will be redirected back to http://openam.example.com:8080/openam.



     Jatinder Singh

    Howdy! I did answer a similar question of yours around IG in the AM section. But it’s good to discuss IG under the IG section to get most traction on your question from the community.

    If you visit /openam, AM does a 302 redirect to /XUI/Login I believe. When a response is coming out of IG, you will need to ensure any AM domain referenced either in the GOTO parameter or Location Header is correctly replaced with that of IG domain. For Location Header, you can use LocationHeaderFilter and if you have goto in your use case, write a filter that does the swap.

    Also, my suggestion is to target your specific use cases instead of proxying the entire AM via IG. For instance, an RP or RO may not visit just the /openam context directly. Since you are targeting OAuth2 and OIDC flows (from your earlier question), I suggest proxying the endpoints that are involved in those flows. And you can deny access to all other endpoints if that fits your use case.

    Also, an RP or RO will never (my assumption) visit your /openam context directly. There will be some URL that is constructed via AM or IG and presented in the user’s browser, but IMO it will not

    Hope this helps!

     Jatinder Singh

    Just realized there’s a typo in my above reply. The last paragraph is a repeat and can be ignored.
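As an added example (not code from the original posts or from the IG project), here is an IG route that does what Jatinder's first reply describes: it forwards requests under /openam to AM and rewrites the Location header of AM's 302 so the browser is sent back to the IG host rather than to http://openam.example.com:8080. The host names and the route name "openam" come from the question; the IG 6.x route JSON syntax, the built-in ClientHandler, and the file location given below are assumptions.

```json
{
  "name": "openam",
  "condition": "${matches(request.uri.path, '^/openam')}",
  "baseURI": "http://openam.example.com:8080",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "LocationHeaderFilter",
          "config": {
            "baseURI": "http://openig.example.com:9090"
          }
        }
      ],
      "handler": "ClientHandler"
    }
  }
}
```

Save this as a route file (for IG 6.x on Unix, assumed to be $HOME/.openig/config/routes/openam.json) and IG loads it without a restart. The route-level baseURI sends the request to AM; the LocationHeaderFilter's baseURI is the IG address that replaces the AM scheme, host and port in any Location header on the way back, which is exactly the redirect the question describes. Two caveats a practitioner should keep in mind: this filter touches only the Location header, so an AM host embedded in a goto query parameter still needs the separate filter Jatinder mentions (or AM itself configured to emit the IG host through its DNS alias and Base URL Service); and matching '^/openam' exposes every AM endpoint, including administrative ones, through IG. To follow the advice of proxying only the endpoints a flow needs, tighten the condition to those paths; requests that match no route are not forwarded to AM.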


    Have you tried setting the “DNS Aliases” value of the Realm Properties to include “openig.example.com” – https://backstage.forgerock.com/docs/am/6.5/maintenance-guide/index.html#configure-realm-dns-alias

    You may also need to set up a Base URL Service to include the necessary details, as certain Naming configuration relies on that data – https://backstage.forgerock.com/docs/am/6.5/oidc1-guide/index.html#configure-base-url-source
