OpenIG is the way to go

My colleague, Greg Cranz, repeated this point this morning. OpenIG is ForgeRock’s answer to the “web agents will only take you so far, assuming you want to go there” conundrum many of us in identity management have struggled with over the years. More follows.

OpenIG, or “Open Identity Gateway”, was originally introduced to the world by ForgeRock in 2011. At the time a lot of us had been in a decades-long struggle with various flavors of web agent for SSO products like SiteMinder, and later, ForgeRock’s own OpenAM.

The basic problem was simple. A web agent is basically a plugin for a web server (e.g. Apache’s HTTP Server) that allows identity system policies to be applied at the point where web content is being published to users. The problem has always been that general purpose web servers are not designed for this, and that has caused suffering to many sysadmins along the way.

OpenIG is different. It’s a purpose-built reverse proxy that was designed from the ground up to work with identity service providers while publishing web content to users. In most cases OpenIG will run on your application servers (e.g. Apache Tomcat) just like any other Java web service.

In addition to flat files, SQL databases and OpenAM, the OpenIG server can be configured as a SAML v2 service provider or an OAuth v2 resource server or client. This makes it much more flexible than any “web agent” I can think of, and positions it as a kind of “Swiss Army Knife” for identity service managers.

On June 23, ForgeRock is giving a webinar on OpenIG appropriately entitled “OpenIG: Your Swiss Army Knife”.


Guide to OpenIG 3.1.0
A Contemplation of OpenIG: Deep Thoughts (video)


About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).