Unlock your full potential in IAM

The aim of this course is to showcase the key features and capabilities of the versatile and powerful edge security solution with the PingGateway environment, formerly known as ForgeRock® Identity Gateway. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of PingGateway. Further information and guidance can be found in the documentation and knowledge base documents in the online repositories at: Backstage https://backstage.forgerock.com.

Note: Revision A of this course is based on version 7.2 of PingGateway.

Upon completion of this course, you should be able to:

• Integrate and protect web applications, APIs, legacy applications, and microservices with the Ping Identity Platform (Identity Platform), formerly known as ForgeRock® Identity Platform, by using PingGateway
• Add authentication to the ForgeRock Entertainment Company (FEC) solution using PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud, or PingAM (AM), formerly known as ForgeRock® Access Management, as the access manager, OpenID Connect (OIDC) provider, and Security Assertion Markup Language (SAML2) identity provider (IdP)
• Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice
• Protect a REST API with PingGateway and extend PingGateway functionality with scripting
• Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment

The following are the prerequisites for successfully completing this course:

• Completion of the PingGateway Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjQ%3D/chapter/Q291cnNlOjE1NzI2

Chapter 1: Integrating Applications With PingGateway

• Introduce PingGateway
• Describe PingGateway features
• Compare PingGateway with policy agents
• Explore PingGateway integration with web applications
• Describe PingGateway integration with OIDC and SAML
• Explore PingGateway policy enforcement and second-factor authentication (2FA)
• Describe PingGateway protection of APIs
• Access your CloudShare VM
• Examine the lab environment
• Access the FEC and DVD4U websites

• Examine the PingGateway configuration structure
• Describe required PingGateway configuration
• Configure PingGateway for secure connections
• Configure PingGateway routes
• Creating and managing routes in PingGateway Studio
• Protect a website by using PingGateway Studio
• Upgrade a route to use WebSockets
• Configure PingGateway for development mode and TLS connections
• Protect the FEC website with PingGateway by using PingGateway Studio
• Manage routes in PingGateway Studio and examine PingGateway log files

• Describe the PingGateway object model
• Examine objects available in routes
• Retrieve context data and configure sessions
• Route requests depending on conditions
• Describe route handlers
• Manage requests and responses with a route handler
• Process requests and responses with filters
• Create a route to allow access to a public area of FEC
• Add a page not found route
• Create a route to access the legacy DVD4U application
• Add password replay for the DVD4U application

• Manage PingGateway logs
• Introduce Decorators
• Configure route activity logs
• Capture inbound and outbound communication
• Retrieve credentials from a file
• Observe requests and responses in PingGateway logs
• Test different capture configuration settings
• Centralize PingGateway logging configuration
• Modify the DVD4U route to get credentials from a file
• Use Logback configuration for troubleshooting

• Create a route by using the PingGateway Studio Freeform Designer
• Configure Advanced Identity Cloud or AM as a service
• Describe how to use the SSO Filter
• Retrieve user data from the authentication provider
• Configure PingGateway as an HTTPS client
• Create a route with the PingGateway Studio Freeform Designer
• Redirect requests to AM for authentication
• Configure PingGateway for client-side HTTPS
• Access properties in SSO token context
• Retrieve user profile data for display in a web page
• Store information in a PingGateway HTTP session
• Configure capture decorators in Freeform Designer

• Describe the CDSSO Filter
• Configure the CDSSO Filter Solution
• Configure CDSSO redirect endpoints
• Integrate the legacy application with CDSSO
• Create a new route to protect DVD4U with CDSSO and AM
• Update the DVD4U route to automatically log in the authenticated user
• Prepare the Advanced Identity Cloud tenant
• Protect the DVD4U and FEC websites using CDSSO with Advanced Identity Cloud

• Describe basic OIDC concepts
• Configure PingGateway as an OIDC client
• Examine the flow of OIDC redirects for authentication and consent
• Explore the flow of OIDC callbacks and data injection
• Configure an OIDC relying party route
• Examine the OIDC relying party solution

• Authenticate with a SAML2 identity provider (IdP)
• Describe the use of the SAML federation handler
• Describe the use of the dispatch handler
• Describe the SAML2 implementation flow
• Set up SAML2 configuration files for PingGateway
• Configure a SAML2 route for the trial section
• Examine the SAML2 solution (optional)

• Describe the use of the Policy Enforcement Filter
• Illustrate the use of the Policy Enforcement Filter
• Configure a policy enforcement point (PEP) route for the premium section of FEC
• Examine the PEP solution (optional)

• Describe step-up authentication
• Illustrate how PingGateway handles step-up authentication
• Describe transactional authorization
• Illustrate how PingGateway handles transactional authorization
• Configure a PEP route for the on demand and profile sections of FEC
• Examine the profile solution (optional)
• Examine the on-demand solution (optional)

Lesson 1: Configuring PingGateway as an OAuth2 Resource Server
Configure PingGateway to act as an OAuth2 resource server that protects a REST API:

• Describe the use of the OAuth2 resource server filter
• List access token resolvers
• Validate certificate-bound access tokens
• Observe the flow with the token introspection resolver
• Prepare the OAuth2 solution to protect the FEC REST API
• Configure PingGateway to protect the FEC REST APIs
• Examine the REST API solution (optional)

• Describe the scripting functionality for extending PingGateway
• Explore scriptable objects
• Examine dynamic scopes solution
• Describe OAuth2 token swapping in PingGateway
• Configure a scriptable filter to log the content of the OAuth2 context
• Configure a dynamic scopes script
• Configure a scriptable filter to retrieve the correct favorite list

• Describe the audit framework
• Excluding sensitive data from audit logs
• Accessing the Common REST API monitoring endpoint
• Decreasing the number of requests through caching

• Discuss PingGateway best practices regarding security
• Examine the common secrets
• Explore secret store types
• Describe throttling
• Create common secret stores
• Configure throttling

• Describe property value substitution
• Set up multiple PingGateway instances
• Integrate configuration tokens in the solution
• Deploy a second PingGateway instance

This course provides a hands-on technical introduction to PingAM (AM), formerly known as ForgeRock® Access Management, APIs and customization use cases. Students examine AM extension points and gain the skills required to extend and integrate an AM deployment in a real-world context. Additionally, students learn to implement various clients that communicate with AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7.3 of PingAM

Upon completion of this course, you should be able to:

• This chapter provides a high-level overview of the PingAM (AM) configuration architecture
• Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node
• Explore how to use the PingAM (AM) authorization policy sets, polices, and policy evaluation, and create custom policy conditions with Java and scripts
• Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees
• Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement Open Identity Connect (OIDC) claims by using the scripting API

The following are the prerequisites for successfully completing this course:

• Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
• Knowledge of UNIX/Linix commands
• An understanding of HTTP and web applications
• A basic understanding of how directory servers function
• A basic understanding of REST
• A basic knowledge of Java based environments would be beneficial, but no programming experience is required.

• List extension (customization) points of AM
• List customizable AM components
• Quiz questions
• Access the lab environment
• Manage the course application components

• Understand how AM performs authentication
• Describe AM authentication trees and nodes
• Compare tree and chain mechanisms
• Quiz questions
• Create an authentication tree with default nodes
• Test the authentication tree

• Describe custom authentication nodes
• Prepare a build environment
• Generate a custom node with a Maven archetype
• List custom node classes
• Customize node outcomes
• Deploy the custom node
• Modify custom node configuration and logic
• Post-authentication hooks for trees
• Quiz questions
• Create initial custom authentication node source files
• Modify the custom node’s implementation to be dynamic
• Deploy and test the custom authentication node
• Test the authentication tree with the custom node

• Understand the basic concepts of scripting
• Understand the scripting environment and the scripting API
• Use the AM admin UI to manage scripts
• Use the REST API to manage scripts
• Develop client and server scripts
• Use decision scripted authentication nodes in trees
• Quiz questions
• Explore client-side scripting with authentication nodes
• Create an authentication tree with client-side and server-side scripts
• Write a server-side script that uses a REST API request

• Describe design principles for trees and nodes
• List design and implementation steps
• Choose node types
• Map files from modules to nodes
• Authentication modules as nodes
• Migrate an LDAP chain to a tree
• Migrate post-authentication plugins
• Handle logout notifications
• Configure redirection URLs
• Implement account lockout
• Link a chain to a tree and return custom failure messages
• Quiz questions
• Reference an article about migrating chains to trees

• Understand the policy concepts in AM
• Identify the situation when a custom condition is needed
• Customize policy evaluation with a plugin and an Entitlement Condition class
• Implement a scripted condition
• Quiz Questions
• Explore the ContactList REST APIs and policy design
• Create resource types and a policy set
• Write a policy condition checking for maintenance mode
• Modify the policy condition script to provide additional information

• Describe AM REST API services and the Common REST API
• Understand the Common REST API
• Explore REST API sorting, versioning, and status codes
• Use AM services from a browser-based application
• Enable CORS
• Quiz questions
• Study the ContactList application architecture
• Configure the CORS filter in AM
• Create a login service that uses AM authentication

• Review authentication and introduce RESTful authentication
• Implement authentication with the simple REST API
• Implement authentication with the full REST API
• Describe callback types available in AM
• Handle session upgrade and logout with the REST API
• Implement RESTful token and session management
• Use REST to manage identities
• Manage realms with the REST API
• Lesson Quiz
• Implement a fully functional AM-based authentication in ContactList
• Modify the login service to use the authentication tree

• Describe the self-service REST API
• Configure AM for self-service
• Implement password reset with REST
• Self-register a user via REST
• Lesson quiz
• Prepare AM for the password reset functionality
• Examine the password reset protocol
• Extend ContactList with a password reset feature

• Understand how to use the policy engine to protect resources other than URLs
• Describe the policy management REST API
• Describe the policy evaluator REST API
• Implement fine-grained authorization using policies and the REST API
• Lesson quiz
• Prepare AM for ContactList authorization
• Extend the backend to use the authorization REST API
• Extend the front-end application to use AM

• Understand OAuth2 and use its HTTP endpoints
• Examine the flow of the OAuth2 Authorization Code grant type
• Understand OIDC and use its HTTP endpoints
• Examine the flow of the OIDC Authorization Code grant type
• Understand the scope validation mechanism and customize its default behavior
• Use the Scripting API to customize the handling of OIDC claims
• Set up the OAuth2/OIDC service in AM
• Study and complete the ContactListTokenResponseTypeHandler code
• Enable OAuth2 federation in the ContactList front-end
• Turn ContactList RESTful backend into an OAuth2 resource server