Identitrain
Copyright © Identitrain, Inc. 2026

Unlock your full potential in IAM

This is Identitrain

Master Identity and Access Management with world-class training designed by experts who live it every day.

Led by practitioners, not theorists, our training gives you the skills to design, implement, and secure identity solutions that protect what matters most.

Choose Your Path to IAM Mastery

Whether you’re starting your IAM journey or advancing toward certification, our structured learning paths guide you every step of the way. Select from Identity Management, Access Management, Governance, or Best Practices tracks designed to match your role and goals.

Built for Every IAM Professional

From architects and developers to project managers and business leaders, Identitrain delivers training that fits your role. Whether you’re designing IAM strategies, building integrations, or leading transformation projects, we’ve got a path for you.

Training Designed by Practitioners, Proven in the Field

Our instructors bring years of real-world IAM experience into the classroom. We blend vendor-agnostic fundamentals with deep expertise in leading platforms like Ping, SailPoint, Okta, and beyond. Every course is modular, lab-focused, and designed to give you actionable skills you can immediately put to use!

Join a Growing Community of IAM Experts

Training doesn’t end with the last session. Graduates join our global practitioner network, gaining access to peer discussions, expert webinars, alumni resources, and exclusive discounts. Learn, connect, and grow alongside IAM professionals worldwide.

Upcoming Courses
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization Code grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in Google Kubernetes Engine (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Apr 20
5 days
AIC-CERT-PREP Rev A.1

Certified Professional - PingOne Advanced Identity Cloud Exam Preparation

This course helps prepare students to take the Certified Professional - PingOne Advanced Identity Cloud exam, formerly known as the ForgeRock® Identity Cloud Certified Professional exam. It does so by presenting exam contents, logistics, and preparation tips, along with lab exercises that cover the exam contents and a sample exam that is representative of the exam itself.

Upon completion of this course, you should be able to:

  • Register to take the exam
  • Prepare for the exam using recommended study materials
  • Take the exam either remotely or at a Pearson Testing Center

The following are the prerequisites for successfully completing this course:

  • Successful completion of the AIC-300 Getting Started With PingOne Advanced Identity Cloud for Administrators course
  • Thorough understanding of all PingOne Advanced Identity Cloud documentation and Knowledge Base articles on Backstage
  • 3-6 months of experience configuring and administering PingOne Identity tenants
  • Working knowledge of OAuth 2.0, OpenID Connect and SAML v2.0

Course Contents

Exam Overview
  • Explain exam metrics and passing scores
  • Provide an approach for responding to test questions
  • Identify options for registering and taking the exam
  • Describe testing center requirements
  • Describe requirements for taking the exam online
  • Show how to access exam results
Exam Details
  • Review the exam details and requirements
  • Explain exam topics and study areas
  • Present the objectives covered in the exam
  • Review important concepts associated with exam objectives
  • Review sample questions associated with objectives
  • Provide applicable materials for review
Lab Exercises
  • Research topics which will be covered in the exam
  • Navigate the PingOne Advanced Identity Cloud admin UI
  • Describe PingOne Advanced Identity Cloud configuration settings
  • Explain how to perform PingOne Advanced Identity Cloud related tasks
  • Configure PingOne Advanced Identity Cloud related services
Sample Exam
  • Test a student’s knowledge of PingOne Advanced Identity Cloud
  • Provide students with a representative exam experience
Apr 23
1 day
IGA-400-BVP Rev A.1

PingOne Advanced Identity Cloud Identity Governance

This course provides a hands-on technical introduction to PingOne Advanced Identity Cloud Identity Governance (Identity Governance). Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course is based on PingOne Advanced Identity Cloud (Advanced Identity Cloud) with the Identity Governance functionality added.

Upon completion of this course, you should be able to:

  • Discover how to access, manage, and work with Identity Governance capabilities
  • Create target applications and configure their mapping with Advanced Identity Cloud, reconcile entitlements from the applications, and provision accounts to the applications
  • Create and manage workflows, access requests for resources (entitlements, applications, roles), forms for access requests, and governance glossary items
  • Create and start scheduled and event-based certification campaigns to verify user access, and manage compliance by implementing Segregation of Duties (SoD) policies and rules

The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course.
  • Recommended completion of the PingOne Advanced Identity Cloud Administration course.
  • Knowledge of basic Windows/PowerShell commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A familiarity with the Advanced Identity Cloud admin and end-user UIs


Chapter 1: Introducing Identity Governance

Discover how to access, manage, and work with Identity Governance capabilities.

Lesson 1: Introducing Identity Governance

Describe Identity Governance and the related capabilities available in Advanced Identity Cloud:

  • Describe the purpose of Identity Governance
  • Introduce Identity Governance
  • Access Advanced Identity Cloud
  • Describe the course environment and architecture
  • Access your CloudShare environment
  • Access your Advanced Identity Cloud tenant
  • Access and explore your PingOne tenant environment

Lesson 2: Onboarding Applications and Identities

Create applications for onboarding users:

  • Explain Identity Governance terminology
  • Describe application types
  • Register and manage applications
  • Connect an application with an identity source
  • Configure application provisioning
  • Onboard and provision users, roles, and entitlements
  • Create a connector server in Advanced Identity Cloud
  • Connect the RCS with Advanced Identity Cloud
  • Customize the Advanced Identity Cloud user schema
  • Register an authoritative application and onboard identities

Chapter 2: Managing Identity Lifecycle and Entitlements

Create target applications and configure their mapping with Advanced Identity Cloud, reconcile entitlements from the applications, and provision accounts to the applications.

Lesson 1: Reconciling Entitlements

Load and manage entitlements from target applications in Advanced Identity Cloud:

  • Describe entitlements
  • Manage entitlements
  • Assign and revoke entitlements to/from users and roles
  • Request access for an entitlement
  • Reconcile entitlements from Active Directory (AD)
  • Reconcile entitlements from PingOne

Lesson 2: Synchronizing Identity Data

Describe synchronization as a foundation of identity lifecycle management in Identity Governance, and provision and manage application accounts:

  • Describe the need for synchronization
  • Explore synchronization in Identity Governance
  • Describe how changes are managed during synchronization
  • Provision and manage application accounts
  • Provision an account to AD
  • Provision an account and entitlement to PingOne

Chapter 3: Creating and Managing Workflows and Access Requests

Create and manage workflows, access requests for resources (entitlements, applications, roles), forms for access requests, and governance glossary items.

Lesson 1: Managing Access Requests for Resources

Create, review, and manage access requests for resources, such as applications, entitlements, and roles:

  • Explain access request concepts
  • Access request administration
  • Request access to resources
  • Review and handle access requests
  • Request to provision an AD account with entitlements
  • Request to provision PingOne accounts with entitlements
  • Define a conditional provisioning role
  • Define and request a provisioning role

Lesson 2: Managing Glossary Items and Scopes

Create and manage governance glossary items and scopes to manage what can be requested:

  • Describe the governance glossary
  • Define and populate glossary attribute values
  • Use glossary attribute values as filters
  • Request access to entities for others
  • Create scopes to control what can be requested
  • Define glossary items for use in workflows and scopes
  • Create access requests for others and add scopes

Lesson 3: Creating Workflows, Request Types, and Forms

Manage workflows, request types, and forms for customizing access requests, and schedule a task scanner job:

  • Create and manage workflows
  • Build a workflow with nodes
  • Create and manage request types
  • Create and manage forms for customized user-interaction
  • Designing forms in the form editor
  • Create and manage a task scanner
  • Create new workflows and update default workflows
  • Create and manage forms to customize user interaction

Chapter 4: Managing Certifications and Compliance

Create and start scheduled and event-based certification campaigns to verify user access, and manage compliance by implementing SoD policies and rules.

Lesson 1: Configuring and Running Certifications

Prepare and perform certification of access to applications:

  • Certify access in Identity Governance
  • Create certification templates
  • Configure the certification template
  • Manage certification templates
  • Create certification campaigns
  • Perform access reviews
  • Certify access based on events
  • Configure and initiate entitlement certifications
  • Certify entitlements for the certification campaign
  • Configure an event that triggers certification
  • Configure an event that initiates a workflow
  • Manage approvals for triggered events

Lesson 2: Managing Compliance With SoD

Manage compliance and implement SoD policies:

  • Describe SoD
  • Define policy rules
  • Configure compliance policies
  • Run compliance scans
  • Manage violations and exceptions
  • Create an SoD rule and policy
  • Run a compliance scan
  • Make a request that violates compliance
Apr 27
4 days
P1-400-BVP Rev A.1

PingOne Administration

This course gives learners the tools to get started with PingOne administration. It covers initial setup tasks, including creating and managing PingOne environments, application integration, and customization. This course also provides information on most common administration tasks, including user and group management, managing access policies, best practices, and troubleshooting of common issues.

Upon completion of this course, you should be able to:

  • Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment
  • Demonstrate administration of PingOne user populations, user roles, attributes, and groups
  • Demonstrate integration and troubleshooting of PingOne applications
  • Demonstrate how to use access control policies within PingOne
  • Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne
  • Demonstrate troubleshooting techniques and best practices within PingOne

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses available at: https://backstage.forgerock.com/university/ping/on-demand/category/PING
  • PingOne Fundamentals
  • Introduction to PingOne MFA
  • Getting Started With PingOne MFA
  • Getting Started With PingOne SSO
  • (Optional) Introduction to PingOne DaVinci
Chapter 1: Introducing PingOne

Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment.

Lesson 1: Providing an Overview of PingOne
Summarize PingOne capabilities and key features:
  • Describe PingOne as a cloud-based IDaaS solution
  • Describe PingOne environment solutions
  • Create a new environment
Lesson 2: Introducing Ping Identity Support Resources
Describe PingOne support resources:
  • Locate Ping Identity support resources
Chapter 2: Managing Users

Demonstrate administration of PingOne user populations, user roles, attributes, and groups.


Lesson 1: Managing Users and Populations

Describe how to manage users in PingOne, including how to create populations and add individual users:

  • Review default users
  • Edit default users
  • Create populations
  • Create a new population
  • Create new users
  • Create a new user
Lesson 2: Managing User Roles, Attributes, and Groups
Create a new population and new users:
  • Manage administrator roles
  • Assign roles to administrators
  • Understand user attributes
  • Manage user attributes
  • Manage user groups
  • Manage user group memberships
Chapter 3: Defining Application Integration

Demonstrate integration and troubleshooting of PingOne applications.

Lesson 1: Describing the Supported Federation Protocols
Understand the various identity federation protocols used within PingOne:
  • Understand federation protocols
  • Add an application from the catalog
  • Understand SAML2
  • Add a custom SAML2 application
  • Understand OAuth2
  • Understand OIDC
  • Add a custom OIDC application
  • Administer the Application Portal
Lesson 2: Troubleshooting Common PingOne Issues
Describe common issues that occur in PingOne, troubleshooting steps, and best practices:
  • Describe authentication failures
  • Define SSO failures
  • Describe attribute mapping errors
  • Determine certificate issues
  • Define group membership issues
  • Describe application integration issues
  • Define gateway access issues
  • Describe best practices
Chapter 4: Configuring Access Control

Demonstrate how to use access control policies within PingOne.

Lesson 1: Managing Authentication Policies
Describe how to create and manage authentication policies in PingOne:
  • Describe authentication policies
  • Create an authentication policy
Lesson 2: Managing Password Policies
Describe how to manage password policies in PingOne:
  • Define password policies
  • Edit a password policy
Lesson 3: Using Additional Authentication Methods
Describe how to create and manage authentication methods used in PingOne policies:
  • Describe MFA and FIDO policies
  • Create an MFA policy
  • Create a FIDO policy
Chapter 5: Managing the Identity Lifecycle

Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne.

Lesson 1: Managing User Onboarding
Discuss the initial stages of the identity lifecycle within PingOne, and describe how new user accounts are created and made ready for access:
  • Onboard users
  • Create users manually
Lesson 2: Understanding User Provisioning
Explain how PingOne automates the management of user access to applications, building upon the user identities created during onboarding:
  • Provision users
Lesson 3: Understanding User Maintenance
Describe how to manage the user maintenance capabilities in PingOne:
  • Administer user accounts
  • Manage a user account
Lesson 4: Managing User Offboarding
Understand the critical process of user offboarding within PingOne:
  • Offboard users
Lesson 5: Monitoring and Reporting
Explain the importance of monitoring and reporting within PingOne:
  • Monitor activity and view reports

Chapter 6: Troubleshooting and Best Practices

Demonstrate troubleshooting techniques and best practices within PingOne.

Lesson 1: Managing the Troubleshooting Process
Summarize the troubleshooting process and common techniques within PingOne:
  • Introduce the troubleshooting process
  • Understand common troubleshooting techniques
Lesson 2: Reviewing Best Practices
Summarize PingOne administration best practices:
  • Maintain a healthy PingOne environment
Apr 27
2 days
IG-430-BVP Rev A

PingGateway Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful edge security solution with the PingGateway environment, formerly known as ForgeRock® Identity Gateway. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of PingGateway. Further information and guidance can be found in the documentation and knowledge base documents in the online repositories at: Backstage https://backstage.forgerock.com.

Note: Revision A of this course is based on version 7.2 of PingGateway.

Upon completion of this course, you should be able to:

  • Integrate and protect web applications, APIs, legacy applications, and microservices with the Ping Identity Platform (Identity Platform), formerly known as ForgeRock® Identity Platform, by using PingGateway
  • Add authentication to the ForgeRock Entertainment Company (FEC) solution using PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud, or PingAM (AM), formerly known as ForgeRock® Access Management, as the access manager, OpenID Connect (OIDC) provider, and Security Assertion Markup Language (SAML2) identity provider (IdP)
  • Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice
  • Protect a REST API with PingGateway and extend PingGateway functionality with scripting
  • Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingGateway Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjQ%3D/chapter/Q291cnNlOjE1NzI2

Chapter 1: Integrating Applications With PingGateway

Integrate and protect web applications, APIs, legacy applications, and microservices with Identity Platform by using PingGateway.

Lesson 1: Introducing PingGateway
Introduce PingGateway and discuss scenarios for protecting web applications, APIs, and legacy applications:
  • Introduce PingGateway
  • Describe PingGateway features
  • Compare PingGateway with policy agents
  • Explore PingGateway integration with web applications
  • Describe PingGateway integration with OIDC and SAML
  • Explore PingGateway policy enforcement and second-factor authentication (2FA)
  • Describe PingGateway protection of APIs
  • Access your CloudShare VM
  • Examine the lab environment
  • Access the FEC and DVD4U websites
Lesson 2: Fronting a Website With PingGateway
Configure PingGateway to listen for secure connections, operate in development mode, and be a reverse proxy in front of the FEC website:
  • Examine the PingGateway configuration structure
  • Describe required PingGateway configuration
  • Configure PingGateway for secure connections
  • Configure PingGateway routes
  • Creating and managing routes in PingGateway Studio
  • Protect a website by using PingGateway Studio
  • Upgrade a route to use WebSockets
  • Configure PingGateway for development mode and TLS connections
  • Protect the FEC website with PingGateway by using PingGateway Studio
  • Manage routes in PingGateway Studio and examine PingGateway log files
Lesson 3: Routing Requests and Responses
Configure PingGateway to route requests depending on external conditions, and use various filters and handlers to process requests and responses within a route:
  • Describe the PingGateway object model
  • Examine objects available in routes
  • Retrieve context data and configure sessions
  • Route requests depending on conditions
  • Describe route handlers
  • Manage requests and responses with a route handler
  • Process requests and responses with filters
  • Create a route to allow access to a public area of FEC
  • Add a page not found route
  • Create a route to access the legacy DVD4U application
  • Add password replay for the DVD4U application
Lesson 4: Configuring PingGateway Logging and Capturing Route Communication
Introduce decorators, capture information in the PingGateway logs using the CaptureDecorator, and retrieve credentials from a file with a FileAttributesFilter:
  • Manage PingGateway logs
  • Introduce Decorators
  • Configure route activity logs
  • Capture inbound and outbound communication
  • Retrieve credentials from a file
  • Observe requests and responses in PingGateway logs
  • Test different capture configuration settings
  • Centralize PingGateway logging configuration
  • Modify the DVD4U route to get credentials from a file
  • Use Logback configuration for troubleshooting
Chapter 2: Configuring Agentless Single Sign-On

Add authentication to the FEC solution, using Advanced Identity Cloud or AM as the access manager, OIDC provider, and SAML2 identity provider.

Lesson 1: Implementing Authentication with the SSO Filter
Implement authentication for websites with the single sign-on (SSO) filter by using PingGateway to interact with Advanced Identity Cloud or AM as the authentication server, to ensure access to non-public content requires authentication:
  • Create a route by using the PingGateway Studio Freeform Designer
  • Configure Advanced Identity Cloud or AM as a service
  • Describe how to use the SSO Filter
  • Retrieve user data from the authentication provider
  • Configure PingGateway as an HTTPS client
  • Create a route with the PingGateway Studio Freeform Designer
  • Redirect requests to AM for authentication
  • Configure PingGateway for client-side HTTPS
  • Access properties in SSO token context
  • Retrieve user profile data for display in a web page
  • Store information in a PingGateway HTTP session
  • Configure capture decorators in Freeform Designer
Lesson 2: Configuring CDSSO for the Legacy Application
Configure cross-domain single sign-on (CDSSO) to support applications located in different domains, by using the CrossDomainSingleSignOnFilter:
  • Describe the CDSSO Filter
  • Configure the CDSSO Filter Solution
  • Configure CDSSO redirect endpoints
  • Integrate the legacy application with CDSSO
  • Create a new route to protect DVD4U with CDSSO and AM
  • Update the DVD4U route to automatically log in the authenticated user
  • Prepare the Advanced Identity Cloud tenant
  • Protect the DVD4U and FEC websites using CDSSO with Advanced Identity Cloud
Lesson 3: Performing SSO With PingGateway as an OIDC Relying Party
Configure PingGateway to operate as an OIDC client (relying party) to offer potential subscriber users access to the trial sections and immediate access to promotional content of the website by using their Gmail account:
  • Describe basic OIDC concepts
  • Configure PingGateway as an OIDC client
  • Examine the flow of OIDC redirects for authentication and consent
  • Explore the flow of OIDC callbacks and data injection
  • Configure an OIDC relying party route
  • Examine the OIDC relying party solution
Lesson 4: Providing SSO with PingGateway as a SAML2 SP
Configure PingGateway to act as a SAML2 service provider (SP), enabling an application to be SAML2-compliant:
  • Authenticate with a SAML2 identity provider (IdP)
  • Describe the use of the SAML federation handler
  • Describe the use of the dispatch handler
  • Describe the SAML2 implementation flow
  • Set up SAML2 configuration files for PingGateway
  • Configure a SAML2 route for the trial section
  • Examine the SAML2 solution (optional)
Chapter 3: Controlling Access with PingGateway as Policy Enforcement Point

Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice.

Lesson 1: Implementing Authorization With a Policy Enforcement Filter
Configure PingGateway to manage access to a website by evaluating policies configured in Advanced Identity Cloud (or AM) and using a PolicyEnforcementFilter:
  • Describe the use of the Policy Enforcement Filter
  • Illustrate the use of the Policy Enforcement Filter
  • Configure a policy enforcement point (PEP) route for the premium section of FEC
  • Examine the PEP solution (optional)
Lesson 2: Providing Step-Up Authentication and Transactional Authorization
Illustrate how PingGateway handles step-up authentication and transactional authorization policy advices with Advanced Identity Cloud (or AM):
  • Describe step-up authentication
  • Illustrate how PingGateway handles step-up authentication
  • Describe transactional authorization
  • Illustrate how PingGateway handles transactional authorization
  • Configure a PEP route for the on demand and profile sections of FEC
  • Examine the profile solution (optional)
  • Examine the on-demand solution (optional)
Chapter 4: Protecting a REST API

Protect a REST API with PingGateway and extend PingGateway functionality with scripting.

Lesson 1: Configuring PingGateway as an OAuth2 Resource Server
Configure PingGateway to act as an OAuth2 resource server that protects a REST API:

  • Describe the use of the OAuth2 resource server filter
  • List access token resolvers
  • Validate certificate-bound access tokens
  • Observe the flow with the token introspection resolver
  • Prepare the OAuth2 solution to protect the FEC REST API
  • Configure PingGateway to protect the FEC REST APIs
  • Examine the REST API solution (optional)
Lesson 2: Extending Functionality With Scripts
Log information on context, implement dynamic scopes to manage access to resources, and refine allowed access using script-based objects in PingGateway:
  • Describe the scripting functionality for extending PingGateway
  • Explore scriptable objects
  • Examine dynamic scopes solution
  • Describe OAuth2 token swapping in PingGateway
  • Configure a scriptable filter to log the content of the OAuth2 context
  • Configure a dynamic scopes script
  • Configure a scriptable filter to retrieve the correct favorite list
Chapter 5: Preparing for Production with PingGateway

Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment.

Lesson 1: Auditing, Monitoring, and Tuning a PingGateway Solution
Prepare PingGateway for a production environment by considering auditing, monitoring, tuning, security, and deployment topics:
  • Describe the audit framework
  • Excluding sensitive data from audit logs
  • Accessing the Common REST API monitoring endpoint
  • Decreasing the number of requests through caching
Lesson 2: Developing an Awareness of Security Questions With PingGateway
Develop awareness of best practices, describe JwtSessions, examine common secrets, and manage request rates and throttling:
  • Discuss PingGateway best practices regarding security
  • Examine the common secrets
  • Explore secret store types
  • Describe throttling
  • Create common secret stores
  • Configure throttling
Lesson 3: Deploying PingGateway
Explore how to deploy PingGateway into a production context by using property value substitution and clustering:
  • Describe property value substitution
  • Set up multiple PingGateway instances
  • Integrate configuration tokens in the solution
  • Deploy a second PingGateway instance
Apr 27
5 days