OpenIG – Identity Gateway


Open Identity Gateway

OpenIG 4.5 – What’s new!

The Open Identity Gateway is a high-performance reverse proxy server with specialized session management and credential replay functionality. Feature overview.

OpenIG works together with OpenAM to integrate Web applications without the need to modify the target application or the container that it runs in.

Practical bits

Source code

OpenIG is open source. You can check out the source code here.

The code is licensed under CDDL.

Official project repository

Get involved!

Play with it and let us know how it’s working for you: blog about it, write an article on our wiki or post on our mailing list.

Contribute to the development of OpenIG by checking out the source code, adding to our issue/bug tracker, or commenting on our documentation.


OpenIG feature overview

OpenIG is an independent policy enforcement point that reduces the proliferation of passwords and ensures consistent, secure access across multiple web apps and APIs. OpenIG can leverage any standards-compliant identity provider to integrate into your current architecture. Single sign-on and sign-off improve the user experience and will vastly improve adoption rates and consumption of the services provided.

Using OpenIG, organizations can add a layer of identity security to applications and APIs without costly and time-consuming changes to each individual app. OpenIG is even able to look up usernames and passwords in a legacy database and replay them to the web app or API. By reducing the number of passwords end-users need to remember, IT can reduce the costs of maintaining legacy applications.

Prevent unwanted traffic from disrupting operations and uphold SLAs with OpenIG's throttling functionality, which limits the rate at which protected Web APIs and applications receive requests and so reduces the impact of abusive or denial-of-service traffic on the applications behind the gateway.

Set limits in terms of transactions over a specific period of time: per second, per minute, per hour, per day, per week, and so on. Apply them per user, domain name, or IP address, or to different classes of applications or users, for example throttling by subscription level such as gold, silver, or bronze. Monitor and audit traffic passing through OpenIG to enable alerting and reporting of events.

In cases where policy agents are available for applications, there may be too many to easily deploy, especially if you have hundreds or thousands of web apps and limited resources to test and manage them. OpenIG is a centralized enforcement point without the policy agent overhead. Administrators can reduce the time required to manage web apps by leveraging a single gateway.

OpenIG can authenticate all traffic passing through the gateway, adding a valuable layer of security. OpenIG is often deployed in the DMZ, as it has traffic-routing capabilities that send web traffic to the correct internal resources.

OpenIG reverse proxy functionality enables an agentless architecture, eliminating the need for agents on each individual internal resource, and augmenting existing web access management (WAM) deployments. When all traffic goes through a gateway, administrators can ensure that all traffic identities are authenticated, providing an additional layer of security.

OpenIG can statefully transform messages passing through the gateway, adding and removing headers and other variables that would otherwise prevent one type of system from communicating with another in a standards-compliant manner.

This allows administrators to shape the traffic an app receives, or even to split the traffic between multiple web apps or APIs, virtualizing the endpoint and streamlining the integration capabilities of the current infrastructure.
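As an added illustration of the throttling and header-transformation features described above (this is an example written for this page, not configuration shipped with OpenIG or taken from its documentation), the route below fronts a hypothetical backend at http://legacy-app.internal:8080, caps each client at 60 requests per minute, strips a header the backend would otherwise trust from the client, and adds one the gateway sets itself. The filter types ThrottlingFilter, HeaderFilter, Chain and ClientHandler and their fields are as found in the OpenIG 4.x route format to the best of the editor's recollection; the route path, backend host, and the header names X-Client-Id and X-Forwarded-User are assumptions chosen for the example, and the field names should be checked against the reference for the OpenIG version you deploy.

```json
{
  "condition": "${matches(request.uri.path, '^/legacy-app')}",
  "baseURI": "http://legacy-app.internal:8080",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "ThrottlingFilter",
          "config": {
            "requestGroupingPolicy": "${request.headers['X-Client-Id'][0]}",
            "rate": {
              "numberOfRequests": 60,
              "duration": "1 minute"
            }
          }
        },
        {
          "type": "HeaderFilter",
          "config": {
            "messageType": "REQUEST",
            "remove": [ "X-Forwarded-User" ],
            "add": {
              "X-Forwarded-Proto": [ "https" ]
            }
          }
        }
      ],
      "handler": "ClientHandler"
    }
  }
}
```

Two points a practitioner should check before copying this pattern. First, the throttling key is only as trustworthy as its source: grouping on a header the client supplies, as here with X-Client-Id, lets a caller dodge the limit by varying the header, so in production key the policy on something the gateway establishes itself (the authenticated subject, or the remote address when OpenIG sits behind a trusted load balancer). Second, any header the backend trusts because "it comes from the gateway" must be removed from inbound requests before the gateway adds its own value; otherwise a client can inject it directly, and the backend cannot tell the difference.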

OpenIG makes federation less complicated by including the OpenAM Fedlet—a small web application that can act as a Service Provider—in order to quickly and easily add a SAML end-point to your environment.

OpenIG supports JWT sessions, as well as SAML, OAuth 2.0, and OpenID Connect for easy integration between SaaS, cloud, and mobile services, in addition to on-premises infrastructure. This gives OpenIG a great deal of deployment flexibility, supporting any third-party WAM solution or existing web app environment. OpenIG is also designed for easy, step-by-step configuration–it’s simple to read the configuration files with inlining and decorators. In addition, OpenIG can quickly activate dynamic logging and debugging information. Administrators can leverage existing expertise to enhance and deploy Identity Gateway without the need for external services.

The Common Audit Framework provides a means to log data consistently across the ForgeRock Identity Platform, including OpenIG, and enables correlation of events and transactions. Audit topics, such as access and activity, can be configured independently, delivering the data you want to the appropriate business services. Audit events can be written through handlers for CSV files, JDBC connections, syslog, and Elasticsearch (part of the ELK stack).

An in depth description of the OpenIG features can be found in the documentation.

OpenIG Slides and video

Introduction to OpenIG

Identi-Tea Podcast: Episode 4 – The Rodeo of Things

OpenIG blog posts

©2017 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
