Unlock your full potential in IAM
This is Identitrain
Master Identity and Access Management with world-class training designed by experts who live it every day.
Led by practitioners, not theorists, our training gives you the skills to design, implement, and secure identity solutions that protect what matters most.
Choose Your Path to IAM Mastery
Whether you’re starting your IAM journey or advancing toward certification, our structured
learning paths guide you every step of the way. Select from Identity Management, Access Management,
Governance, or Best Practices tracks designed to match your role and goals.
Built for Every IAM Professional
From architects and developers to project managers and business leaders, Identitrain delivers
training that fits your role. Whether you’re designing IAM strategies, building integrations, or
leading transformation projects, we’ve got a path for you.
Training Designed by Practitioners, Proven in the Field
Our instructors bring years of real-world IAM experience into the classroom. We blend
vendor-agnostic fundamentals with deep expertise in leading platforms like Ping, SailPoint, Okta, and
beyond. Every course is modular, lab-focused, and designed to give you actionable skills you can
immediately put to use!
Join a Growing Community of IAM Experts
Training doesn’t end with the last session. Graduates join our global practitioner network,
gaining access to peer discussions, expert webinars, alumni resources, and exclusive discounts.
Learn, connect, and grow alongside IAM professionals worldwide.
Upcoming
Courses
AIC-400-BVP Rev A
PingOne Advanced Identity Cloud Administration
This course builds upon the Getting Started With PingOne Advanced Identity Cloud for Administrators training to provide advanced techniques for managing and configuring PingOne Advanced Identity Cloud (Advanced Identity Cloud). Students will master advanced authentication journeys with multi-factor authentication (MFA), implement context-based authorization policies, and learn to model complex identity objects with relationships between managed objects. The course covers essential synchronization techniques, including connector configuration, reconciliation, LiveSync, and role-based provisioning to manage identity flow between Advanced Identity Cloud and external resources. Participants will gain hands-on experience with the REST API for programmatic access to identity management features, enabling automation and integration with external systems. Through practical exercises, students will learn to deploy and configure PingGateway to protect websites, implement continuous contextual authorization, and create comprehensive identity management solutions.
Upon completion of this course, you should be able to:
- Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway
- Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization
- Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration
- Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning
- Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically
The following are the prerequisites for successfully completing this course:
- Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course available at: https://backstage.pingidentity.com/university/
- Experience with Identity and Access Management
- Working knowledge of REST communication
Chapter 1: Administering Authentication Journeys
Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway.
Lesson 1: (Recap) Exploring Authentication in Advanced Identity Cloud
- Provide a recap of authentication in Advanced Identity Cloud:
- Introduce the basic concepts of authentication
- Prepare the lab environment
- Describe the authentication mechanisms of Advanced Identity Cloud
- Examine Advanced Identity Cloud default authentication
- Create and manage journeys
- Explore journey nodes
- Create a login journey
- Test the login journey
Lesson 2: Increasing Authentication Security
Increase authentication security using MFA:
- Describe MFA
- Register a device
- Include recovery codes
- Examine OATH authentication
- Implement TOTP authentication
- Examine Push notification authentication
- Implement passwordless WebAuthn
- (Optional) Implement passwordless WebAuthn
Lesson 3: Modifying a User’s Journey Based on Context
Describe how Advanced Identity Cloud can take into account the context of an authentication request in order to take access decisions:
- Introduce context-based risk analysis
- Describe device profile nodes
- Determine the risk based on the context
- Implement a browser context change script
- Lock and unlock accounts
- (Optional) Implement account lockout
Lesson 4: Protecting a Website With PingGateway
Show how PingGateway, integrated with Advanced Identity Cloud, can protect a website:
- Present Advanced Identity Cloud edge clients
- Describe PingGateway functionality as an edge client
- Review the BXE website protected by PingGateway
- Integrate the BXE website with Advanced Identity Cloud
- Observe the PingGateway token cookie
- (Optional) Review PingGateway configuration
Chapter 2: Administering Authorization Policies
Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization.
Lesson 1: Controlling Access
Create security policies to control which users can access specific areas of the website:
- Describe entitlements with Advanced Identity Cloud authorization
- Define Advanced Identity Cloud policy components
- Define policy environment conditions and response attributes
- Process of Advanced Identity Cloud policy evaluation
- Implement access control on a website
Lesson 2: Checking Risk Continuously
Review the Advanced Identity Cloud tools used to check the risk level of requests continuously:
- Introduce continuous contextual authorization
- Describe step-up authentication
- Implement step-up authentication flow
- Describe transactional authorization
- Implement transactional authorization
- (Optional) Prevent users from bypassing the default journey
Chapter 3: Administering Managed Objects
Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration.
Lesson 1: Modeling an Identity Profile
Learn about the different object types in Advanced Identity Cloud, and how you can model a custom user profile onto an existing managed user object type in Advanced Identity Cloud:
- Review the Advanced Identity Cloud documentation
- Describe the different object types in Advanced Identity Cloud
- Map an identity object to a managed object
- Describe how to use placeholder attributes
- Model a managed user object in Advanced Identity Cloud
Lesson 2: Introducing Relationships
Describe relationships between managed objects:
- Describe the purpose of relationships
- Describe how relationships are stored in the schema
- Query an object relationship using the REST interface
Lesson 3: Managing Organizations
Set up managed organizations to delegate user administration based on the owner of hierarchical trees:
- Describe the roles and privileges within an organization
- Implement the organization example
Chapter 4: Administering Connectors, Synchronization, and Provisioning
Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning.
Lesson 1: Connecting to External Resources Using Connectors
Describe the connectors supported in Advanced Identity Cloud, and how to create connector configurations to communicate with external resources:
- Describe how to connect external resources to Advanced Identity Cloud
- Configure communication between Advanced Identity Cloud and a remote connector server (RCS)
- Describe how to connect to external resources using ICF connectors
Lesson 2: Configuring Connectors Over the Identity Management Admin UI
- Describe the process for creating a connector configuration using the Identity Management admin UI
- Describe the object types and property mappings
- Add a connector configuration for an external LDAP resource
Lesson 3: Performing Basic Synchronization
Describe how to use the Identity Management admin UI to create synchronization mappings (sync mappings) to reconcile identities between Advanced Identity Cloud and an external resource:
- Describe how to create mappings to synchronize identity objects and properties
- Describe how to create a sync mapping from Advanced Identity Cloud to an external resource
- Describe how to add source and target properties to the sync mapping
- Describe how to add a correlation query and a situational event script
- Describe how to set the situational behaviors and run reconciliation
- Add a sync mapping from Advanced Identity Cloud to an LDAP server
- Describe the sync mapping from an LDAP server to Advanced Identity Cloud
- Add a sync mapping from an LDAP server to Advanced Identity Cloud
Lesson 4: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:
- Describe the different methods that you can use to filter entries
- Run selective synchronization using filters
- Describe how to use LiveSync to synchronize changes
- Trigger LiveSync on a connector
- Describe how to schedule LiveSync
- Schedule LiveSync with an external resource
Lesson 5: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:
- Describe how to provision attributes to a target system based on static role assignments
- Describe the steps to enable role-based provisioning
- Query the role assignment properties using the REST interface
- Provision attributes to a target resource based on static role assignments
- Describe how to provision attributes to a target system based on dynamic role assignments
- Provision attributes to a target resource based on dynamic role assignments
- Describe how to add temporal constraints to a role
- Add temporal constraints to a role
Chapter 5: Access Advanced Identity Cloud Over REST
Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically.
Lesson 1: Authenticating Over REST
Use Postman to access the Advanced Identity Cloud REST API and authenticate either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callback:
- Understand the REST authentication protocol
- Authenticate with REST
- Authenticate using header-based simple authentication
- Authenticate using callback-based complex authentication
Lesson 2: Querying Advanced Identity Cloud Objects Over REST
- Create security policies to control which users can access specific areas of the website:
- Describe how to query objects using the REST interface
- Describe how to use the Advanced Identity Cloud Postman collection
- Query Advanced Identity Cloud Identity objects using Postman
AM-421-BVP Rev B.3
PingAM: Customization and APIs
This course provides a hands-on technical introduction to PingAM (AM), formerly known as ForgeRock® Access Management, APIs and customization use cases. Students examine AM extension points and gain the skills required to extend and integrate an AM deployment in a real-world context. Additionally, students learn to implement various clients that communicate with AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.
Note: This course revision is based on version 7.3 of PingAM
Upon completion of this course, you should be able to:
- This chapter provides a high-level overview of the PingAM (AM) configuration architecture
- Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node
- Explore how to use the PingAM (AM) authorization policy sets, polices, and policy evaluation, and create custom policy conditions with Java and scripts
- Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees
- Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement Open Identity Connect (OIDC) claims by using the scripting API
The following are the prerequisites for successfully completing this course:
- Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
- Knowledge of UNIX/Linix commands
- An understanding of HTTP and web applications
- A basic understanding of how directory servers function
- A basic understanding of REST
- A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
Chapter 1: Introducing Customization in PingAM
This chapter provides a high-level overview of the PingAM (AM) configuration architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended.
Lesson 1: Using Extension (Customization) Points
Describe a high-level overview of the AM architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended:
Describe a high-level overview of the AM architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended:
- List extension (customization) points of AM
- List customizable AM components
- Quiz questions
- Access the lab environment
- Manage the course application components
Chapter 2: Customizing Authentication
Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node.
Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node.
Lesson 1: Authentication With Trees and Nodes: An Introduction
Introduce authentication trees and nodes and how to configure an authentication tree:
Introduce authentication trees and nodes and how to configure an authentication tree:
- Understand how AM performs authentication
- Describe AM authentication trees and nodes
- Compare tree and chain mechanisms
- Quiz questions
- Create an authentication tree with default nodes
- Test the authentication tree
Lesson 2: Customizing Authentication Trees and Nodes
Prepare a coding build environment and generate a custom authentication node using a Maven archetype:
Prepare a coding build environment and generate a custom authentication node using a Maven archetype:
- Describe custom authentication nodes
- Prepare a build environment
- Generate a custom node with a Maven archetype
- List custom node classes
- Customize node outcomes
- Deploy the custom node
- Modify custom node configuration and logic
- Post-authentication hooks for trees
- Quiz questions
- Create initial custom authentication node source files
- Modify the custom node’s implementation to be dynamic
- Deploy and test the custom authentication node
- Test the authentication tree with the custom node
Lesson 3: Developing Scripts With the Scripting API
Introduce scripting, how scripts work, what they can be used for, and how they can be managed through the AM admin UI:
Introduce scripting, how scripts work, what they can be used for, and how they can be managed through the AM admin UI:
- Understand the basic concepts of scripting
- Understand the scripting environment and the scripting API
- Use the AM admin UI to manage scripts
- Use the REST API to manage scripts
- Develop client and server scripts
- Use decision scripted authentication nodes in trees
- Quiz questions
- Explore client-side scripting with authentication nodes
- Create an authentication tree with client-side and server-side scripts
- Write a server-side script that uses a REST API request
Lesson 4: Migrating Authentication Modules to Trees and Nodes
Describe the design and implementation issues when migrating authentication modules to trees and nodes:
Describe the design and implementation issues when migrating authentication modules to trees and nodes:
- Describe design principles for trees and nodes
- List design and implementation steps
- Choose node types
- Map files from modules to nodes
- Authentication modules as nodes
- Migrate an LDAP chain to a tree
- Migrate post-authentication plugins
- Handle logout notifications
- Configure redirection URLs
- Implement account lockout
- Link a chain to a tree and return custom failure messages
- Quiz questions
- Reference an article about migrating chains to trees
Chapter 3: Customizing Authorization
Explore how to use the PingAM (AM) authorization policy sets, polices, and policy evaluation, and create custom policy conditions with Java and scripts.
Lesson 1: Customizing Authorization
Explore the AM authorization framework and the concepts central to it, such as policy sets (applications), policies, and the policy evaluation flow:
Explore the AM authorization framework and the concepts central to it, such as policy sets (applications), policies, and the policy evaluation flow:
- Understand the policy concepts in AM
- Identify the situation when a custom condition is needed
- Customize policy evaluation with a plugin and an Entitlement Condition class
- Implement a scripted condition
- Quiz Questions
- Explore the ContactList REST APIs and policy design
- Create resource types and a policy set
- Write a policy condition checking for maintenance mode
- Modify the policy condition script to provide additional information
Chapter 4: Customizing With REST Clients
Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees.
Lesson 1: Using the REST API
Introduce the AM REST services and the Common REST API, how to invoke REST services from a JavaScript application, and how to configure CORS in AM:
Introduce the AM REST services and the Common REST API, how to invoke REST services from a JavaScript application, and how to configure CORS in AM:
- Describe AM REST API services and the Common REST API
- Understand the Common REST API
- Explore REST API sorting, versioning, and status codes
- Use AM services from a browser-based application
- Enable CORS
- Quiz questions
- Study the ContactList application architecture
- Configure the CORS filter in AM
- Create a login service that uses AM authentication
Lesson 2: Authenticating With REST
Implement authentication and logout in a client application with the AM REST API either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
Implement authentication and logout in a client application with the AM REST API either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
- Review authentication and introduce RESTful authentication
- Implement authentication with the simple REST API
- Implement authentication with the full REST API
- Describe callback types available in AM
- Handle session upgrade and logout with the REST API
- Implement RESTful token and session management
- Use REST to manage identities
- Manage realms with the REST API
- Lesson Quiz
- Implement a fully functional AM-based authentication in ContactList
- Modify the login service to use the authentication tree
Lesson 3: Working With RESTful User Self-Service APIs
Discuss how a browser-based application can use the self-service API to perform operations on behalf of the user such as registration, password reset, and displaying the user dashboard:
Discuss how a browser-based application can use the self-service API to perform operations on behalf of the user such as registration, password reset, and displaying the user dashboard:
- Describe the self-service REST API
- Configure AM for self-service
- Implement password reset with REST
- Self-register a user via REST
- Lesson quiz
- Prepare AM for the password reset functionality
- Examine the password reset protocol
- Extend ContactList with a password reset feature
Lesson 4: Authorizing With REST
Demonstrate how the AM REST API policy management and evaluation works, and how it can be utilized to protect resources that are either actual URLs or other entities like actions:
Demonstrate how the AM REST API policy management and evaluation works, and how it can be utilized to protect resources that are either actual URLs or other entities like actions:
- Understand how to use the policy engine to protect resources other than URLs
- Describe the policy management REST API
- Describe the policy evaluator REST API
- Implement fine-grained authorization using policies and the REST API
- Lesson quiz
- Prepare AM for ContactList authorization
- Extend the backend to use the authorization REST API
- Extend the front-end application to use AM
Chapter 5: Federating With OAuth2
Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement Open Identity Connect (OIDC) claims by using the scripting API.
Lesson 1: Implementing OAuth2 Custom Scopes
Discuss how PingAM (AM) supports the standard OAuth2 and OIDC protocols, including JSON Web Tokens (JWT):
Discuss how PingAM (AM) supports the standard OAuth2 and OIDC protocols, including JSON Web Tokens (JWT):
- Understand OAuth2 and use its HTTP endpoints
- Examine the flow of the OAuth2 Authorization Code grant type
- Understand OIDC and use its HTTP endpoints
- Examine the flow of the OIDC Authorization Code grant type
- Understand the scope validation mechanism and customize its default behavior
- Use the Scripting API to customize the handling of OIDC claims
- Set up the OAuth2/OIDC service in AM
- Study and complete the ContactListTokenResponseTypeHandler code
- Enable OAuth2 federation in the ContactList front-end
- Turn ContactList RESTful backend into an OAuth2 resource server
AIC-330-BVP Rev A
Getting Started With PingOne Advanced Identity Cloud for Administrators
This course shows students how to administer PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud. This is achieved through the various online resources available to them, to a fully functional hands-on development environment, where they learn how to administer Advanced Identity Cloud in a training environment. Students are provided with a live Advanced Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, user journeys, and tenant configuration in their own Advanced Identity Cloud.
Upon completion of this course, you should be able to:
- Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options
- Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords
- Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator
- Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how Identity Gateway can protect web applications when it is integrated with Advanced Identity Cloud
- Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants
The following are the prerequisites for successfully completing this course:
- Completion of the Product Essentials courses available at: https://backstage.forgerock.com/university/cloud-learning
- Introduction to PingAM
- PingIDM Essentials
- PingGateway Essentials
- Introduction to PingDS
Chapter 1: Accessing Advanced Identity Cloud
Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options.
Lesson 1: Managing Administrators
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
- Introduce the Advanced Identity Cloud admin UI
- Manage administrators
- Invite an administrator
Lesson 2: Introducing UI Integration
Understand UI integration options:
Understand UI integration options:
- Explain UI integration options
- Configure themes for the Alpha and Bravo realms
Chapter 2: Administering Identities
Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords.
Lesson 1: Managing Identities
Manage user identities:
Manage user identities:
- Introduce managed objects
- Manage a user profile
Lesson 2: Adding Identities With Bulk Import
Bulk import user identities from a CSV file to add test users to your tenant:
Bulk import user identities from a CSV file to add test users to your tenant:
- Describe bulk import
- Import test users
Lesson 3: Managing Organizations
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
- Describe roles and privileges within an organization
- Implement delegated administration for an organization model
Lesson 4: Delegating User Management
Explain how to delegate administration privileges to managed users:
Explain how to delegate administration privileges to managed users:
- Delegate administration privileges
- Delegate password reset
Chapter 3: Managing User Journeys
Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator.
Lesson 1: Managing Journeys
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
- Introduce journeys
- Modify journeys
- Describe how to export and import journeys
- Export and import journeys
- Describe how to debug a journey
- Enable debug mode on a user journey
Lesson 2: Managing Server-Side Sessions
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
- Describe server-side sessions
- Invalidate server-side sessions
Lesson 3: Configuring Email Templates
Understand the use of email templates in a journey flow:
Understand the use of email templates in a journey flow:
- Explore email templates and nodes
- Configure email templates
- Use email templates in user journeys
Chapter 4: Integrating With Advanced Identity Cloud
Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how PingGateway can protect web applications when it is integrated with Advanced Identity Cloud.
Lesson 1: Defining Applications
Describe the role of an application in Advanced Identity Cloud:
Describe the role of an application in Advanced Identity Cloud:
- Introduce applications
- Register a Bookmark app
Lesson 2: Synchronizing Identities
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
- Explain how to connect to external resources
- Configure an RCS cluster
- Configure debug logging
- Add an authoritative application
- Explain synchronization
- Create inbound mappings and run reconciliation
- Synchronize passwords
- Create a target Application with outbound mappings
Lesson 3: Protecting Web Resources
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
- Introduce PingGateway
- Integrate PingGateway with Advanced Identity Cloud
- Integrate the PingGateway sample application with Advanced Identity Cloud
Chapter 5: Administering Your Tenant
Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants.
Lesson 1: Managing the Configuration
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
- Introduce Service Accounts
- Create and manage a service account
- Introduce the Advanced Identity Cloud REST API
- Display Advanced Identity Cloud identities using the REST API
- Introduce configuration management
- Create a baseline configuration repository
- Describe how to manage ESVs
- Create and call ESV variables
- Promote your configuration
Lesson 2: Monitoring Tenant Activities
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
- Explore Logs
- Retrieve log data using the REST API
- Retrieve log data using the Frodo CLI
- Monitor your tenant
- Monitor tenant health and visualize monitoring metrics
- Explore the Advanced Identity Cloud analytics dashboard
Lesson 3: Managing Password Policies
Explain how an Advanced Identity Cloud administrator manages realm password policies:
Explain how an Advanced Identity Cloud administrator manages realm password policies:
- Manage realm password policies
- Configure password policies
Lesson 4: Additional Administration Tasks
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
- Introduce outbound static IP addresses
- View outbound static IP addresses
- Manage tenant certificates
- Add a custom domain name
AM-410-BVP Rev B.1
PingAM Deep Dive
The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.
Note: This course revision is based on version 7 of AM.
Upon completion of this course, you should be able to:
- Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
- Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
- Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
- Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
- Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster
The following are the prerequisites for successfully completing this course:
- Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
- Knowledge of UNIX/Linux commands
- An understanding of HTTP and web applications
- A basic understanding of how directory servers function
- A basic understanding of REST
- A basic knowledge of Java based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access
Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.
Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
- Introduce AM authentication
- Understand realms
- Describe authentication life cycle
- Explain sessions
- Examine session cookies
- Access the lab environment
- Examine an initial AM installation
- Configure a realm and examine AM default authentication
- Experiment with session cookies
- Describe the authentication mechanisms of AM
- Create and manage trees
- Explore tree nodes
- Create a login tree
- Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
- Present AM edge clients
- Describe PingGateway functionality as an edge client
- Review the FEC website protected by PingGateway
- Integrate the FEC website with AM
- Observe the PingGateway token cookie
- (Optional) Review PingGateway configuration
- Authenticate identities with AM
- Create an authentication tree with an LDAP Decision node
- Integrate identities in AM with an identity store
- Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
Create security policies to control which users can access specific areas of the website:
- Describe entitlements with AM authorization
- Define AM policy components
- Define policy environment conditions and response attributes
- Describe the process of policy evaluation
- Implement access control on a website
Chapter 2: Improving Access Management Security
Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.
Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
Increase authentication security using MFA:
- Describe MFA
- Register a device
- Include recovery codes
- Examine OATH authentication
- Implement time-based one-time password (TOTP) authentication
- (Optional) Implement HMAC-based one-time password (HOTP) authentication
- Examine Push notification authentication
- (Optional) Implement Push notification authentication
- Implement passwordless WebAuthn
- (Optional) Implement passwordless WebAuthn
- Examine HOTP authentication using email or SMS
- (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
Describe how AM can take into account the context of an authentication request in order to make access decisions:
- Introduce context-based risk analysis
- Describe device profile nodes
- Determine the risk based on the context
- Implement a browser context change script
- Lock and unlock accounts
- Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
Review the AM tools used to check the risk level of requests continuously:
- Introduce continuous contextual authorization
- Describe step-up authentication
- Implement step-up authentication flow
- Describe transactional authorization
- Implement transactional authorization
- Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols
Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.
Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
- Discuss OAuth2 concepts
- Describe OAuth2 tokens and codes
- Describe refresh tokens, macaroons, and token modification
- Request OAuth2 access tokens with OAuth2 grant types
- Explain OAuth2 scopes and consent
- Configure OAuth2 in AM
- Configure AM as an OAuth2 provider
- Configure AM with an OAuth2 client
- Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
- Introduce OIDC
- Describe OIDC tokens
- Explain OIDC scopes and claims
- List OIDC grant types
- Create and use an OIDC script
- Create an OIDC claims script
- Register an OIDC client and configure the OAuth2 Provider settings
- Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
- Examine OAuth2 client authentication
- Examine OAuth2 client authentication using JWT profiles
- Examine OAuth2 client authentication using mTLS
- Authenticate an OAuth2 client using mTLS
- Examine certificate-bound PoP when mTLS is configured
- Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
- Describe OAuth2 token exchange
- Explain token exchange types and purpose for exchange
- Describe token scopes and claims
- Implement a token exchange impersonation pattern
- Implement a token exchange delegation pattern
- Configure token exchange in AM
- Configure AM for token exchange
- Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
Provide a way for users to register and authenticate to AM using a social account:
- Delegate registration and authentication to social media providers
- Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2
Demonstrate federation across entities using SAML2 with AM.
Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
- Discuss SAML2 entities and profiles
- Explain the SAML2 flow from the identity provider (IdP) point of view
- Examine SSO across SPs
- Configure AM as an IdP and integrate with third-party service providers (SPs)
- Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
- Explain the SSO flow from the SP point of view
- Describe the metadata content and purpose
- Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM
Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).
Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
- Plan deployment configurations
- Prepare before installing AM
- Deploy AM
- Outline tasks and methods to install AM
- Install AM with the web wizard
- Install an AM instance with the web wizard
- Install AM and manage configuration with Amster
- Install Amster
- Describe the AM bootstrap process
- Upgrade an AM instance
- Upgrade AM with the web wizard
- (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
- Harden AM security
- Adjust default settings
- Harden AM security
- Describe secrets, certificates, and keys
- Describe keystores and secret stores
- Manage the AM keystore, aliases, and passwords
- Configure and manage secret stores
- Configure an HSM secret store to sign OIDC ID tokens
- Describe the monitoring tools
- Describe the audit logging
- Describe debug logging
- Capture troubleshooting information
- Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
- Explore high availability solutions
- Scale AM deployments
- Describe AM cluster concepts
- Create an AM cluster
- Prepare the initial AM cluster
- Install another AM server in the cluster
- Test AM cluster failover scenarios
- (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
- Describe the Identity Platform
- Prepare your deployment environment
- Deploy and access the Identity Platform
- Access and authenticate your GCP account
- Prepare to deploy the Identity Platform
- Deploy the Identity Platform with the Cloud Development Kit (CDK)
- Remove the Identity Platform deployment
AM-410-BVP Rev B.1
PingAM Deep Dive
The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.
Note: This course revision is based on version 7 of AM.
Upon completion of this course, you should be able to:
- Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
- Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
- Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
- Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
- Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster
The following are the prerequisites for successfully completing this course:
- Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
- Knowledge of UNIX/Linux commands
- An understanding of HTTP and web applications
- A basic understanding of how directory servers function
- A basic understanding of REST
- A basic knowledge of Java based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access
Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.
Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
- Introduce AM authentication
- Understand realms
- Describe authentication life cycle
- Explain sessions
- Examine session cookies
- Access the lab environment
- Examine an initial AM installation
- Configure a realm and examine AM default authentication
- Experiment with session cookies
- Describe the authentication mechanisms of AM
- Create and manage trees
- Explore tree nodes
- Create a login tree
- Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
- Present AM edge clients
- Describe PingGateway functionality as an edge client
- Review the FEC website protected by PingGateway
- Integrate the FEC website with AM
- Observe the PingGateway token cookie
- (Optional) Review PingGateway configuration
- Authenticate identities with AM
- Create an authentication tree with an LDAP Decision node
- Integrate identities in AM with an identity store
- Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
Create security policies to control which users can access specific areas of the website:
- Describe entitlements with AM authorization
- Define AM policy components
- Define policy environment conditions and response attributes
- Describe the process of policy evaluation
- Implement access control on a website
Chapter 2: Improving Access Management Security
Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.
Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
Increase authentication security using MFA:
- Describe MFA
- Register a device
- Include recovery codes
- Examine OATH authentication
- Implement time-based one-time password (TOTP) authentication
- (Optional) Implement HMAC-based one-time password (HOTP) authentication
- Examine Push notification authentication
- (Optional) Implement Push notification authentication
- Implement passwordless WebAuthn
- (Optional) Implement passwordless WebAuthn
- Examine HOTP authentication using email or SMS
- (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
Describe how AM can take into account the context of an authentication request in order to make access decisions:
- Introduce context-based risk analysis
- Describe device profile nodes
- Determine the risk based on the context
- Implement a browser context change script
- Lock and unlock accounts
- Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
Review the AM tools used to check the risk level of requests continuously:
- Introduce continuous contextual authorization
- Describe step-up authentication
- Implement step-up authentication flow
- Describe transactional authorization
- Implement transactional authorization
- Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols
Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.
Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
- Discuss OAuth2 concepts
- Describe OAuth2 tokens and codes
- Describe refresh tokens, macaroons, and token modification
- Request OAuth2 access tokens with OAuth2 grant types
- Explain OAuth2 scopes and consent
- Configure OAuth2 in AM
- Configure AM as an OAuth2 provider
- Configure AM with an OAuth2 client
- Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
- Introduce OIDC
- Describe OIDC tokens
- Explain OIDC scopes and claims
- List OIDC grant types
- Create and use an OIDC script
- Create an OIDC claims script
- Register an OIDC client and configure the OAuth2 Provider settings
- Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
- Examine OAuth2 client authentication
- Examine OAuth2 client authentication using JWT profiles
- Examine OAuth2 client authentication using mTLS
- Authenticate an OAuth2 client using mTLS
- Examine certificate-bound PoP when mTLS is configured
- Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
- Describe OAuth2 token exchange
- Explain token exchange types and purpose for exchange
- Describe token scopes and claims
- Implement a token exchange impersonation pattern
- Implement a token exchange delegation pattern
- Configure token exchange in AM
- Configure AM for token exchange
- Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
Provide a way for users to register and authenticate to AM using a social account:
- Delegate registration and authentication to social media providers
- Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2
Demonstrate federation across entities using SAML2 with AM.
Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
- Discuss SAML2 entities and profiles
- Explain the SAML2 flow from the identity provider (IdP) point of view
- Examine SSO across SPs
- Configure AM as an IdP and integrate with third-party service providers (SPs)
- Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
- Explain the SSO flow from the SP point of view
- Describe the metadata content and purpose
- Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM
Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).
Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
- Plan deployment configurations
- Prepare before installing AM
- Deploy AM
- Outline tasks and methods to install AM
- Install AM with the web wizard
- Install an AM instance with the web wizard
- Install AM and manage configuration with Amster
- Install Amster
- Describe the AM bootstrap process
- Upgrade an AM instance
- Upgrade AM with the web wizard
- (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
- Harden AM security
- Adjust default settings
- Harden AM security
- Describe secrets, certificates, and keys
- Describe keystores and secret stores
- Manage the AM keystore, aliases, and passwords
- Configure and manage secret stores
- Configure an HSM secret store to sign OIDC ID tokens
- Describe the monitoring tools
- Describe the audit logging
- Describe debug logging
- Capture troubleshooting information
- Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
- Explore high availability solutions
- Scale AM deployments
- Describe AM cluster concepts
- Create an AM cluster
- Prepare the initial AM cluster
- Install another AM server in the cluster
- Test AM cluster failover scenarios
- (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
- Describe the Identity Platform
- Prepare your deployment environment
- Deploy and access the Identity Platform
- Access and authenticate your GCP account
- Prepare to deploy the Identity Platform
- Deploy the Identity Platform with the Cloud Development Kit (CDK)
- Remove the Identity Platform deployment
AIC-CERT-PREP Rev A.1
Certified Professional - PingOne Advanced Identity Cloud Exam Preparation
This course helps prepare students to take the Certified Professional - PingOne Advanced Identity Cloud exam, formerly known as the ForgeRock® Identity Cloud Certified Professional exam. This is accomplished by presenting students with information concerning exam contents, logistics, tips for preparing to take the exam, lab exercises to cover exam contents, and a sample exam that is representative of the exam, itself.
Upon completion of this course, you should be able to:
- Register to take the exam
- Prepare for the exam using recommended study materials
- Take the exam either remotely or at a Pearson Testing Center
The following are the prerequisites for successfully completing this course:
- Successful completion of the AIC-300 Getting Started With PingOne Advanced Identity Cloud for Administrators course
- Thorough understanding of all PingOne Advanced Identity Cloud documentation and Knowledge Base articles on Backstage
- 3-6 months of experience configuring and administering PingOne Identity tenants
- Working knowledge of OAuth 2.0, OpenID Connect and SAML v2.0
Course Contents
Exam Overview
- Explain exam metrics and passing scores
- Provide an approach for responding to test questions
- Identify options for registering and taking the exam
- Describe testing center requirements
- Describe requirements for taking the exam online
- Show how to access exam results
Exam Details
- Review the exam details and requirements
- Explain exam topics and study areas
- Present the objectives covered in the exam
- Review important concepts associated with exam objectives
- Review sample questions associated with objectives
- Provide applicable materials for review
Lab Exercises
- Research topics which will be covered in the exam
- Navigate the PingOne Advanced Identity Cloud admin UI
- Describe PingOne Advanced Identity Cloud configuration settings
- Explain how to perform PingOne Advanced Identity Cloud related tasks
- Configure PingOne Advanced Identity Cloud related services
Sample Exam
- Test a student’s knowledge of PingOne Advanced Identity Cloud
- Provide students with a representative exam experience