Unlock your full potential in IAM
This is Identitrain
Master Identity and Access Management with world-class training designed by experts who live it every day.
Led by practitioners, not theorists, our training gives you the skills to design, implement, and secure identity solutions that protect what matters most.
Choose Your Path to IAM Mastery
Whether you’re starting your IAM journey or advancing toward certification, our structured
learning paths guide you every step of the way. Select from Identity Management, Access Management,
Governance, or Best Practices tracks designed to match your role and goals.
Built for Every IAM Professional
From architects and developers to project managers and business leaders, Identitrain delivers
training that fits your role. Whether you’re designing IAM strategies, building integrations, or
leading transformation projects, we’ve got a path for you.
Training Designed by Practitioners, Proven in the Field
Our instructors bring years of real-world IAM experience into the classroom. We blend
vendor-agnostic fundamentals with deep expertise in leading platforms like Ping, SailPoint, Okta, and
beyond. Every course is modular, lab-focused, and designed to give you actionable skills you can
immediately put to use!
Join a Growing Community of IAM Experts
Training doesn’t end with the last session. Graduates join our global practitioner network,
gaining access to peer discussions, expert webinars, alumni resources, and exclusive discounts.
Learn, connect, and grow alongside IAM professionals worldwide.
Upcoming
Courses
PD-400-BVP Rev A.1
PingDirectory Administration
This course provides the knowledge you need to install and administer each component of the PingDirectory platform which includes: PingDirectory server, PingDirectoryProxy server, PingDataSync server, the PingData Software Development Kit (SDK), and Delegated User Administration. This course references real-world scenarios driven by recurring use cases. You learn how to install each PingDirectory platform component, perform basic maintenance, using the monitoring and troubleshooting tools. While, hands-on lab exercises provide the first-hand experience installing, configuring, tuning, and using the troubleshooting tools
This course is built on version 10.
Upon completion of this course, you should be able to:
- Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks
- Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment
- Describe how to install and manage the PingDirectoryProxy server
- Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server
- Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.
The following are the prerequisites for successfully completing this course:
- Knowledge of UNIX/Linux commands.
- A basic understanding of how directory servers function.
- A basic understanding of REST and HTTP.
- A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
- Completion of the Introduction to PingDirectory available at: https://backstage.pingidentity.com/university/
Chapter 1: Installing PingDirectory
Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks.
Lesson 1: Providing an Overview of PingDirectory
Describe the capabilities and key features of PingDirectory:
- Describe the key features of PingDirectory
Lesson 2: Installing the PingDirectory Server
Summarize the PingDirectory server installation procedures:
- Perform pre-installation procedures
- Install PingDirectory
- Describe post-installation procedures
Lesson 3: Completing Initial Configuration
Complete the PingDirectory server initial configuration settings:
- Use server profiles
- (Optional) Install PingDirectory
Chapter 2: Deploying PingDirectory
Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment.
Lesson 1: Managing the Schema
Lesson 1: Managing the Schema
Describe the functions of the schema, and modify the schema by creating new attribute types, object classes, and a new custom user:
- Describe the schema
- Modify the schema
- Modify the schema
- Modify object classes
- Create auxiliary object classes
- Load custom schema elements
Lesson 2: Managing Objects
Define objects in LDAP and use the command-line tools to search, add, modify, and delete entries:
- Search entries
- Manage entries
- Create objects
Lesson 3: Using Security and Encryption
Describe the basic vulnerabilities in LDAP server implementations, secure server data, use the encryption-settings tool to create an encryption settings database, and create sensitive attributes:
- Prevent data vulnerability
- Keep data secure
- Configure encryption settings
Lesson 4: Using Virtual Attributes
Define virtual attributes and their use, recall the virtual attribute types, and create mirrored virtual attributes:
- Define virtual attributes
- Administer virtual attributes
Lesson 5: Managing Password Policies
Describe how to use password policies, and then create and assign password policies to individual accounts and/or user groups:
- Describe password policies
- Create a password policy
Lesson 6: Administering JSON Attributes
Describe how to manage and create JSON attributes:
- Manage JSON attributes
- Create JSON attributes
- Manage the Password Policy State JSON
- Administer JSON Attributes
Lesson 7: Managing the REST APIs
Describe the available REST APIs, list the HTTP methods available, and use the Directory REST API to create and update user entries:
- Understand the Rest APIs
- Use the SCIM 2.0 REST API
- Administer the Directory REST API
Lesson 8: Managing Logging
List the three types of available log publishers, describe the elements of the log format, and create log publishers:
- Manage log publishers
- Configure logging
- Create a log publisher
Lesson 9: Managing Replication
Define the replication process and architecture, set up a server topology, enable the replication process, and initialize new replicas:
- Understand replication
- Enable replication
- Resolve conflicts
- Understand the replication protocol
- Use replication over WAN
- Plan deployment
- Configure replication
- Scale replication
- Enable the replication process
Lesson 10: Managing Server Topologies
Discuss the topology registry, create server groups to aid in configuration changes, and compare configurations on separate directory servers:
- Define the topology registry
- Administer the server topology
Chapter 3: Administering the PingDirectoryProxy Server
Describe how to install and manage the PingDirectoryProxy server.
Lesson 1: Providing an Overview of the PingDirectoryProxy Server
Describe the capabilities and key features of the PingDirectoryProxy server:
- Describe the key features
Lesson 2: Installing the PingDirectoryProxy Server
Describe how to install the PingDirectoryProxy server:
- Describe the installation process
- Install the PingDirectoryProxy server
- Lesson 3: Managing the PingDirectoryProxy Server
- Describe the key advanced PingDirectoryProxy server transformation features:
- Describe the proxy transformations
- Understand entry balancing
- Create transformations
Chapter 4: Administering the PingDataSync Server
Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server.
Lesson 1: Providing an Overview of PingDataSync
Describe the capabilities and key features of the PingDataSync server:
- Describe the key features
Lesson 2: Installing the PingDataSync Server
Summarize the PingDataSync server installation procedures:
- Install the PingDataSync server
- Use the start, stop, and restart commands
- Describe the failover server
- Install the failover server
- Install the PingDataSync server
Lesson 3: Configuring the PingDataSync Server
Define and install the PingDataSync server components:
- Define Sync Pipe components
- Create the synchronization flow
- Use the retry mechanism
- Configure the PingDataSync server
- Configure and synchronize the PingDataSync server
Lesson 4: Synchronizing the PingDataSync Server
Describe the features needed, in a relational database and AD, to allow synchronization through the PingDataSync serve:
- Synchronize with a relational database
- Synchronize with AD
Chapter 5: Troubleshooting and Maintenance
Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.
Lesson 1: Providing an Overview of the Server SDK
Provide an overview of the Server SDK:
- Describe the key features of the Server SDK
Lesson 2: Maintaining the PingDirectory Server
Summarize common PingDirectory maintenance tasks:
- Use the start, stop, and restart server commands
- Understand common maintenance tasks
- Perform maintenance tasks
- Understand Delegated Admin
- Configure Delegated Admin
- Administer Delegated Admin
- Understand data recovery
- Perform data recovery
Lesson 3: Monitoring a PingDirectory Deployment
Explain how monitoring is a vital part of a PingDirectory deployment:
- Monitor the PingDirectory server
Lesson 4: Troubleshooting the PingDirectory server
Provide information about available troubleshooting tools and log files to help ensure the resolution of any problems:
- Understand how to troubleshoot issues
- Repair a conflict resolution
- Use troubleshooting tools
P1DV-300-BVP Rev B
Getting Started With PingOne DaVinci
This course provides the foundation to design, build, and integrate identity orchestration flows using PingOne DaVinci (DaVinci). You will create user interactions, extend flows with APIs, and integrate these solutions into applications. You will also leverage core PingOne services like SSO, identity management, and analytics. Through hands-on labs and instruction, you will gain the skills to deploy real-world orchestration solutions with confidence.
Upon completion of this course, you should be able to:
- Build basic user interactions with DaVinci flows
- Integrate a DaVinci flow into an application
- Integrate PingOne single sign-on (SSO) and identities in DaVinci flows
- Build an authentication flow in DaVinci
- Provide custom analytics in a DaVinci flow
The following are the prerequisites for successfully completing this course:
- Basic understanding of JavaScript, HTML, CSS, and the PingOne Platform
- Completion of the Introduction to PingOne DaVinci course available at:
Chapter 1: Building Basic User Interactions With DaVinci Flows
Build basic user interactions with DaVinci flows.
Lesson 1: Defining the Basic Flow and Interaction Steps
Define the basic flow and provide an introduction to the foundational concepts of DaVinci:
- Introduce the PingOne Platform and DaVinci
- Access and launch the DaVinci admin console
- Understand Flows
- Build basic user interaction in a flow
Lesson 2: Using Functions and API Calls
Define the basic flow and provide an introduction to the foundational concepts of DaVinci:
- Extend DaVinci flows
- Verify the age of the user
- Make an API callCollect the user’s email and password
- Implement a robot check
- Document the flow
Lesson 3: Improving the User Experience
Use more advanced concepts in DaVinci to implement your flows:
- Improve the UI
- Convert user interactions to use HTML templates
Lesson 4: Using Variables and Form Validation
Expand further the functionality of your existing flow by using flow variables and improving interaction with the user:
- Incorporate variables
- Understand localizing flows
- Use flow variables and form validation
- Incorporate form validation
- Improve form validation inputs
- Troubleshoot issues
Lesson 5: Using Subflows to Manage Complexity
Externalize functionality that is often reused or complex to its own flow; for example, if the flow needed to connect to an API that isn’t available as a native connector, CRUD operations could be built in a new flow that could be leveraged by many:
- Create and use subflows
- Implement the subflow
- Replace the API call with the subflow
Chapter 2: Integrating a DaVinci Flow Into an Application
Integrate a DaVinci flow into an application.
Lesson 1: Integrating an Application to Launch a Flow
Integrate the flow into a web application which allows the application to provide the CSS (look and feel). Other flows can also be integrated to enable a richer user experience:
- Add a flow to a web application
- Create and customize the application
Lesson 2: Using a CSS in Flows vs Applications
Review how CSS is leveraged in a flow vs an application, and determine the advantages of leaving the presentation layer controlled by your application rather than using a CSS in your flow:
- Leverage a CSS
- Determine how a custom CSS in a flow is embedded with a web application
Lesson 3: Adding a Flow to an Existing Applicatio
Take the flow and integrate it into a web application:
- Embed flows using the widget method
- Import the DaVinci JavaScript library
- Create a JavaScript method to call the flow
Lesson 4: Integrating Non-UI Flows
Explore how DaVinci can accelerate development when integrating with backend services and APIs, enriching the overall user experience:
- Integrate a non-UI flow
- Build out your flow
- Integrate the flow
Lesson 5: Passing Data Into a Flow From an Application
Run through the process of passing data into a flow, whether it has user interaction or not:
- Enable dynamic flows
- Create and integrate a DaVinci subflow
Lesson 6: Performing A/B Testing
Define a flow that deals with age first, instead of name, during registration:
- Understand A/B testing
- Define a new flow
- Incorporate flow policies
- Build out a flow policy
Chapter 3: Integrating PingOne SSO and Identities in DaVinci Flows
Integrate PingOne SSO and identities in DaVinci flows.
Lesson 1: Setting Up Parallel Processing
Set up a flow that has two paths that execute in parallel and then come to their own conclusion:
- Implement parallel processing
- Leverage the PingOne Notification service
Lesson 2: Automating Flows With DaVinci Admin APIs
Learn how to manage DaVinci programmatically using the DaVinci Admin APIs:
- Understand DaVinci Admin APIs
- Explain administrator roles
Lesson 3: Creating Registered Accounts
Take the information collected during the registration process and create a user account in PingOne, which is the first step to expanding the capabilities of the application to support authentication:
- Create registered accounts
- Review your PingOne setup
- Build out a new registration flow
- Verify if an account already exists
Lesson 4: Verifying an Email Address
Establish a process to verify the email address of the user:
- Configure email verification
- Create an email verification subflow
- Complete the subflow
Chapter 4: Building an Authentication Flow in DaVinci
Build an authentication flow in DaVinci.
Lesson 1: Handling Authentication
Handle authentication for the application:
- Design and implement the authentication flow
- Design the flow logic
- Implement teleports for flow efficiency
- Authenticate and validate user identity
Lesson 2: Handling Forgotten Passwords
Handle forgotten password in the authentication flow:
- Manage password recovery flows
- Develop the end-to-end forgot password flow
Lesson 3: Adding an Authentication Method
Add another method of authentication, an email magic link, for the users of the application:
- Implement magic link authentication
- Add a magic link authentication method
Chapter 5: Providing Custom Analytics in a DaVinci Flow
Provide custom analytics in a DaVinci flow.
Lesson 1: Leveraging analytics to monitor flow usage
Implement custom analytics to track key business milestones and user behavior across DaVinci flows:
- Understand and apply flow analytics
- Configure authentication analysis
PF-300-BVP Rev A
PingFederate Administration
This course implements various use cases with PingFederate and introduces industry concepts such as federation, SAML, and OAuth. The course also includes PingFederate-specific topics such as integration kits, adapters, SSO connections, and OAuth configuration. Hands-on exercises allow the participants to have first-hand experience in configuring PingFederate, establishing a web SSO connection and OAuth clients, and doing some basic troubleshooting.
The following are the prerequisites for successfully completing this course:
- Completion of the Getting Started With PingFederate course available at:
Day 1: Background of Federation Web SSO and Core Product
- Introduction to identity federation
- Introduction to integration kits
- Configuring SP and IdP adapters and password credential validators
- Lab 1: HTML Form Adapter and Reference ID adapter configuration
- Introduction to SAML
- Configuring IdP and SP SSO connection
- Lab 2: Creating connections for IdP and SP web SSO
- Lab 2: Creating connections for IdP and SP web SSO
- Server logs
- Lab 3: Review the server logs to follow and SSO transaction
Day 2: Further Integration and PingFederate Functionality
- Attribute mapping and data source
- Lab 4: Mapping attributes from external sources
- Lab 5: Using an external source for authentication
- Introduction to authentication policies
- Lab 6: Creating authentication selectors, policy contracts, and authentication policies
- Lab 7: Tracing SSO transactions in the PingFederate logs
Day 3: OAuth2 and Advanced Administration
- Introduction to OAuth2
- OAuth2 scopes and access tokens
- Lab 8: Configuring OAuth2 grants (including token validation, authorization code)
- Lab 9: Create an OAuth client for client Credentials grant type
- Lab 10: Create an OAuth client for a resource server
- Lab 11: Create an OAuth client for authorization grant type
- PingFederate administrative API
- Lab 12: Using the admin API
- Server Administration
- Deployment scenarios and clustering
- Lab 13 (optional): Configuring a cluster
AIC-400-BVP Rev A
PingOne Advanced Identity Cloud Administration
This course builds upon the Getting Started With PingOne Advanced Identity Cloud for Administrators training to provide advanced techniques for managing and configuring PingOne Advanced Identity Cloud (Advanced Identity Cloud). Students will master advanced authentication journeys with multi-factor authentication (MFA), implement context-based authorization policies, and learn to model complex identity objects with relationships between managed objects. The course covers essential synchronization techniques, including connector configuration, reconciliation, LiveSync, and role-based provisioning to manage identity flow between Advanced Identity Cloud and external resources. Participants will gain hands-on experience with the REST API for programmatic access to identity management features, enabling automation and integration with external systems. Through practical exercises, students will learn to deploy and configure PingGateway to protect websites, implement continuous contextual authorization, and create comprehensive identity management solutions.
Upon completion of this course, you should be able to:
- Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway
- Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization
- Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration
- Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning
- Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically
The following are the prerequisites for successfully completing this course:
- Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course available at: https://backstage.pingidentity.com/university/
- Experience with Identity and Access Management
- Working knowledge of REST communication
Chapter 1: Administering Authentication Journeys
Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway.
Lesson 1: (Recap) Exploring Authentication in Advanced Identity Cloud
- Provide a recap of authentication in Advanced Identity Cloud:
- Introduce the basic concepts of authentication
- Prepare the lab environment
- Describe the authentication mechanisms of Advanced Identity Cloud
- Examine Advanced Identity Cloud default authentication
- Create and manage journeys
- Explore journey nodes
- Create a login journey
- Test the login journey
Lesson 2: Increasing Authentication Security
Increase authentication security using MFA:
- Describe MFA
- Register a device
- Include recovery codes
- Examine OATH authentication
- Implement TOTP authentication
- Examine Push notification authentication
- Implement passwordless WebAuthn
- (Optional) Implement passwordless WebAuthn
Lesson 3: Modifying a User’s Journey Based on Context
Describe how Advanced Identity Cloud can take into account the context of an authentication request in order to take access decisions:
- Introduce context-based risk analysis
- Describe device profile nodes
- Determine the risk based on the context
- Implement a browser context change script
- Lock and unlock accounts
- (Optional) Implement account lockout
Lesson 4: Protecting a Website With PingGateway
Show how PingGateway, integrated with Advanced Identity Cloud, can protect a website:
- Present Advanced Identity Cloud edge clients
- Describe PingGateway functionality as an edge client
- Review the BXE website protected by PingGateway
- Integrate the BXE website with Advanced Identity Cloud
- Observe the PingGateway token cookie
- (Optional) Review PingGateway configuration
Chapter 2: Administering Authorization Policies
Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization.
Lesson 1: Controlling Access
Create security policies to control which users can access specific areas of the website:
- Describe entitlements with Advanced Identity Cloud authorization
- Define Advanced Identity Cloud policy components
- Define policy environment conditions and response attributes
- Process of Advanced Identity Cloud policy evaluation
- Implement access control on a website
Lesson 2: Checking Risk Continuously
Review the Advanced Identity Cloud tools used to check the risk level of requests continuously:
- Introduce continuous contextual authorization
- Describe step-up authentication
- Implement step-up authentication flow
- Describe transactional authorization
- Implement transactional authorization
- (Optional) Prevent users from bypassing the default journey
Chapter 3: Administering Managed Objects
Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration.
Lesson 1: Modeling an Identity Profile
Learn about the different object types in Advanced Identity Cloud, and how you can model a custom user profile onto an existing managed user object type in Advanced Identity Cloud:
- Review the Advanced Identity Cloud documentation
- Describe the different object types in Advanced Identity Cloud
- Map an identity object to a managed object
- Describe how to use placeholder attributes
- Model a managed user object in Advanced Identity Cloud
Lesson 2: Introducing Relationships
Describe relationships between managed objects:
- Describe the purpose of relationships
- Describe how relationships are stored in the schema
- Query an object relationship using the REST interface
Lesson 3: Managing Organizations
Set up managed organizations to delegate user administration based on the owner of hierarchical trees:
- Describe the roles and privileges within an organization
- Implement the organization example
Chapter 4: Administering Connectors, Synchronization, and Provisioning
Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning.
Lesson 1: Connecting to External Resources Using Connectors
Describe the connectors supported in Advanced Identity Cloud, and how to create connector configurations to communicate with external resources:
- Describe how to connect external resources to Advanced Identity Cloud
- Configure communication between Advanced Identity Cloud and a remote connector server (RCS)
- Describe how to connect to external resources using ICF connectors
Lesson 2: Configuring Connectors Over the Identity Management Admin UI
- Describe the process for creating a connector configuration using the Identity Management admin UI
- Describe the object types and property mappings
- Add a connector configuration for an external LDAP resource
Lesson 3: Performing Basic Synchronization
Describe how to use the Identity Management admin UI to create synchronization mappings (sync mappings) to reconcile identities between Advanced Identity Cloud and an external resource:
- Describe how to create mappings to synchronize identity objects and properties
- Describe how to create a sync mapping from Advanced Identity Cloud to an external resource
- Describe how to add source and target properties to the sync mapping
- Describe how to add a correlation query and a situational event script
- Describe how to set the situational behaviors and run reconciliation
- Add a sync mapping from Advanced Identity Cloud to an LDAP server
- Describe the sync mapping from an LDAP server to Advanced Identity Cloud
- Add a sync mapping from an LDAP server to Advanced Identity Cloud
Lesson 4: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:
- Describe the different methods that you can use to filter entries
- Run selective synchronization using filters
- Describe how to use LiveSync to synchronize changes
- Trigger LiveSync on a connector
- Describe how to schedule LiveSync
- Schedule LiveSync with an external resource
Lesson 5: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:
- Describe how to provision attributes to a target system based on static role assignments
- Describe the steps to enable role-based provisioning
- Query the role assignment properties using the REST interface
- Provision attributes to a target resource based on static role assignments
- Describe how to provision attributes to a target system based on dynamic role assignments
- Provision attributes to a target resource based on dynamic role assignments
- Describe how to add temporal constraints to a role
- Add temporal constraints to a role
Chapter 5: Access Advanced Identity Cloud Over REST
Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically.
Lesson 1: Authenticating Over REST
Use Postman to access the Advanced Identity Cloud REST API and authenticate either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callback:
- Understand the REST authentication protocol
- Authenticate with REST
- Authenticate using header-based simple authentication
- Authenticate using callback-based complex authentication
Lesson 2: Querying Advanced Identity Cloud Objects Over REST
- Create security policies to control which users can access specific areas of the website:
- Describe how to query objects using the REST interface
- Describe how to use the Advanced Identity Cloud Postman collection
- Query Advanced Identity Cloud Identity objects using Postman
AM-421-BVP Rev B.3
PingAM: Customization and APIs
This course provides a hands-on technical introduction to PingAM (AM), formerly known as ForgeRock® Access Management, APIs and customization use cases. Students examine AM extension points and gain the skills required to extend and integrate an AM deployment in a real-world context. Additionally, students learn to implement various clients that communicate with AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.
Note: This course revision is based on version 7.3 of PingAM
Upon completion of this course, you should be able to:
- This chapter provides a high-level overview of the PingAM (AM) configuration architecture
- Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node
- Explore how to use the PingAM (AM) authorization policy sets, polices, and policy evaluation, and create custom policy conditions with Java and scripts
- Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees
- Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement Open Identity Connect (OIDC) claims by using the scripting API
The following are the prerequisites for successfully completing this course:
- Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
- Knowledge of UNIX/Linix commands
- An understanding of HTTP and web applications
- A basic understanding of how directory servers function
- A basic understanding of REST
- A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
Chapter 1: Introducing Customization in PingAM
This chapter provides a high-level overview of the PingAM (AM) configuration architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended.
Lesson 1: Using Extension (Customization) Points
Describe a high-level overview of the AM architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended:
Describe a high-level overview of the AM architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended:
- List extension (customization) points of AM
- List customizable AM components
- Quiz questions
- Access the lab environment
- Manage the course application components
Chapter 2: Customizing Authentication
Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node.
Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node.
Lesson 1: Authentication With Trees and Nodes: An Introduction
Introduce authentication trees and nodes and how to configure an authentication tree:
Introduce authentication trees and nodes and how to configure an authentication tree:
- Understand how AM performs authentication
- Describe AM authentication trees and nodes
- Compare tree and chain mechanisms
- Quiz questions
- Create an authentication tree with default nodes
- Test the authentication tree
Lesson 2: Customizing Authentication Trees and Nodes
Prepare a coding build environment and generate a custom authentication node using a Maven archetype:
Prepare a coding build environment and generate a custom authentication node using a Maven archetype:
- Describe custom authentication nodes
- Prepare a build environment
- Generate a custom node with a Maven archetype
- List custom node classes
- Customize node outcomes
- Deploy the custom node
- Modify custom node configuration and logic
- Post-authentication hooks for trees
- Quiz questions
- Create initial custom authentication node source files
- Modify the custom node’s implementation to be dynamic
- Deploy and test the custom authentication node
- Test the authentication tree with the custom node
Lesson 3: Developing Scripts With the Scripting API
Introduce scripting, how scripts work, what they can be used for, and how they can be managed through the AM admin UI:
Introduce scripting, how scripts work, what they can be used for, and how they can be managed through the AM admin UI:
- Understand the basic concepts of scripting
- Understand the scripting environment and the scripting API
- Use the AM admin UI to manage scripts
- Use the REST API to manage scripts
- Develop client and server scripts
- Use decision scripted authentication nodes in trees
- Quiz questions
- Explore client-side scripting with authentication nodes
- Create an authentication tree with client-side and server-side scripts
- Write a server-side script that uses a REST API request
Lesson 4: Migrating Authentication Modules to Trees and Nodes
Describe the design and implementation issues when migrating authentication modules to trees and nodes:
Describe the design and implementation issues when migrating authentication modules to trees and nodes:
- Describe design principles for trees and nodes
- List design and implementation steps
- Choose node types
- Map files from modules to nodes
- Authentication modules as nodes
- Migrate an LDAP chain to a tree
- Migrate post-authentication plugins
- Handle logout notifications
- Configure redirection URLs
- Implement account lockout
- Link a chain to a tree and return custom failure messages
- Quiz questions
- Reference an article about migrating chains to trees
Chapter 3: Customizing Authorization
Explore how to use the PingAM (AM) authorization policy sets, polices, and policy evaluation, and create custom policy conditions with Java and scripts.
Lesson 1: Customizing Authorization
Explore the AM authorization framework and the concepts central to it, such as policy sets (applications), policies, and the policy evaluation flow:
Explore the AM authorization framework and the concepts central to it, such as policy sets (applications), policies, and the policy evaluation flow:
- Understand the policy concepts in AM
- Identify the situation when a custom condition is needed
- Customize policy evaluation with a plugin and an Entitlement Condition class
- Implement a scripted condition
- Quiz Questions
- Explore the ContactList REST APIs and policy design
- Create resource types and a policy set
- Write a policy condition checking for maintenance mode
- Modify the policy condition script to provide additional information
Chapter 4: Customizing With REST Clients
Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees.
Lesson 1: Using the REST API
Introduce the AM REST services and the Common REST API, how to invoke REST services from a JavaScript application, and how to configure CORS in AM:
Introduce the AM REST services and the Common REST API, how to invoke REST services from a JavaScript application, and how to configure CORS in AM:
- Describe AM REST API services and the Common REST API
- Understand the Common REST API
- Explore REST API sorting, versioning, and status codes
- Use AM services from a browser-based application
- Enable CORS
- Quiz questions
- Study the ContactList application architecture
- Configure the CORS filter in AM
- Create a login service that uses AM authentication
Lesson 2: Authenticating With REST
Implement authentication and logout in a client application with the AM REST API either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
Implement authentication and logout in a client application with the AM REST API either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
- Review authentication and introduce RESTful authentication
- Implement authentication with the simple REST API
- Implement authentication with the full REST API
- Describe callback types available in AM
- Handle session upgrade and logout with the REST API
- Implement RESTful token and session management
- Use REST to manage identities
- Manage realms with the REST API
- Lesson Quiz
- Implement a fully functional AM-based authentication in ContactList
- Modify the login service to use the authentication tree
Lesson 3: Working With RESTful User Self-Service APIs
Discuss how a browser-based application can use the self-service API to perform operations on behalf of the user such as registration, password reset, and displaying the user dashboard:
Discuss how a browser-based application can use the self-service API to perform operations on behalf of the user such as registration, password reset, and displaying the user dashboard:
- Describe the self-service REST API
- Configure AM for self-service
- Implement password reset with REST
- Self-register a user via REST
- Lesson quiz
- Prepare AM for the password reset functionality
- Examine the password reset protocol
- Extend ContactList with a password reset feature
Lesson 4: Authorizing With REST
Demonstrate how the AM REST API policy management and evaluation works, and how it can be utilized to protect resources that are either actual URLs or other entities like actions:
Demonstrate how the AM REST API policy management and evaluation works, and how it can be utilized to protect resources that are either actual URLs or other entities like actions:
- Understand how to use the policy engine to protect resources other than URLs
- Describe the policy management REST API
- Describe the policy evaluator REST API
- Implement fine-grained authorization using policies and the REST API
- Lesson quiz
- Prepare AM for ContactList authorization
- Extend the backend to use the authorization REST API
- Extend the front-end application to use AM
Chapter 5: Federating With OAuth2
Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement Open Identity Connect (OIDC) claims by using the scripting API.
Lesson 1: Implementing OAuth2 Custom Scopes
Discuss how PingAM (AM) supports the standard OAuth2 and OIDC protocols, including JSON Web Tokens (JWT):
Discuss how PingAM (AM) supports the standard OAuth2 and OIDC protocols, including JSON Web Tokens (JWT):
- Understand OAuth2 and use its HTTP endpoints
- Examine the flow of the OAuth2 Authorization Code grant type
- Understand OIDC and use its HTTP endpoints
- Examine the flow of the OIDC Authorization Code grant type
- Understand the scope validation mechanism and customize its default behavior
- Use the Scripting API to customize the handling of OIDC claims
- Set up the OAuth2/OIDC service in AM
- Study and complete the ContactListTokenResponseTypeHandler code
- Enable OAuth2 federation in the ContactList front-end
- Turn ContactList RESTful backend into an OAuth2 resource server
AIC-330-BVP Rev A
Getting Started With PingOne Advanced Identity Cloud for Administrators
This course shows students how to administer PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud. This is achieved through the various online resources available to them, to a fully functional hands-on development environment, where they learn how to administer Advanced Identity Cloud in a training environment. Students are provided with a live Advanced Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, user journeys, and tenant configuration in their own Advanced Identity Cloud.
Upon completion of this course, you should be able to:
- Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options
- Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords
- Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator
- Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how Identity Gateway can protect web applications when it is integrated with Advanced Identity Cloud
- Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants
The following are the prerequisites for successfully completing this course:
- Completion of the Product Essentials courses available at: https://backstage.forgerock.com/university/cloud-learning
- Introduction to PingAM
- PingIDM Essentials
- PingGateway Essentials
- Introduction to PingDS
Chapter 1: Accessing Advanced Identity Cloud
Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options.
Lesson 1: Managing Administrators
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
- Introduce the Advanced Identity Cloud admin UI
- Manage administrators
- Invite an administrator
Lesson 2: Introducing UI Integration
Understand UI integration options:
Understand UI integration options:
- Explain UI integration options
- Configure themes for the Alpha and Bravo realms
Chapter 2: Administering Identities
Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords.
Lesson 1: Managing Identities
Manage user identities:
Manage user identities:
- Introduce managed objects
- Manage a user profile
Lesson 2: Adding Identities With Bulk Import
Bulk import user identities from a CSV file to add test users to your tenant:
Bulk import user identities from a CSV file to add test users to your tenant:
- Describe bulk import
- Import test users
Lesson 3: Managing Organizations
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
- Describe roles and privileges within an organization
- Implement delegated administration for an organization model
Lesson 4: Delegating User Management
Explain how to delegate administration privileges to managed users:
Explain how to delegate administration privileges to managed users:
- Delegate administration privileges
- Delegate password reset
Chapter 3: Managing User Journeys
Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator.
Lesson 1: Managing Journeys
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
- Introduce journeys
- Modify journeys
- Describe how to export and import journeys
- Export and import journeys
- Describe how to debug a journey
- Enable debug mode on a user journey
Lesson 2: Managing Server-Side Sessions
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
- Describe server-side sessions
- Invalidate server-side sessions
Lesson 3: Configuring Email Templates
Understand the use of email templates in a journey flow:
Understand the use of email templates in a journey flow:
- Explore email templates and nodes
- Configure email templates
- Use email templates in user journeys
Chapter 4: Integrating With Advanced Identity Cloud
Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how PingGateway can protect web applications when it is integrated with Advanced Identity Cloud.
Lesson 1: Defining Applications
Describe the role of an application in Advanced Identity Cloud:
Describe the role of an application in Advanced Identity Cloud:
- Introduce applications
- Register a Bookmark app
Lesson 2: Synchronizing Identities
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
- Explain how to connect to external resources
- Configure an RCS cluster
- Configure debug logging
- Add an authoritative application
- Explain synchronization
- Create inbound mappings and run reconciliation
- Synchronize passwords
- Create a target Application with outbound mappings
Lesson 3: Protecting Web Resources
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
- Introduce PingGateway
- Integrate PingGateway with Advanced Identity Cloud
- Integrate the PingGateway sample application with Advanced Identity Cloud
Chapter 5: Administering Your Tenant
Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants.
Lesson 1: Managing the Configuration
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
- Introduce Service Accounts
- Create and manage a service account
- Introduce the Advanced Identity Cloud REST API
- Display Advanced Identity Cloud identities using the REST API
- Introduce configuration management
- Create a baseline configuration repository
- Describe how to manage ESVs
- Create and call ESV variables
- Promote your configuration
Lesson 2: Monitoring Tenant Activities
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
- Explore Logs
- Retrieve log data using the REST API
- Retrieve log data using the Frodo CLI
- Monitor your tenant
- Monitor tenant health and visualize monitoring metrics
- Explore the Advanced Identity Cloud analytics dashboard
Lesson 3: Managing Password Policies
Explain how an Advanced Identity Cloud administrator manages realm password policies:
Explain how an Advanced Identity Cloud administrator manages realm password policies:
- Manage realm password policies
- Configure password policies
Lesson 4: Additional Administration Tasks
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
- Introduce outbound static IP addresses
- View outbound static IP addresses
- Manage tenant certificates
- Add a custom domain name