Unlock your full potential in IAM
This is Identitrain
Master Identity and Access Management with world-class training designed by experts who live it every day.
Led by practitioners, not theorists, our training gives you the skills to design, implement, and secure identity solutions that protect what matters most.
Choose Your Path to IAM Mastery
Whether you’re starting your IAM journey or advancing toward certification, our structured
learning paths guide you every step of the way. Select from Identity Management, Access Management,
Governance, or Best Practices tracks designed to match your role and goals.
Built for Every IAM Professional
From architects and developers to project managers and business leaders, Identitrain delivers
training that fits your role. Whether you’re designing IAM strategies, building integrations, or
leading transformation projects, we’ve got a path for you.
Training Designed by Practitioners, Proven in the Field
Our instructors bring years of real-world IAM experience into the classroom. We blend
vendor-agnostic fundamentals with deep expertise in leading platforms like Ping, SailPoint, Okta, and
beyond. Every course is modular, lab-focused, and designed to give you actionable skills you can
immediately put to use!
Join a Growing Community of IAM Experts
Training doesn’t end with the last session. Graduates join our global practitioner network,
gaining access to peer discussions, expert webinars, alumni resources, and exclusive discounts.
Learn, connect, and grow alongside IAM professionals worldwide.
Upcoming
Courses
AM-410-BVP Rev B.1
PingAM Deep Dive
The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.
Note: This course revision is based on version 7 of AM.
Upon completion of this course, you should be able to:
- Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
- Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
- Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
- Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
- Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster
The following are the prerequisites for successfully completing this course:
- Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
- Knowledge of UNIX/Linux commands
- An understanding of HTTP and web applications
- A basic understanding of how directory servers function
- A basic understanding of REST
- A basic knowledge of Java based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access
Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.
Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
- Introduce AM authentication
- Understand realms
- Describe authentication life cycle
- Explain sessions
- Examine session cookies
- Access the lab environment
- Examine an initial AM installation
- Configure a realm and examine AM default authentication
- Experiment with session cookies
- Describe the authentication mechanisms of AM
- Create and manage trees
- Explore tree nodes
- Create a login tree
- Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
- Present AM edge clients
- Describe PingGateway functionality as an edge client
- Review the FEC website protected by PingGateway
- Integrate the FEC website with AM
- Observe the PingGateway token cookie
- (Optional) Review PingGateway configuration
- Authenticate identities with AM
- Create an authentication tree with an LDAP Decision node
- Integrate identities in AM with an identity store
- Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
Create security policies to control which users can access specific areas of the website:
- Describe entitlements with AM authorization
- Define AM policy components
- Define policy environment conditions and response attributes
- Describe the process of policy evaluation
- Implement access control on a website
Chapter 2: Improving Access Management Security
Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.
Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
Increase authentication security using MFA:
- Describe MFA
- Register a device
- Include recovery codes
- Examine OATH authentication
- Implement time-based one-time password (TOTP) authentication
- (Optional) Implement HMAC-based one-time password (HOTP) authentication
- Examine Push notification authentication
- (Optional) Implement Push notification authentication
- Implement passwordless WebAuthn
- (Optional) Implement passwordless WebAuthn
- Examine HOTP authentication using email or SMS
- (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
Describe how AM can take into account the context of an authentication request in order to make access decisions:
- Introduce context-based risk analysis
- Describe device profile nodes
- Determine the risk based on the context
- Implement a browser context change script
- Lock and unlock accounts
- Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
Review the AM tools used to check the risk level of requests continuously:
- Introduce continuous contextual authorization
- Describe step-up authentication
- Implement step-up authentication flow
- Describe transactional authorization
- Implement transactional authorization
- Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols
Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.
Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
- Discuss OAuth2 concepts
- Describe OAuth2 tokens and codes
- Describe refresh tokens, macaroons, and token modification
- Request OAuth2 access tokens with OAuth2 grant types
- Explain OAuth2 scopes and consent
- Configure OAuth2 in AM
- Configure AM as an OAuth2 provider
- Configure AM with an OAuth2 client
- Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
- Introduce OIDC
- Describe OIDC tokens
- Explain OIDC scopes and claims
- List OIDC grant types
- Create and use an OIDC script
- Create an OIDC claims script
- Register an OIDC client and configure the OAuth2 Provider settings
- Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
- Examine OAuth2 client authentication
- Examine OAuth2 client authentication using JWT profiles
- Examine OAuth2 client authentication using mTLS
- Authenticate an OAuth2 client using mTLS
- Examine certificate-bound PoP when mTLS is configured
- Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
- Describe OAuth2 token exchange
- Explain token exchange types and purpose for exchange
- Describe token scopes and claims
- Implement a token exchange impersonation pattern
- Implement a token exchange delegation pattern
- Configure token exchange in AM
- Configure AM for token exchange
- Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
Provide a way for users to register and authenticate to AM using a social account:
- Delegate registration and authentication to social media providers
- Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2
Demonstrate federation across entities using SAML2 with AM.
Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
- Discuss SAML2 entities and profiles
- Explain the SAML2 flow from the identity provider (IdP) point of view
- Examine SSO across SPs
- Configure AM as an IdP and integrate with third-party service providers (SPs)
- Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
- Explain the SSO flow from the SP point of view
- Describe the metadata content and purpose
- Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM
Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).
Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
- Plan deployment configurations
- Prepare before installing AM
- Deploy AM
- Outline tasks and methods to install AM
- Install AM with the web wizard
- Install an AM instance with the web wizard
- Install AM and manage configuration with Amster
- Install Amster
- Describe the AM bootstrap process
- Upgrade an AM instance
- Upgrade AM with the web wizard
- (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
- Harden AM security
- Adjust default settings
- Harden AM security
- Describe secrets, certificates, and keys
- Describe keystores and secret stores
- Manage the AM keystore, aliases, and passwords
- Configure and manage secret stores
- Configure an HSM secret store to sign OIDC ID tokens
- Describe the monitoring tools
- Describe the audit logging
- Describe debug logging
- Capture troubleshooting information
- Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
- Explore high availability solutions
- Scale AM deployments
- Describe AM cluster concepts
- Create an AM cluster
- Prepare the initial AM cluster
- Install another AM server in the cluster
- Test AM cluster failover scenarios
- (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
- Describe the Identity Platform
- Prepare your deployment environment
- Deploy and access the Identity Platform
- Access and authenticate your GCP account
- Prepare to deploy the Identity Platform
- Deploy the Identity Platform with the Cloud Development Kit (CDK)
- Remove the Identity Platform deployment
AM-421-BVP Rev B.3
PingAM: Customization and APIs
This course provides a hands-on technical introduction to PingAM (AM), formerly known as ForgeRock® Access Management, APIs and customization use cases. Students examine AM extension points and gain the skills required to extend and integrate an AM deployment in a real-world context. Additionally, students learn to implement various clients that communicate with AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.
Note: This course revision is based on version 7.3 of PingAM
Upon completion of this course, you should be able to:
- This chapter provides a high-level overview of the PingAM (AM) configuration architecture
- Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node
- Explore how to use the PingAM (AM) authorization policy sets, polices, and policy evaluation, and create custom policy conditions with Java and scripts
- Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees
- Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement Open Identity Connect (OIDC) claims by using the scripting API
The following are the prerequisites for successfully completing this course:
- Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
- Knowledge of UNIX/Linix commands
- An understanding of HTTP and web applications
- A basic understanding of how directory servers function
- A basic understanding of REST
- A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
Chapter 1: Introducing Customization in PingAM
This chapter provides a high-level overview of the PingAM (AM) configuration architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended.
Lesson 1: Using Extension (Customization) Points
Describe a high-level overview of the AM architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended:
Describe a high-level overview of the AM architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended:
- List extension (customization) points of AM
- List customizable AM components
- Quiz questions
- Access the lab environment
- Manage the course application components
Chapter 2: Customizing Authentication
Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node.
Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node.
Lesson 1: Authentication With Trees and Nodes: An Introduction
Introduce authentication trees and nodes and how to configure an authentication tree:
Introduce authentication trees and nodes and how to configure an authentication tree:
- Understand how AM performs authentication
- Describe AM authentication trees and nodes
- Compare tree and chain mechanisms
- Quiz questions
- Create an authentication tree with default nodes
- Test the authentication tree
Lesson 2: Customizing Authentication Trees and Nodes
Prepare a coding build environment and generate a custom authentication node using a Maven archetype:
Prepare a coding build environment and generate a custom authentication node using a Maven archetype:
- Describe custom authentication nodes
- Prepare a build environment
- Generate a custom node with a Maven archetype
- List custom node classes
- Customize node outcomes
- Deploy the custom node
- Modify custom node configuration and logic
- Post-authentication hooks for trees
- Quiz questions
- Create initial custom authentication node source files
- Modify the custom node’s implementation to be dynamic
- Deploy and test the custom authentication node
- Test the authentication tree with the custom node
Lesson 3: Developing Scripts With the Scripting API
Introduce scripting, how scripts work, what they can be used for, and how they can be managed through the AM admin UI:
Introduce scripting, how scripts work, what they can be used for, and how they can be managed through the AM admin UI:
- Understand the basic concepts of scripting
- Understand the scripting environment and the scripting API
- Use the AM admin UI to manage scripts
- Use the REST API to manage scripts
- Develop client and server scripts
- Use decision scripted authentication nodes in trees
- Quiz questions
- Explore client-side scripting with authentication nodes
- Create an authentication tree with client-side and server-side scripts
- Write a server-side script that uses a REST API request
Lesson 4: Migrating Authentication Modules to Trees and Nodes
Describe the design and implementation issues when migrating authentication modules to trees and nodes:
Describe the design and implementation issues when migrating authentication modules to trees and nodes:
- Describe design principles for trees and nodes
- List design and implementation steps
- Choose node types
- Map files from modules to nodes
- Authentication modules as nodes
- Migrate an LDAP chain to a tree
- Migrate post-authentication plugins
- Handle logout notifications
- Configure redirection URLs
- Implement account lockout
- Link a chain to a tree and return custom failure messages
- Quiz questions
- Reference an article about migrating chains to trees
Chapter 3: Customizing Authorization
Explore how to use the PingAM (AM) authorization policy sets, polices, and policy evaluation, and create custom policy conditions with Java and scripts.
Lesson 1: Customizing Authorization
Explore the AM authorization framework and the concepts central to it, such as policy sets (applications), policies, and the policy evaluation flow:
Explore the AM authorization framework and the concepts central to it, such as policy sets (applications), policies, and the policy evaluation flow:
- Understand the policy concepts in AM
- Identify the situation when a custom condition is needed
- Customize policy evaluation with a plugin and an Entitlement Condition class
- Implement a scripted condition
- Quiz Questions
- Explore the ContactList REST APIs and policy design
- Create resource types and a policy set
- Write a policy condition checking for maintenance mode
- Modify the policy condition script to provide additional information
Chapter 4: Customizing With REST Clients
Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees.
Lesson 1: Using the REST API
Introduce the AM REST services and the Common REST API, how to invoke REST services from a JavaScript application, and how to configure CORS in AM:
Introduce the AM REST services and the Common REST API, how to invoke REST services from a JavaScript application, and how to configure CORS in AM:
- Describe AM REST API services and the Common REST API
- Understand the Common REST API
- Explore REST API sorting, versioning, and status codes
- Use AM services from a browser-based application
- Enable CORS
- Quiz questions
- Study the ContactList application architecture
- Configure the CORS filter in AM
- Create a login service that uses AM authentication
Lesson 2: Authenticating With REST
Implement authentication and logout in a client application with the AM REST API either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
Implement authentication and logout in a client application with the AM REST API either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
- Review authentication and introduce RESTful authentication
- Implement authentication with the simple REST API
- Implement authentication with the full REST API
- Describe callback types available in AM
- Handle session upgrade and logout with the REST API
- Implement RESTful token and session management
- Use REST to manage identities
- Manage realms with the REST API
- Lesson Quiz
- Implement a fully functional AM-based authentication in ContactList
- Modify the login service to use the authentication tree
Lesson 3: Working With RESTful User Self-Service APIs
Discuss how a browser-based application can use the self-service API to perform operations on behalf of the user such as registration, password reset, and displaying the user dashboard:
Discuss how a browser-based application can use the self-service API to perform operations on behalf of the user such as registration, password reset, and displaying the user dashboard:
- Describe the self-service REST API
- Configure AM for self-service
- Implement password reset with REST
- Self-register a user via REST
- Lesson quiz
- Prepare AM for the password reset functionality
- Examine the password reset protocol
- Extend ContactList with a password reset feature
Lesson 4: Authorizing With REST
Demonstrate how the AM REST API policy management and evaluation works, and how it can be utilized to protect resources that are either actual URLs or other entities like actions:
Demonstrate how the AM REST API policy management and evaluation works, and how it can be utilized to protect resources that are either actual URLs or other entities like actions:
- Understand how to use the policy engine to protect resources other than URLs
- Describe the policy management REST API
- Describe the policy evaluator REST API
- Implement fine-grained authorization using policies and the REST API
- Lesson quiz
- Prepare AM for ContactList authorization
- Extend the backend to use the authorization REST API
- Extend the front-end application to use AM
Chapter 5: Federating With OAuth2
Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement Open Identity Connect (OIDC) claims by using the scripting API.
Lesson 1: Implementing OAuth2 Custom Scopes
Discuss how PingAM (AM) supports the standard OAuth2 and OIDC protocols, including JSON Web Tokens (JWT):
Discuss how PingAM (AM) supports the standard OAuth2 and OIDC protocols, including JSON Web Tokens (JWT):
- Understand OAuth2 and use its HTTP endpoints
- Examine the flow of the OAuth2 Authorization Code grant type
- Understand OIDC and use its HTTP endpoints
- Examine the flow of the OIDC Authorization Code grant type
- Understand the scope validation mechanism and customize its default behavior
- Use the Scripting API to customize the handling of OIDC claims
- Set up the OAuth2/OIDC service in AM
- Study and complete the ContactListTokenResponseTypeHandler code
- Enable OAuth2 federation in the ContactList front-end
- Turn ContactList RESTful backend into an OAuth2 resource server
PA-400 BVP Rev A
PingAccess Administration
This course provides the information you need to set up and configure PingAccess as a policy server to protect both web applications and APIs. After completing this course, you will know how to configure PingAccess in both a gateway and agent model, and configure different types of policies that PingAccess offers.
Upon completion of this course, you should be able to:
- Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate)
- Configure PingAccess as a Reverse Proxy
- Configure policies in PingAccess to further bolster administration capabilities
The following are the prerequisites for successfully completing this course:
- Completion of the following courses:https://backstage.pingidentity.com/university/on-demand/category/PING
- Introduction to PingAccess
- Getting Started With PingAccess
- Introduction to PingFederate
- Getting Started With PingFederate
Chapter 1: Configuring and Connecting PingAccess
Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate).
Lesson 1: Configuring PingAccess as a Reverse Proxy (Gateway Model)
Describe how to configure PingAccess as a reverse proxy (gateway model):
- Introduce the gateway model
- Enable PingAccess as a reverse proxy
- Configure PingAccess resources and rewrite rules
Lesson 2: Connecting PingAccess to a Token Provider (PingFederate)
Describe the responsibilities of token providers and how to configure PingAccess to use PingFederate as a token provider:
- Introduce token providers
- Configure OAuth2 in PingFederate
- Configure PingAccess using the gateway model
Chapter 2: Configuring PingAccess Applications, Agents, and Sites
Configure PingAccess as a Reverse Proxy.
Lesson 1: Protecting Web Apps
Describe how to protect web apps by configuring them with PingAccess and OpenID Connect (OIDC):
- Define the OIDC protocol
- Introduce web sessions
- Create a web session using OIDC claims
Lesson 2: Working With Sites
Create identity mappings and advanced web session:
- Create identity mappings and advanced web sessions
Lesson 3: Working With Rules and Policies
Describe how to work with rules and policies within PingAccess:
- Describe the rules and policies process
- Create web access rules
- Create API access control rules
Chapter 3: Configuring Policies and Administration
Configure policies in PingAccess to further bolster administration capabilities.
Lesson 1: Maintaining PingAccess Discuss how to maintain PingAccess through resources, audit logs, and redirection:
- Dive deeper into resources
- Examine audit logs
- Manage redirection
Lesson 2: Configuring PingAccess as a Policy Server (Agent Model)
Configure PIngAccess to be a policy server by implementing the agent model:
- Introduce the agent model
Lesson 3: Optimizing and Configuring PingAccess
Optimize PingAccess through configuration, single sign-on (SSO), and the admin API:
- Implement improvements
- Enable PingAccess administrator SSO
- Use the PingAccess administrative API
- Increase the JVM Heap Size
Lesson 4: Creating PingAccess Clusters
Create PingAccess clusters to increase resilience and simplify procedures:
- Deploy clustersConfigure simple clusters in PingAccess (Optional)
PD-400-BVP Rev A.1
PingDirectory Administration
This course provides the knowledge you need to install and administer each component of the PingDirectory platform which includes: PingDirectory server, PingDirectoryProxy server, PingDataSync server, the PingData Software Development Kit (SDK), and Delegated User Administration. This course references real-world scenarios driven by recurring use cases. You learn how to install each PingDirectory platform component, perform basic maintenance, using the monitoring and troubleshooting tools. While, hands-on lab exercises provide the first-hand experience installing, configuring, tuning, and using the troubleshooting tools
This course is built on version 10.
Upon completion of this course, you should be able to:
- Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks
- Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment
- Describe how to install and manage the PingDirectoryProxy server
- Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server
- Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.
The following are the prerequisites for successfully completing this course:
- Knowledge of UNIX/Linux commands.
- A basic understanding of how directory servers function.
- A basic understanding of REST and HTTP.
- A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
- Completion of the Introduction to PingDirectory available at: https://backstage.pingidentity.com/university/
Chapter 1: Installing PingDirectory
Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks.
Lesson 1: Providing an Overview of PingDirectory
Describe the capabilities and key features of PingDirectory:
- Describe the key features of PingDirectory
Lesson 2: Installing the PingDirectory Server
Summarize the PingDirectory server installation procedures:
- Perform pre-installation procedures
- Install PingDirectory
- Describe post-installation procedures
Lesson 3: Completing Initial Configuration
Complete the PingDirectory server initial configuration settings:
- Use server profiles
- (Optional) Install PingDirectory
Chapter 2: Deploying PingDirectory
Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment.
Lesson 1: Managing the Schema
Lesson 1: Managing the Schema
Describe the functions of the schema, and modify the schema by creating new attribute types, object classes, and a new custom user:
- Describe the schema
- Modify the schema
- Modify the schema
- Modify object classes
- Create auxiliary object classes
- Load custom schema elements
Lesson 2: Managing Objects
Define objects in LDAP and use the command-line tools to search, add, modify, and delete entries:
- Search entries
- Manage entries
- Create objects
Lesson 3: Using Security and Encryption
Describe the basic vulnerabilities in LDAP server implementations, secure server data, use the encryption-settings tool to create an encryption settings database, and create sensitive attributes:
- Prevent data vulnerability
- Keep data secure
- Configure encryption settings
Lesson 4: Using Virtual Attributes
Define virtual attributes and their use, recall the virtual attribute types, and create mirrored virtual attributes:
- Define virtual attributes
- Administer virtual attributes
Lesson 5: Managing Password Policies
Describe how to use password policies, and then create and assign password policies to individual accounts and/or user groups:
- Describe password policies
- Create a password policy
Lesson 6: Administering JSON Attributes
Describe how to manage and create JSON attributes:
- Manage JSON attributes
- Create JSON attributes
- Manage the Password Policy State JSON
- Administer JSON Attributes
Lesson 7: Managing the REST APIs
Describe the available REST APIs, list the HTTP methods available, and use the Directory REST API to create and update user entries:
- Understand the Rest APIs
- Use the SCIM 2.0 REST API
- Administer the Directory REST API
Lesson 8: Managing Logging
List the three types of available log publishers, describe the elements of the log format, and create log publishers:
- Manage log publishers
- Configure logging
- Create a log publisher
Lesson 9: Managing Replication
Define the replication process and architecture, set up a server topology, enable the replication process, and initialize new replicas:
- Understand replication
- Enable replication
- Resolve conflicts
- Understand the replication protocol
- Use replication over WAN
- Plan deployment
- Configure replication
- Scale replication
- Enable the replication process
Lesson 10: Managing Server Topologies
Discuss the topology registry, create server groups to aid in configuration changes, and compare configurations on separate directory servers:
- Define the topology registry
- Administer the server topology
Chapter 3: Administering the PingDirectoryProxy Server
Describe how to install and manage the PingDirectoryProxy server.
Lesson 1: Providing an Overview of the PingDirectoryProxy Server
Describe the capabilities and key features of the PingDirectoryProxy server:
- Describe the key features
Lesson 2: Installing the PingDirectoryProxy Server
Describe how to install the PingDirectoryProxy server:
- Describe the installation process
- Install the PingDirectoryProxy server
- Lesson 3: Managing the PingDirectoryProxy Server
- Describe the key advanced PingDirectoryProxy server transformation features:
- Describe the proxy transformations
- Understand entry balancing
- Create transformations
Chapter 4: Administering the PingDataSync Server
Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server.
Lesson 1: Providing an Overview of PingDataSync
Describe the capabilities and key features of the PingDataSync server:
- Describe the key features
Lesson 2: Installing the PingDataSync Server
Summarize the PingDataSync server installation procedures:
- Install the PingDataSync server
- Use the start, stop, and restart commands
- Describe the failover server
- Install the failover server
- Install the PingDataSync server
Lesson 3: Configuring the PingDataSync Server
Define and install the PingDataSync server components:
- Define Sync Pipe components
- Create the synchronization flow
- Use the retry mechanism
- Configure the PingDataSync server
- Configure and synchronize the PingDataSync server
Lesson 4: Synchronizing the PingDataSync Server
Describe the features needed, in a relational database and AD, to allow synchronization through the PingDataSync serve:
- Synchronize with a relational database
- Synchronize with AD
Chapter 5: Troubleshooting and Maintenance
Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.
Lesson 1: Providing an Overview of the Server SDK
Provide an overview of the Server SDK:
- Describe the key features of the Server SDK
Lesson 2: Maintaining the PingDirectory Server
Summarize common PingDirectory maintenance tasks:
- Use the start, stop, and restart server commands
- Understand common maintenance tasks
- Perform maintenance tasks
- Understand Delegated Admin
- Configure Delegated Admin
- Administer Delegated Admin
- Understand data recovery
- Perform data recovery
Lesson 3: Monitoring a PingDirectory Deployment
Explain how monitoring is a vital part of a PingDirectory deployment:
- Monitor the PingDirectory server
Lesson 4: Troubleshooting the PingDirectory server
Provide information about available troubleshooting tools and log files to help ensure the resolution of any problems:
- Understand how to troubleshoot issues
- Repair a conflict resolution
- Use troubleshooting tools
IG-430-BVP Rev A
PingGateway Deep Dive
The aim of this course is to showcase the key features and capabilities of the versatile and powerful edge security solution with the PingGateway environment, formerly known as ForgeRock® Identity Gateway. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of PingGateway. Further information and guidance can be found in the documentation and knowledge base documents in the online repositories at: Backstage https://backstage.forgerock.com.
Note: Revision A of this course is based on version 7.2 of PingGateway.
Upon completion of this course, you should be able to:
- Integrate and protect web applications, APIs, legacy applications, and microservices with the Ping Identity Platform (Identity Platform), formerly known as ForgeRock® Identity Platform, by using PingGateway
- Add authentication to the ForgeRock Entertainment Company (FEC) solution using PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud, or PingAM (AM), formerly known as ForgeRock® Access Management, as the access manager, OpenID Connect (OIDC) provider, and Security Assertion Markup Language (SAML2) identity provider (IdP)
- Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice
- Protect a REST API with PingGateway and extend PingGateway functionality with scripting
- Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment
The following are the prerequisites for successfully completing this course:
- Completion of the PingGateway Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjQ%3D/chapter/Q291cnNlOjE1NzI2
Chapter 1: Integrating Applications With PingGateway
Integrate and protect web applications, APIs, legacy applications, and microservices with Identity Platform by using PingGateway.
Lesson 1: Introducing PingGateway
Introduce PingGateway and discuss scenarios for protecting web applications, APIs, and legacy applications:
Introduce PingGateway and discuss scenarios for protecting web applications, APIs, and legacy applications:
- Introduce PingGateway
- Describe PingGateway features
- Compare PingGateway with policy agents
- Explore PingGateway integration with web applications
- Describe PingGateway integration with OIDC and SAML
- Explore PingGateway policy enforcement and second-factor authentication (2FA)
- Describe PingGateway protection of APIs
- Access your CloudShare VM
- Examine the lab environment
- Access the FEC and DVD4U websites
Lesson 2: Fronting a Website With PingGateway
Configure PingGateway to listen for secure connections, operate in development mode, and be a reverse proxy in front of the FEC website:
Configure PingGateway to listen for secure connections, operate in development mode, and be a reverse proxy in front of the FEC website:
- Examine the PingGateway configuration structure
- Describe required PingGateway configuration
- Configure PingGateway for secure connections
- Configure PingGateway routes
- Creating and managing routes in PingGateway Studio
- Protect a website by using PingGateway Studio
- Upgrade a route to use WebSockets
- Configure PingGateway for development mode and TLS connections
- Protect the FEC website with PingGateway by using PingGateway Studio
- Manage routes in PingGateway Studio and examine PingGateway log files
Lesson 3: Routing Requests and Responses
Configure PingGateway to route requests depending on external conditions, and use various filters and handlers to process requests and responses within a route:
Configure PingGateway to route requests depending on external conditions, and use various filters and handlers to process requests and responses within a route:
- Describe the PingGateway object model
- Examine objects available in routes
- Retrieve context data and configure sessions
- Route requests depending on conditions
- Describe route handlers
- Manage requests and responses with a route handler
- Process requests and responses with filters
- Create a route to allow access to a public area of FEC
- Add a page not found route
- Create a route to access the legacy DVD4U application
- Add password replay for the DVD4U application
Lesson 4: Configuring PingGateway Logging and Capturing Route Communication
Introduce decorators, capture information in the PingGateway logs information using the CaptureDecorator, and retrieve credentials from a file with a FileAttributesFilter:
Introduce decorators, capture information in the PingGateway logs information using the CaptureDecorator, and retrieve credentials from a file with a FileAttributesFilter:
- Manage PingGateway logs
- Introduce Decorators
- Configure route activity logs
- Capture inbound and outbound communication
- Retrieve credentials from a file
- Observe requests and responses in PingGateway logs
- Test different capture configuration settings
- Centralize PingGateway logging configuration
- Modify the DVD4U route to get credentials from a file
- Use Logback configuration for troubleshooting
Chapter 2: Configuring Agentless Single Sign-On
Add authentication to the FEC solution, using Advanced Identity Cloud or AM as the access manager, OIDC provider, and SAML2 identity provider.
Lesson 1: Implementing Authentication with the SSO Filter
Implement authentication for websites with the single sign-on (SSO) filter by using PingGateway to interact with Advanced Identity Cloud or AM as the authentication server, to ensure access to non-public content requires authentication:
Implement authentication for websites with the single sign-on (SSO) filter by using PingGateway to interact with Advanced Identity Cloud or AM as the authentication server, to ensure access to non-public content requires authentication:
- Create a route by using the PingGateway Studio Freeform Designer
- Configure Advanced Identity Cloud or AM as a service
- Describe how to use the SSO Filter
- Retrieve user data from the authentication provider
- Configure PingGateway as an HTTPS client
- Create a route with the PingGateway Studio Freeform Designer
- Redirect requests to AM for authentication
- Configure PingGateway for client-side HTTPS
- Access properties in SSO token context
- Retrieve user profile data for display in a web page
- Store information in a PingGateway HTTP session
- Configure capture decorators in Freeform Designer
Lesson 2: Configuring CDSSO for the Legacy Application
Configure cross-domain single sign-on (CDSSO) to support applications located in different domains, by using the CrossDomainSingleSignOnFilter:
Configure cross-domain single sign-on (CDSSO) to support applications located in different domains, by using the CrossDomainSingleSignOnFilter:
- Describe the CDSSO Filter
- Configure the CDSSO Filter Solution
- Configure CDSSO redirect endpoints
- Integrate the legacy application with CDSSO
- Create a new route to protect DVD4U with CDSSO and AM
- Update the DVD4U route to automatically log in the authenticated user
- Prepare the Advanced Identity Cloud tenant
- Protect the DVD4U and FEC websites using CDSSO with Advanced Identity Cloud
Lesson 3: Performing SSO With PingGateway as an OIDC Relying Party
Configure PingGateway to operate as an OIDC client (relying party) to offer potential subscriber users access to the trial sections and immediate access to promotional content of the website by using their Gmail account:
Configure PingGateway to operate as an OIDC client (relying party) to offer potential subscriber users access to the trial sections and immediate access to promotional content of the website by using their Gmail account:
- Describe basic OIDC concepts
- Configure PingGateway as an OIDC client
- Examine the flow of OIDC redirects for authentication and consent
- Explore the flow of OIDC callbacks and data injection
- Configure an OIDC relying party route
- Examine the OIDC relying party solution
Lesson 4: Providing SSO with PingGateway as a SAML2 SP
Configure PingGateway to act as a SAML2 service provider (SP), enabling an application to be SAML2-compliant:
Configure PingGateway to act as a SAML2 service provider (SP), enabling an application to be SAML2-compliant:
- Authenticate with a SAML2 identity provider (IdP)
- Describe the use of the SAML federation handler
- Describe the use of the dispatch handler
- Describe the SAML2 implementation flow
- Set up SAML2 configuration files for PingGateway
- Configure a SAML2 route for the trial section
- Examine the SAML2 solution (optional)
Chapter 3: Controlling Access with PingGateway as Policy Enforcement Point
Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice.
Lesson 1: Implementing Authorization With a Policy Enforcement Filter
Configure PingGateway to manage access to a website by evaluating policies configured in Advanced Identity Cloud (or AM) and using a PolicyEnforcementFilter:
Configure PingGateway to manage access to a website by evaluating policies configured in Advanced Identity Cloud (or AM) and using a PolicyEnforcementFilter:
- Describe the use of the Policy Enforcement Filter
- Illustrate the use of the Policy Enforcement Filter
- Configure a policy enforcement point (PEP) route for the premium section of FEC
- Examine the PEP solution (optional)
Lesson 2: Providing Step-Up Authentication and Transactional Authorization
Illustrate how PingGateway handles step-up authentication and transactional authorization policy advices with Advanced Identity Cloud (or AM):
Illustrate how PingGateway handles step-up authentication and transactional authorization policy advices with Advanced Identity Cloud (or AM):
- Describe step-up authentication
- Illustrate how PingGateway handles step-up authentication
- Describe transactional authorization
- Illustrate how PingGateway handles transactional authorization
- Configure a PEP route for the on demand and profile sections of FEC
- Examine the profile solution (optional)
- Examine the on-demand solution (optional)
Chapter 4: Protecting a REST API
Protect a REST API with PingGateway and extend PingGateway functionality with scripting.
Lesson 1: Configuring PingGateway as an OAuth2 Resource Server
Configure PingGateway to act as an OAuth2 resource server that protects a REST API:
- Describe the use of the OAuth2 resource server filter
- List access token resolvers
- Validate certificate-bound access tokens
- Observe the flow with the token introspection resolver
- Prepare the OAuth2 solution to protect the FEC REST API
- Configure PingGateway to protect the FEC REST APIs
- Examine the REST API solution (optional)
Lesson 2: Extending Functionality With Scripts
Log information on context, implement dynamic scopes to manage access to resources, and refine allowed access using script-based objects in PingGateway:
Log information on context, implement dynamic scopes to manage access to resources, and refine allowed access using script-based objects in PingGateway:
- Describe the scripting functionality for extending PingGateway
- Explore scriptable objects
- Examine dynamic scopes solution
- Describe OAuth2 token swapping in PingGateway
- Configure a scriptable filter to log the content of the OAuth2 context
- Configure a dynamic scopes script
- Configure a scriptable filter to retrieve the correct favorite list
Chapter 5: Preparing for Production with PingGateway
Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment.
Lesson 1: Auditing, Monitoring, and Tuning a PingGateway Solution
Prepare PingGateway for a production environment by considering auditing, monitoring, tuning, security, and deployment topics:
Prepare PingGateway for a production environment by considering auditing, monitoring, tuning, security, and deployment topics:
- Describe the audit framework
- Excluding sensitive data from audit logs
- Accessing the Common REST API monitoring endpoint
- Decreasing the number of requests through caching
Lesson 2: Developing an Awareness of Security Questions With PingGateway
Develop awareness of best practices, describe JwtSessions, examine common secrets, and manage request rates and throttling:
Develop awareness of best practices, describe JwtSessions, examine common secrets, and manage request rates and throttling:
- Discuss PingGateway best practices regarding security
- Examine the common secrets
- Explore secret store types
- Describe throttling
- Create common secret stores
- Configure throttling
Lesson 3: Deploying PingGateway
Explore how to deploy PingGateway into a production context by using property value substitution and clustering:
Explore how to deploy PingGateway into a production context by using property value substitution and clustering:
- Describe property value substitution
- Set up multiple PingGateway instances
- Integrate configuration tokens in the solution
- Deploy a second PingGateway instance
PD-400-BVP Rev A.1
PingDirectory Administration
This course provides the knowledge you need to install and administer each component of the PingDirectory platform which includes: PingDirectory server, PingDirectoryProxy server, PingDataSync server, the PingData Software Development Kit (SDK), and Delegated User Administration. This course references real-world scenarios driven by recurring use cases. You learn how to install each PingDirectory platform component, perform basic maintenance, using the monitoring and troubleshooting tools. While, hands-on lab exercises provide the first-hand experience installing, configuring, tuning, and using the troubleshooting tools
This course is built on version 10.
Upon completion of this course, you should be able to:
- Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks
- Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment
- Describe how to install and manage the PingDirectoryProxy server
- Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server
- Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.
The following are the prerequisites for successfully completing this course:
- Knowledge of UNIX/Linux commands.
- A basic understanding of how directory servers function.
- A basic understanding of REST and HTTP.
- A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
- Completion of the Introduction to PingDirectory available at: https://backstage.pingidentity.com/university/
Chapter 1: Installing PingDirectory
Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks.
Lesson 1: Providing an Overview of PingDirectory
Describe the capabilities and key features of PingDirectory:
- Describe the key features of PingDirectory
Lesson 2: Installing the PingDirectory Server
Summarize the PingDirectory server installation procedures:
- Perform pre-installation procedures
- Install PingDirectory
- Describe post-installation procedures
Lesson 3: Completing Initial Configuration
Complete the PingDirectory server initial configuration settings:
- Use server profiles
- (Optional) Install PingDirectory
Chapter 2: Deploying PingDirectory
Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment.
Lesson 1: Managing the Schema
Lesson 1: Managing the Schema
Describe the functions of the schema, and modify the schema by creating new attribute types, object classes, and a new custom user:
- Describe the schema
- Modify the schema
- Modify the schema
- Modify object classes
- Create auxiliary object classes
- Load custom schema elements
Lesson 2: Managing Objects
Define objects in LDAP and use the command-line tools to search, add, modify, and delete entries:
- Search entries
- Manage entries
- Create objects
Lesson 3: Using Security and Encryption
Describe the basic vulnerabilities in LDAP server implementations, secure server data, use the encryption-settings tool to create an encryption settings database, and create sensitive attributes:
- Prevent data vulnerability
- Keep data secure
- Configure encryption settings
Lesson 4: Using Virtual Attributes
Define virtual attributes and their use, recall the virtual attribute types, and create mirrored virtual attributes:
- Define virtual attributes
- Administer virtual attributes
Lesson 5: Managing Password Policies
Describe how to use password policies, and then create and assign password policies to individual accounts and/or user groups:
- Describe password policies
- Create a password policy
Lesson 6: Administering JSON Attributes
Describe how to manage and create JSON attributes:
- Manage JSON attributes
- Create JSON attributes
- Manage the Password Policy State JSON
- Administer JSON Attributes
Lesson 7: Managing the REST APIs
Describe the available REST APIs, list the HTTP methods available, and use the Directory REST API to create and update user entries:
- Understand the Rest APIs
- Use the SCIM 2.0 REST API
- Administer the Directory REST API
Lesson 8: Managing Logging
List the three types of available log publishers, describe the elements of the log format, and create log publishers:
- Manage log publishers
- Configure logging
- Create a log publisher
Lesson 9: Managing Replication
Define the replication process and architecture, set up a server topology, enable the replication process, and initialize new replicas:
- Understand replication
- Enable replication
- Resolve conflicts
- Understand the replication protocol
- Use replication over WAN
- Plan deployment
- Configure replication
- Scale replication
- Enable the replication process
Lesson 10: Managing Server Topologies
Discuss the topology registry, create server groups to aid in configuration changes, and compare configurations on separate directory servers:
- Define the topology registry
- Administer the server topology
Chapter 3: Administering the PingDirectoryProxy Server
Describe how to install and manage the PingDirectoryProxy server.
Lesson 1: Providing an Overview of the PingDirectoryProxy Server
Describe the capabilities and key features of the PingDirectoryProxy server:
- Describe the key features
Lesson 2: Installing the PingDirectoryProxy Server
Describe how to install the PingDirectoryProxy server:
- Describe the installation process
- Install the PingDirectoryProxy server
- Lesson 3: Managing the PingDirectoryProxy Server
- Describe the key advanced PingDirectoryProxy server transformation features:
- Describe the proxy transformations
- Understand entry balancing
- Create transformations
Chapter 4: Administering the PingDataSync Server
Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server.
Lesson 1: Providing an Overview of PingDataSync
Describe the capabilities and key features of the PingDataSync server:
- Describe the key features
Lesson 2: Installing the PingDataSync Server
Summarize the PingDataSync server installation procedures:
- Install the PingDataSync server
- Use the start, stop, and restart commands
- Describe the failover server
- Install the failover server
- Install the PingDataSync server
Lesson 3: Configuring the PingDataSync Server
Define and install the PingDataSync server components:
- Define Sync Pipe components
- Create the synchronization flow
- Use the retry mechanism
- Configure the PingDataSync server
- Configure and synchronize the PingDataSync server
Lesson 4: Synchronizing the PingDataSync Server
Describe the features needed, in a relational database and AD, to allow synchronization through the PingDataSync serve:
- Synchronize with a relational database
- Synchronize with AD
Chapter 5: Troubleshooting and Maintenance
Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.
Lesson 1: Providing an Overview of the Server SDK
Provide an overview of the Server SDK:
- Describe the key features of the Server SDK
Lesson 2: Maintaining the PingDirectory Server
Summarize common PingDirectory maintenance tasks:
- Use the start, stop, and restart server commands
- Understand common maintenance tasks
- Perform maintenance tasks
- Understand Delegated Admin
- Configure Delegated Admin
- Administer Delegated Admin
- Understand data recovery
- Perform data recovery
Lesson 3: Monitoring a PingDirectory Deployment
Explain how monitoring is a vital part of a PingDirectory deployment:
- Monitor the PingDirectory server
Lesson 4: Troubleshooting the PingDirectory server
Provide information about available troubleshooting tools and log files to help ensure the resolution of any problems:
- Understand how to troubleshoot issues
- Repair a conflict resolution
- Use troubleshooting tools