November 3, 2015 at 2:36 am #6150kburkhardtParticipant
We are starting to evaluate the Forgerock suite of applications.
I am confused at the relationship between these two products. I had thought that they were two standalone products. The OpenAM Admin guide has the statement below, which reads that OpenIG is included with OpenAM.
5.1. Open Identity Gateway or Policy Agent? OpenAM includes both the Open Identity Gateway (OpenIG) and also a variety of policy agents.
Now on the https://forgerock.org/openig/ project page it says
OpenIG works together with OpenAM to integrate Web applications without the need to modify the target application or the container that it runs in. Read more.
To me, the statements are contradictory. Can someone clear this up for me?November 3, 2015 at 5:17 am #6151Rajesh RParticipant
@kburkhardt OpenAM and OpenIG exist as separate components. OpenAM is for Authentication, Authorisation, SSO and Federation. One way of protecting Applications using OpenAM is by installing Agents (Web Agents and J2EE agents). Agents intercept the request from the client to application and redirect the request to OpenAM for Authentication and Authorisation. In situations where we cannot modify applications or install agents on application, we could use OpenIG as an alternative, in which case the requests from clients go to OpenIG, OpenIG will redirect the request to OpenAM, OpenAM will ask user for credentials and then the control is passed to OpenIG to redirect the user request to application. The following link has a video demonstration which explains how OpenIG and OpenAM operate together to achieve the flow as mentioned above:
Video tutorials on additional use cases on OpenIG is below:
0. ForgeRock OpenIG: Installation & Configuration
1. ForgeRock OpenIG: Getting Credentials from a File Data Source
2. ForgeRock OpenIG: Getting Credentials from JDBC Data Source
3. ForgeRock OpenIG as SAML 2.0 Service Provider
4. ForgeRock OpenIG as OAuth 2.0 Resource Server
Hope this helps.
RajeshNovember 3, 2015 at 6:24 am #6152kburkhardtParticipant
Thanks for clearing that up. I had originally figured that IG was a standalone reverse proxy (Read: Costs more money to license). The statement in the OpenAM docs is just kinda confusing and I was holding on to the hope that I didn’t have to ask for more money. Here’s to adding yet another service to the quote.
Thanks!November 3, 2015 at 4:39 pm #6163Scott HegerParticipant
Originally OpenIG was included with OpenAM, but with advances in the product it was broken out to its own, thus the confusion of older documentation references of it being include.December 19, 2016 at 11:08 am #14883[email protected]Participant
I need to setup my website login process using openam, so , try to install openam follw this document.https://backstage.forgerock.com/docs/openam/13/getting-started#software-setup and its working fine.
But, I have used nginx has a web server in production. But, no web policy agent have nginx
webserver in official. only for apache and microsoft lls. so, i follow this link to setup nginx webagent, but i got issue.
As Per Your Suggestion, we could use OpenIG as an alternative, in which case the requests from clients go to OpenIG, OpenIG will redirect the request to OpenAM, OpenAM will ask user for credentials and then the control is passed to OpenIG to redirect the user request to application.
I follow your video tutorials, https://forgerock.org/2015/08/forgerock-openig-getting-credentials-from-forgerock-openam/, But You use J2EE Policy web-agent. J2EE policy agent not suitable for web application reference: https://docs.oracle.com/cd/E19575-01/820-5816/gakwi/index.html
I follow @Rogerio Rondini answer, https://forgerock.org/topic/can-i-use-nginx-instead-of-apache-webserver-in-openam/#post-14841 , they suggest to use openIG but, openIG way also used policy agent. https://backstage.forgerock.com/docs/openig/4.5/gateway-guide#capture-replay-flow
my questions are:
1. without web policy agent, can i authenticate a website using openam?
2. policy agent vs openIG?
3. can i use only openIG + openAm to website authenticate without using web policy agent?
You must be logged in to reply to this topic.