Lately I worked on a really interesting identity management project. The customer in this project is developing a complex search engine that it plans to sell to companies and organizations that already have their own enterprise infrastructure. The search engine would mostly be installed on a DNS domain different from that of the existing applications. Employees should authenticate to their (possibly federated) intranet before being able to access the external search engine.
After considering several solutions, we decided to use OpenIG, a ForgeRock product: a web application gateway based on a reverse proxy architecture that can intercept, transform and filter HTTP requests. This makes it easy to intercept requests that would normally require the user to authenticate, obtain the user's login credentials, and send the necessary HTTP request to the target application, thereby logging the user in without modifying or installing anything on the application. Last but not least, by enabling the relevant service, OpenIG becomes a SAML2 endpoint.
Taking the least intrusive approach, we chose to deploy OpenIG as a SAML2 federation gateway, so that end users log on to their local enterprise network before being redirected to, and automatically authenticated on, the search engine.
- Browser: the end user
- IDP: the company Identity Provider
- Gateway: OpenIG configured as a federation gateway (could be OpenAM if none is installed beforehand)
- Portal: the search engine
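To make the roles above concrete, here is a small Python model of what the Gateway does on the SP side of this flow: redirect an unauthenticated browser to the IDP, validate the returned assertion against its own identifiers before creating a session, and only then proxy to the Portal. This is an added illustration, not OpenIG code or configuration; the entity IDs, ACS URL, timestamps and attributes are constructed placeholders, and the XML signature check that a real SAML library performs is assumed to have already passed.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Constructed identifiers for the parties in the list above (not from the post).
IDP_ENTITY_ID = "https://idp.corp.example/idp"
GATEWAY_ENTITY_ID = "https://search.example.com/sp"
GATEWAY_ACS = "https://search.example.com/saml/acs"
FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

class Gateway:
    def __init__(self):
        self.pending = {}   # AuthnRequest ID -> portal URL the browser asked for
        self.sessions = {}  # session cookie -> attributes released by the IDP

    def handle_request(self, cookie, portal_url):
        # Known session: forward to the portal with the user's identity attached.
        if cookie in self.sessions:
            return ("proxy", portal_url, self.sessions[cookie])
        # Otherwise remember where the user wanted to go and redirect to the IDP.
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = portal_url
        return ("redirect", IDP_ENTITY_ID, {"ID": req_id, "ACS": GATEWAY_ACS})

    def consume_response(self, resp, now=None):
        # Signature assumed verified; these checks bind the assertion to THIS gateway.
        now = now or datetime.now(timezone.utc)
        if resp["Issuer"] != IDP_ENTITY_ID:
            return ("reject", "unknown issuer")
        if resp["Destination"] != GATEWAY_ACS:
            return ("reject", "response not addressed to our ACS")
        if resp["Audience"] != GATEWAY_ENTITY_ID:
            return ("reject", "assertion issued for another SP")
        if not (resp["NotBefore"] <= now < resp["NotOnOrAfter"]):
            return ("reject", "assertion outside its validity window")
        # pop() makes each AuthnRequest ID single-use, so a replayed response fails.
        portal_url = self.pending.pop(resp.get("InResponseTo"), None)
        if portal_url is None:
            return ("reject", "unsolicited or replayed InResponseTo")
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = resp["Attributes"]
        return ("session", cookie, portal_url)

def build_response(req_id, now=FIXED_NOW, **overrides):
    """Constructed stand-in for a parsed, signed IDP Response (sample data)."""
    resp = {"Issuer": IDP_ENTITY_ID, "Destination": GATEWAY_ACS,
            "Audience": GATEWAY_ENTITY_ID, "InResponseTo": req_id,
            "NotBefore": now - timedelta(minutes=1),
            "NotOnOrAfter": now + timedelta(minutes=5),
            "Attributes": {"uid": "alice", "mail": "alice@corp.example"}}
    resp.update(overrides)
    return resp
```

Each rejected case (foreign audience, wrong destination, expired or replayed response) is exactly the kind of event worth logging at the gateway, since it is the only component that sees both the IDP's response and the portal request it is about to authorize.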