Open Identity Gateway
The Open Identity Gateway (OpenIG) is a high-performance reverse proxy server with specialized session management and credential replay functionality.
OpenIG feature overview
OpenIG is an independent policy enforcement point that reduces the proliferation of passwords and ensures consistent, secure access across multiple web apps and APIs. OpenIG can leverage any standards-compliant identity provider to integrate into your current architecture. Single sign-on and sign-off improve the user experience and can significantly improve adoption and consumption of the services provided.
Using OpenIG, organizations can add a layer of identity security to applications and APIs without costly and time-consuming changes to each individual app. OpenIG can even look up usernames and passwords in a legacy database and replay them to the web app or API. By reducing the number of passwords end users need to remember, IT can reduce the cost of maintaining legacy applications. Because replay requires the gateway to present the stored credential to the backend, the credential store and the gateway itself must be protected accordingly.
OpenIG's throttling functionality helps prevent unwanted traffic from disrupting operations and uphold SLAs, so applications can grant the right access while remaining resilient to floods of requests. Throttling limits abusive or runaway clients and so increases the security of protected web APIs and applications; it complements, rather than replaces, upstream protection against volumetric DDoS attacks.
Set limits in terms of transactions over a specific period of time (per second, per minute, per hour, per day, per week, and so on). Limit per user, domain name, or IP address, or by class of application or user, for example by subscription level such as gold, silver, or bronze. Monitor and audit traffic passing through OpenIG to enable alerting and reporting of events.
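The following is an added illustration of the throttling model described above, written for this page; it is not OpenIG's own code or configuration. It implements a fixed-window counter per grouping key, where the key is the authenticated user (or the source IP for anonymous traffic) and the limit depends on the subscription tier. The request layout, the `Throttler` and `simulate` helpers, and the numeric limits are assumptions; only the gold/silver/bronze tier names come from the page.

```python
"""Illustrative request throttling keyed by caller (added example for this
page; not OpenIG's own code or configuration). The page describes limits
per user, IP or subscription tier over a time window; this implements that
as a fixed-window counter per grouping key.

Assumptions (not from the page): requests are dicts with "client_ip",
"headers" and an optional "session" the gateway filled in after
authentication; tier names are from the page, the numeric limits are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Rate:
    number_of_requests: int   # allowed requests ...
    duration_s: float         # ... per window of this many seconds


TIER_RATES = {"gold": Rate(100, 60.0), "silver": Rate(20, 60.0), "bronze": Rate(5, 60.0)}
DEFAULT_RATE = Rate(2, 60.0)   # unknown or anonymous callers get the tightest limit


class Throttler:
    """Fixed-window counter per key. The clock is injectable for deterministic tests."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._windows = defaultdict(lambda: [0.0, 0])   # key -> [window_start, count]

    def allow(self, key, rate):
        now = self._clock()
        window = self._windows[key]
        if now - window[0] >= rate.duration_s:
            window[0], window[1] = now, 0     # window expired: start a new one
        if window[1] >= rate.number_of_requests:
            return False                      # over the limit for this window
        window[1] += 1
        return True


def grouping_key(request):
    """Throttle authenticated users individually, anonymous traffic per source IP."""
    session = request.get("session") or {}
    if session.get("username"):
        return "user:" + session["username"]
    return "ip:" + request["client_ip"]


def rate_for(request):
    """The tier comes from the gateway's own session, never from a client header:
    a header such as X-Subscription-Tier is attacker-controlled and is ignored."""
    session = request.get("session") or {}
    return TIER_RATES.get(session.get("tier"), DEFAULT_RATE)


def handle(throttler, request):
    """Status the gateway answers with: 200 (forward) or 429 Too Many Requests."""
    return 200 if throttler.allow(grouping_key(request), rate_for(request)) else 429


def simulate(events):
    """Replay constructed (timestamp, request) pairs through one throttler."""
    now = [0.0]
    throttler = Throttler(clock=lambda: now[0])
    statuses = []
    for ts, request in events:
        now[0] = ts
        statuses.append(handle(throttler, request))
    return statuses
```

The grouping key and the tier are both derived from state the gateway established itself; a client that sends its own tier header is still throttled at its real level, and a key that is never touched again costs nothing once its window expires.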
Where policy agents are available for applications, there may be too many to deploy easily, especially with hundreds or thousands of web apps and limited resources to test and manage them. OpenIG is a centralized enforcement point without the policy agent overhead, so administrators can reduce the time required to manage web apps by leveraging a single gateway.
OpenIG can authenticate all traffic passing through the gateway, adding a valuable layer of security. OpenIG is often deployed in the DMZ, as it has traffic-routing capabilities that send web traffic to the correct internal resources.
OpenIG's reverse proxy functionality enables an agentless architecture, eliminating the need for agents on each internal resource and augmenting existing web access management (WAM) deployments. When all traffic passes through the gateway, administrators can ensure that every request carries an authenticated identity, providing an additional layer of security. This holds only if the backends accept traffic from the gateway alone; a backend that can still be reached directly bypasses the enforcement point.
OpenIG can statefully transform messages passing through the gateway, adding and removing headers and other variables that would otherwise prevent one type of system from communicating with another in a standards-compliant manner.
This allows administrators to shape the traffic an app receives, or even to split traffic between multiple web apps or APIs, virtualizing the endpoint and streamlining integration with the current infrastructure.
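The following added example, written for this page and not OpenIG's own code, ties together the credential replay and the message transformation described above: a small filter chain that strips client-supplied identity and hop-by-hop headers, injects the identity the gateway authenticated, routes by path prefix, and replays the user's legacy credentials as HTTP Basic auth. The request layout, `CREDENTIAL_STORE`, `ROUTES` and all function names are assumptions made for the illustration; the sample data is constructed.

```python
"""Illustrative gateway filter chain (added example for this page; not
OpenIG's own code). Shows the two transformations the page describes:
stripping and adding headers on the way to a backend, and replaying
legacy credentials looked up for the authenticated user.

Assumptions (not from the page): requests are dicts with "path", "headers"
and a "session" the gateway has already populated; CREDENTIAL_STORE is a
constructed in-memory stand-in for the legacy credential database.
"""
import base64

# Constructed sample data: alice's login for a legacy app that still uses HTTP Basic auth.
CREDENTIAL_STORE = {"alice": ("alice_legacy", "s3cret")}

# Constructed backend table: the gateway virtualizes one public endpoint over two apps.
ROUTES = [("/api/", "http://api.internal:8080"), ("/", "http://legacy.internal:8080")]

# Headers the gateway itself sets. A client-supplied copy must never reach the backend,
# otherwise a caller could claim any identity by sending X-Remote-User directly.
GATEWAY_OWNED = {"x-remote-user", "authorization"}
# Hop-by-hop headers a proxy must not forward (RFC 7230 section 6.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authorization", "te",
              "trailer", "transfer-encoding", "upgrade"}


def strip_untrusted_headers(request):
    """Drop anything the client could use to impersonate the gateway or the hop."""
    request["headers"] = {k: v for k, v in request["headers"].items()
                          if k.lower() not in GATEWAY_OWNED | HOP_BY_HOP}
    return request


def inject_identity(request):
    """Tell the backend which user the gateway authenticated."""
    request["headers"]["X-Remote-User"] = request["session"]["username"]
    return request


def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def replay_credentials(request):
    """Credential replay: present the user's legacy login as Basic auth."""
    user = request["session"]["username"]
    if user not in CREDENTIAL_STORE:
        raise PermissionError(f"no legacy credentials for {user}")
    request["headers"]["Authorization"] = basic_auth(*CREDENTIAL_STORE[user])
    return request


def route(request):
    """Pick the internal backend by path prefix; first match wins."""
    request["backend"] = next(b for prefix, b in ROUTES if request["path"].startswith(prefix))
    return request


def gateway_request(inbound):
    """Run the inbound chain. Returns (status, request): 200 to forward, 403 to reject."""
    request = {"path": inbound["path"], "session": inbound["session"],
               "headers": dict(inbound["headers"])}
    try:
        for f in (strip_untrusted_headers, inject_identity, route, replay_credentials):
            request = f(request)
    except PermissionError:
        return 403, None
    return 200, request


def scrub_response(response):
    """Outbound transformation: hide backend fingerprints from the client."""
    response["headers"] = {k: v for k, v in response["headers"].items()
                           if k.lower() not in {"server", "x-powered-by"}}
    return response
```

The order of the filters matters: stripping runs before injection so that a spoofed `X-Remote-User` or `Authorization` from the client is always overwritten by the gateway's own values, and a user with no legacy credential is rejected at the gateway rather than forwarded with nothing.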
OpenIG makes federation less complicated by including the OpenAM Fedlet, a small web application that can act as a SAML Service Provider, so you can quickly add a SAML endpoint to your environment.
OpenIG supports JWT sessions, as well as SAML, OAuth 2.0, and OpenID Connect, for easy integration between SaaS, cloud, and mobile services in addition to on-premises infrastructure. This gives OpenIG a great deal of deployment flexibility, supporting any third-party WAM solution or existing web app environment. OpenIG is also designed for easy, step-by-step configuration: the configuration files are simple to read thanks to inlining and decorators. In addition, OpenIG can quickly activate dynamic logging and debugging output. Administrators can leverage existing expertise to enhance and deploy Identity Gateway without the need for external services.
The Common Audit Framework provides a means to log data consistently across the ForgeRock Identity Platform, including OpenIG, and enables correlation of events and transactions. Audit topics, such as access and activity, can be configured independently, delivering the data you want to the appropriate business services. Audit event handlers are available for CSV files, JDBC connections, syslog, and Elasticsearch (part of the ELK stack).
An in depth description of the OpenIG features can be found in the documentation.