Unlock your full potential in IAM

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

• Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
• Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
• Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
• Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
• Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

• Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
• Knowledge of UNIX/Linux commands
• An understanding of HTTP and web applications
• A basic understanding of how directory servers function
• A basic understanding of REST
• A basic knowledge of Java based environments would be beneficial, but no programming experience is required

• Introduce AM authentication
• Understand realms
• Describe authentication life cycle
• Explain sessions
• Examine session cookies
• Access the lab environment
• Examine an initial AM installation
• Configure a realm and examine AM default authentication
• Experiment with session cookies
• Describe the authentication mechanisms of AM
• Create and manage trees
• Explore tree nodes
• Create a login tree
• Test the login tree

• Present AM edge clients
• Describe PingGateway functionality as an edge client
• Review the FEC website protected by PingGateway
• Integrate the FEC website with AM
• Observe the PingGateway token cookie
• (Optional) Review PingGateway configuration
• Authenticate identities with AM
• Create an authentication tree with an LDAP Decision node
• Integrate identities in AM with an identity store
• Integrate an identity store with AM

• Describe entitlements with AM authorization
• Define AM policy components
• Define policy environment conditions and response attributes
• Describe the process of policy evaluation
• Implement access control on a website

• Describe MFA
• Register a device
• Include recovery codes
• Examine OATH authentication
• Implement time-based one-time password (TOTP) authentication
• (Optional) Implement HMAC-based one-time password (HOTP) authentication
• Examine Push notification authentication
• (Optional) Implement Push notification authentication
• Implement passwordless WebAuthn
• (Optional) Implement passwordless WebAuthn
• Examine HOTP authentication using email or SMS
• (Optional) Implement HOTP authentication using email or SMS

• Introduce context-based risk analysis
• Describe device profile nodes
• Determine the risk based on the context
• Implement a browser context change script
• Lock and unlock accounts
• Implement account lockout

• Introduce continuous contextual authorization
• Describe step-up authentication
• Implement step-up authentication flow
• Describe transactional authorization
• Implement transactional authorization
• Prevent users from bypassing the default tree

• Discuss OAuth2 concepts
• Describe OAuth2 tokens and codes
• Describe refresh tokens, macaroons, and token modification
• Request OAuth2 access tokens with OAuth2 grant types
• Explain OAuth2 scopes and consent
• Configure OAuth2 in AM
• Configure AM as an OAuth2 provider
• Configure AM with an OAuth2 client
• Test the OAuth2 Device Code grant type flow

• Introduce OIDC
• Describe OIDC tokens
• Explain OIDC scopes and claims
• List OIDC grant types
• Create and use an OIDC script
• Create an OIDC claims script
• Register an OIDC client and configure the OAuth2 Provider settings
• Test the OIDC Authorization Code grant type flow

• Examine OAuth2 client authentication
• Examine OAuth2 client authentication using JWT profiles
• Examine OAuth2 client authentication using mTLS
• Authenticate an OAuth2 client using mTLS
• Examine certificate-bound PoP when mTLS is configured
• Obtain a certificate-bound access token

• Describe OAuth2 token exchange
• Explain token exchange types and purpose for exchange
• Describe token scopes and claims
• Implement a token exchange impersonation pattern
• Implement a token exchange delegation pattern
• Configure token exchange in AM
• Configure AM for token exchange
• Test token exchange flows

• Delegate registration and authentication to social media providers
• Implement social registration and authentication with Google

• Discuss SAML2 entities and profiles
• Explain the SAML2 flow from the identity provider (IdP) point of view
• Examine SSO across SPs
• Configure AM as an IdP and integrate with third-party service providers (SPs)
• Examine SSO between an SP and IdP and across SPs

• Explain the SSO flow from the SP point of view
• Describe the metadata content and purpose
• Configure AM as a SAML2 SP and integrate with a third-party IdP

• Plan deployment configurations
• Prepare before installing AM
• Deploy AM
• Outline tasks and methods to install AM
• Install AM with the web wizard
• Install an AM instance with the web wizard
• Install AM and manage configuration with Amster
• Install Amster
• Describe the AM bootstrap process
• Upgrade an AM instance
• Upgrade AM with the web wizard
• (Optional) Upgrade AM with the configuration tool

• Harden AM security
• Adjust default settings
• Harden AM security
• Describe secrets, certificates, and keys
• Describe keystores and secret stores
• Manage the AM keystore, aliases, and passwords
• Configure and manage secret stores
• Configure an HSM secret store to sign OIDC ID tokens
• Describe the monitoring tools
• Describe the audit logging
• Describe debug logging
• Capture troubleshooting information
• Capture troubleshooting information

• Explore high availability solutions
• Scale AM deployments
• Describe AM cluster concepts
• Create an AM cluster
• Prepare the initial AM cluster
• Install another AM server in the cluster
• Test AM cluster failover scenarios
• (Optional) Modify the cluster to use client-side sessions

• Describe the Identity Platform
• Prepare your deployment environment
• Deploy and access the Identity Platform
• Access and authenticate your GCP account
• Prepare to deploy the Identity Platform
• Deploy the Identity Platform with the Cloud Development Kit (CDK)
• Remove the Identity Platform deployment

This course provides the foundation to design, build, and integrate identity orchestration flows using PingOne DaVinci (DaVinci). You will create user interactions, extend flows with APIs, and integrate these solutions into applications. You will also leverage core PingOne services like SSO, identity management, and analytics. Through hands-on labs and instruction, you will gain the skills to deploy real-world orchestration solutions with confidence.

Upon completion of this course, you should be able to:

• Build basic user interactions with DaVinci flows
• Integrate a DaVinci flow into an application
• Integrate PingOne single sign-on (SSO) and identities in DaVinci flows
• Build an authentication flow in DaVinci
• Provide custom analytics in a DaVinci flow

The following are the prerequisites for successfully completing this course:

• Basic understanding of JavaScript, HTML, CSS, and the PingOne Platform
• Completion of the Introduction to PingOne DaVinci course available at:
  • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Chapter 1: Building Basic User Interactions With DaVinci Flows

Build basic user interactions with DaVinci flows.

Lesson 1: Defining the Basic Flow and Interaction Steps

Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

• Introduce the PingOne Platform and DaVinci
• Access and launch the DaVinci admin console
• Understand Flows
• Build basic user interaction in a flow

Lesson 2: Using Functions and API Calls
Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

• Extend DaVinci flows
• Verify the age of the user
• Make an API callCollect the user’s email and password
• Implement a robot check
• Document the flow

Lesson 3: Improving the User Experience
Use more advanced concepts in DaVinci to implement your flows:

• Improve the UI
• Convert user interactions to use HTML templates

Lesson 4: Using Variables and Form Validation
Expand further the functionality of your existing flow by using flow variables and improving interaction with the user:

• Incorporate variables
• Understand localizing flows
  
• Use flow variables and form validation
  
• Incorporate form validation
  
• Improve form validation inputs
  
• Troubleshoot issues

Lesson 5: Using Subflows to Manage Complexity
Externalize functionality that is often reused or complex to its own flow; for example, if the flow needed to connect to an API that isn’t available as a native connector, CRUD operations could be built in a new flow that could be leveraged by many:

• Create and use subflows
  
• Implement the subflow
  
• Replace the API call with the subflow

Chapter 2: Integrating a DaVinci Flow Into an Application

Integrate a DaVinci flow into an application.

Lesson 1: Integrating an Application to Launch a Flow
Integrate the flow into a web application which allows the application to provide the CSS (look and feel). Other flows can also be integrated to enable a richer user experience:

• Add a flow to a web application
  
• Create and customize the application

Lesson 2: Using a CSS in Flows vs Applications
Review how CSS is leveraged in a flow vs an application, and determine the advantages of leaving the presentation layer controlled by your application rather than using a CSS in your flow:

• Leverage a CSS
  
• Determine how a custom CSS in a flow is embedded with a web application

Lesson 3: Adding a Flow to an Existing Applicatio
Take the flow and integrate it into a web application:

• Embed flows using the widget method
  
• Import the DaVinci JavaScript library
  
• Create a JavaScript method to call the flow

Lesson 4: Integrating Non-UI Flows
Explore how DaVinci can accelerate development when integrating with backend services and APIs, enriching the overall user experience:

• Integrate a non-UI flow
  
• Build out your flow
  
• Integrate the flow

Lesson 5: Passing Data Into a Flow From an Application
Run through the process of passing data into a flow, whether it has user interaction or not:

• Enable dynamic flows
• Create and integrate a DaVinci subflow

Lesson 6: Performing A/B Testing
Define a flow that deals with age first, instead of name, during registration:

• Understand A/B testing
  
• Define a new flow
  
• Incorporate flow policies
  
• Build out a flow policy

Chapter 3: Integrating PingOne SSO and Identities in DaVinci Flows

Integrate PingOne SSO and identities in DaVinci flows.

Lesson 1: Setting Up Parallel Processing

Set up a flow that has two paths that execute in parallel and then come to their own conclusion:

• Implement parallel processing
  
• Leverage the PingOne Notification service

Lesson 2: Automating Flows With DaVinci Admin APIs

Learn how to manage DaVinci programmatically using the DaVinci Admin APIs:

• Understand DaVinci Admin APIs
  
• Explain administrator roles

Lesson 3: Creating Registered Accounts
Take the information collected during the registration process and create a user account in PingOne, which is the first step to expanding the capabilities of the application to support authentication:

• Create registered accounts
  
• Review your PingOne setup
  
• Build out a new registration flow
  
• Verify if an account already exists

Lesson 4: Verifying an Email Address

Establish a process to verify the email address of the user:

• Configure email verification
  
• Create an email verification subflow
  
• Complete the subflow

Chapter 4: Building an Authentication Flow in DaVinci

Build an authentication flow in DaVinci.

Lesson 1: Handling Authentication

Handle authentication for the application:

• Design and implement the authentication flow
  
• Design the flow logic
  
• Implement teleports for flow efficiency
  
• Authenticate and validate user identity

Lesson 2: Handling Forgotten Passwords

Handle forgotten password in the authentication flow:

• Manage password recovery flows
  
• Develop the end-to-end forgot password flow

Lesson 3: Adding an Authentication Method

Add another method of authentication, an email magic link, for the users of the application:

• Implement magic link authentication
  
• Add a magic link authentication method

Chapter 5: Providing Custom Analytics in a DaVinci Flow

Provide custom analytics in a DaVinci flow.

Lesson 1: Leveraging analytics to monitor flow usage

Implement custom analytics to track key business milestones and user behavior across DaVinci flows:

• Understand and apply flow analytics
  
• Configure authentication analysis