I am in the process of trying to configure my ForgeRock AM with a legacy application (password based) to initiate login through SSO and make AD my IDP.
So far, I have managed to make my AD the IDP but still cannot configure my AM with the legacy application.
Hint: the application that I am trying to make the SSO for does not support any of the federation protocols.
What integration options have you explored for your application? Could you install a web (User guide :: ForgeRock Web Policy Agents) or Java (User guide :: ForgeRock Java Policy Agents) agent on the application server and make some code changes to the application to receive authenticated user details via headers? Or could you do something similar via IG?
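The header-based integration suggested above has one check the legacy application cannot skip: it must only trust the identity header when the request actually came through the agent or IG, otherwise any client can set the header itself. The following is an added illustration, not code from the thread, from ForgeRock or from the policy agents; it assumes a shared secret provisioned out of band between the gateway and the app, constructed header names (X-Auth-User, X-Auth-Timestamp, X-Auth-Signature) and a plain dict standing in for the HTTP headers. The gateway side strips any client-supplied copies of those headers and signs the authenticated user with an HMAC; the app side accepts the user only if the signature verifies and the timestamp is fresh.

```python
import hashlib
import hmac
import time

# Constructed demo secret shared between the gateway and the legacy app (assumption:
# provisioned out of band and rotated; never exposed to clients).
GATEWAY_SECRET = b"constructed-demo-secret-rotate-me"

# Hypothetical header names; the real agent/IG configuration decides these.
IDENTITY_HEADER = "X-Auth-User"
TIMESTAMP_HEADER = "X-Auth-Timestamp"
SIGNATURE_HEADER = "X-Auth-Signature"
MAX_SKEW_SECONDS = 300

_PROTECTED = {IDENTITY_HEADER.lower(), TIMESTAMP_HEADER.lower(), SIGNATURE_HEADER.lower()}


def sign(uid: str, ts: str) -> str:
    """HMAC over timestamp and uid so the app can tell the header was set by the gateway."""
    return hmac.new(GATEWAY_SECRET, f"{ts}\n{uid}".encode(), hashlib.sha256).hexdigest()


def gateway_forward(client_headers: dict, authenticated_uid: str, now=None) -> dict:
    """Gateway side (what an agent or IG route would do after AM authentication):
    drop any client-supplied identity headers, then add the authenticated uid, a
    timestamp and a signature before forwarding to the legacy app."""
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in _PROTECTED}
    ts = str(int(now if now is not None else time.time()))
    forwarded[IDENTITY_HEADER] = authenticated_uid
    forwarded[TIMESTAMP_HEADER] = ts
    forwarded[SIGNATURE_HEADER] = sign(authenticated_uid, ts)
    return forwarded


def _get(headers: dict, name: str):
    # Case-insensitive header lookup, as HTTP header names are case-insensitive.
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def legacy_app_user(headers: dict, now=None):
    """Legacy app side: return the authenticated uid, or None if the headers are
    missing, stale or not signed with the gateway secret."""
    uid = _get(headers, IDENTITY_HEADER)
    ts = _get(headers, TIMESTAMP_HEADER)
    sig = _get(headers, SIGNATURE_HEADER)
    if not (uid and ts and sig):
        return None
    try:
        ts_int = int(ts)
    except ValueError:
        return None
    current = int(now if now is not None else time.time())
    if abs(current - ts_int) > MAX_SKEW_SECONDS:
        return None  # replayed or clock-skewed request
    if not hmac.compare_digest(sig, sign(uid, ts)):
        return None  # header was forged or tampered with in transit
    return uid


if __name__ == "__main__":
    # Constructed request: the client tries to claim "admin" via the identity header.
    client_request = {"Accept": "text/html", IDENTITY_HEADER: "admin"}
    print("direct to app:", legacy_app_user(client_request))          # None
    via_gateway = gateway_forward(client_request, "alice")
    print("via gateway:", legacy_app_user(via_gateway))               # alice
```

Binding the header to the gateway with a shared-secret signature is one option; restricting the app's listener so it only accepts connections from the gateway host, or mutual TLS between gateway and app, achieves the same thing at the network layer. Whichever is used, the app must never read the identity header from a request that could have come straight from the client.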
Well, I went with IG because it is the latest and recommended option. I can integrate with legacy applications using IG with the password replay method; the dilemma is, in case I have different usernames and passwords in this application, is there a method to achieve this?
Note: I did not try Web agent or Java agent.
When users have different credentials across apps, there are only a few options to orchestrate the integration:
- Consolidate all users within a single identity and use centralised authentication with AM. I recognise that this is often not an option with legacy applications, but it’s the simplest solution in the longer term.
- Have the legacy app in some way recognise that a user has authenticated with some kind of proof against AM (the IDP), e.g. a SAML2 assertion or an OIDC id_token. As @mwtech mentioned, this can’t escape some modifications at the legacy app level.
Alternatively, in order to replay a user’s credentials, IG would have to remember the username and password, which would have to be captured once and stored somewhere for IG to replay later (keyed with the AM authoritative identity). And of course, this solution would need to be aware of credential changes. Honestly, I have not seen this kind of integration done, and would not recommend taking that path. It’s a home-grown, non-standardised integration, one that most corporations are moving away from nowadays, so it can only be temporary. The only standard ways, as far as I know, are the methods mentioned above.
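To make concrete why the replay approach described above is fragile, here is an added sketch (not from the thread, and not IG's own PasswordReplayFilter) of the mapping such an integration would have to maintain: the AM-authoritative uid keyed to a legacy username and password, captured once and replayed later. The legacy application is a constructed in-memory stand-in, the vault keeps credentials in a plain dict purely for illustration (a real store would need encryption at rest and strict access control, which this does not show), and the point of the example is the failure mode the reply calls out: when the password changes at the legacy app, the replay fails and the stale mapping has to be dropped and re-captured from the user.

```python
class LegacyApp:
    """Constructed stand-in for the password-based legacy application."""

    def __init__(self, users: dict):
        self._users = dict(users)  # legacy username -> password

    def login(self, username: str, password: str) -> bool:
        return self._users.get(username) == password

    def change_password(self, username: str, new_password: str) -> None:
        # Simulates a password change made directly in the legacy app, outside AM.
        self._users[username] = new_password


class ReplayVault:
    """Maps the AM-authoritative identity to legacy credentials for password replay.

    Illustration only: credentials are held in memory in clear text. A real
    implementation would need encrypted storage, access control and auditing,
    which is part of why this integration style is discouraged."""

    def __init__(self, app: LegacyApp):
        self._app = app
        self._store = {}  # am_uid -> (legacy_username, legacy_password)

    def capture(self, am_uid: str, legacy_username: str, legacy_password: str) -> bool:
        # Verify before storing so a mistyped password is not replayed forever.
        if not self._app.login(legacy_username, legacy_password):
            return False
        self._store[am_uid] = (legacy_username, legacy_password)
        return True

    def replay(self, am_uid: str) -> str:
        """Return "ok" if stored credentials still log in, otherwise "recapture"
        (nothing stored, or the legacy password changed since capture)."""
        entry = self._store.get(am_uid)
        if entry is None:
            return "recapture"
        username, password = entry
        if self._app.login(username, password):
            return "ok"
        # Credential changed at the legacy app: drop the stale mapping so the
        # user is prompted again instead of being locked out by repeated failures.
        del self._store[am_uid]
        return "recapture"

    def has_mapping(self, am_uid: str) -> bool:
        return am_uid in self._store


if __name__ == "__main__":
    # Constructed data: AM user "jdoe" maps to a different legacy username.
    app = LegacyApp({"jdoe_legacy": "Winter2024"})
    vault = ReplayVault(app)
    print(vault.replay("jdoe"))                                    # recapture
    print(vault.capture("jdoe", "jdoe_legacy", "Winter2024"))      # True
    print(vault.replay("jdoe"))                                    # ok
    app.change_password("jdoe_legacy", "Spring2025")
    print(vault.replay("jdoe"))                                    # recapture
```

Everything the vault has to handle (secure storage, detecting changes, prompting the user again, locking policy on the legacy side) is work that a SAML2 assertion or OIDC id_token consumed by the application would make unnecessary, which is the reason the standard options listed above are preferable.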