Copyright © Identitrain, Inc. 2026

Upcoming Courses

Stay ahead in the ever-evolving world of Identity and Access Management by joining one of our upcoming courses. This schedule provides a complete view of Identitrain’s upcoming training events, categorized by vendor to help you quickly find the sessions most relevant to your goals.

Use the filters to search by keyword, date or vendor, and reserve your spot in the courses that will build the skills you need today—and tomorrow.

Organized by: ping (110)

IG-430-BVP Rev A

PingGateway Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful edge security solution with the PingGateway environment, formerly known as ForgeRock® Identity Gateway. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of PingGateway. Further information and guidance can be found in the documentation and knowledge base documents in the online repositories at: Backstage https://backstage.forgerock.com.

Note: Revision A of this course is based on version 7.2 of PingGateway.

Upon completion of this course, you should be able to:

  • Integrate and protect web applications, APIs, legacy applications, and microservices with the Ping Identity Platform (Identity Platform), formerly known as ForgeRock® Identity Platform, by using PingGateway
  • Add authentication to the ForgeRock Entertainment Company (FEC) solution using PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud, or PingAM (AM), formerly known as ForgeRock® Access Management, as the access manager, OpenID Connect (OIDC) provider, and Security Assertion Markup Language (SAML2) identity provider (IdP)
  • Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice
  • Protect a REST API with PingGateway and extend PingGateway functionality with scripting
  • Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingGateway Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjQ%3D/chapter/Q291cnNlOjE1NzI2

Chapter 1: Integrating Applications With PingGateway

Integrate and protect web applications, APIs, legacy applications, and microservices with Identity Platform by using PingGateway.

Lesson 1: Introducing PingGateway
Introduce PingGateway and discuss scenarios for protecting web applications, APIs, and legacy applications:
  • Introduce PingGateway
  • Describe PingGateway features
  • Compare PingGateway with policy agents
  • Explore PingGateway integration with web applications
  • Describe PingGateway integration with OIDC and SAML
  • Explore PingGateway policy enforcement and second-factor authentication (2FA)
  • Describe PingGateway protection of APIs
  • Access your CloudShare VM
  • Examine the lab environment
  • Access the FEC and DVD4U websites
Lesson 2: Fronting a Website With PingGateway
Configure PingGateway to listen for secure connections, operate in development mode, and be a reverse proxy in front of the FEC website:
  • Examine the PingGateway configuration structure
  • Describe required PingGateway configuration
  • Configure PingGateway for secure connections
  • Configure PingGateway routes
  • Creating and managing routes in PingGateway Studio
  • Protect a website by using PingGateway Studio
  • Upgrade a route to use WebSockets
  • Configure PingGateway for development mode and TLS connections
  • Protect the FEC website with PingGateway by using PingGateway Studio
  • Manage routes in PingGateway Studio and examine PingGateway log files
Lesson 3: Routing Requests and Responses
Configure PingGateway to route requests depending on external conditions, and use various filters and handlers to process requests and responses within a route:
  • Describe the PingGateway object model
  • Examine objects available in routes
  • Retrieve context data and configure sessions
  • Route requests depending on conditions
  • Describe route handlers
  • Manage requests and responses with a route handler
  • Process requests and responses with filters
  • Create a route to allow access to a public area of FEC
  • Add a page not found route
  • Create a route to access the legacy DVD4U application
  • Add password replay for the DVD4U application
Lesson 4: Configuring PingGateway Logging and Capturing Route Communication
Introduce decorators, capture information in the PingGateway logs using the CaptureDecorator, and retrieve credentials from a file with a FileAttributesFilter:
  • Manage PingGateway logs
  • Introduce Decorators
  • Configure route activity logs
  • Capture inbound and outbound communication
  • Retrieve credentials from a file
  • Observe requests and responses in PingGateway logs
  • Test different capture configuration settings
  • Centralize PingGateway logging configuration
  • Modify the DVD4U route to get credentials from a file
  • Use Logback configuration for troubleshooting
Chapter 2: Configuring Agentless Single Sign-On

Add authentication to the FEC solution, using Advanced Identity Cloud or AM as the access manager, OIDC provider, and SAML2 identity provider.

Lesson 1: Implementing Authentication with the SSO Filter
Implement authentication for websites with the single sign-on (SSO) filter by using PingGateway to interact with Advanced Identity Cloud or AM as the authentication server, to ensure access to non-public content requires authentication:
  • Create a route by using the PingGateway Studio Freeform Designer
  • Configure Advanced Identity Cloud or AM as a service
  • Describe how to use the SSO Filter
  • Retrieve user data from the authentication provider
  • Configure PingGateway as an HTTPS client
  • Create a route with the PingGateway Studio Freeform Designer
  • Redirect requests to AM for authentication
  • Configure PingGateway for client-side HTTPS
  • Access properties in SSO token context
  • Retrieve user profile data for display in a web page
  • Store information in a PingGateway HTTP session
  • Configure capture decorators in Freeform Designer
Lesson 2: Configuring CDSSO for the Legacy Application
Configure cross-domain single sign-on (CDSSO) to support applications located in different domains, by using the CrossDomainSingleSignOnFilter:
  • Describe the CDSSO Filter
  • Configure the CDSSO Filter Solution
  • Configure CDSSO redirect endpoints
  • Integrate the legacy application with CDSSO
  • Create a new route to protect DVD4U with CDSSO and AM
  • Update the DVD4U route to automatically log in the authenticated user
  • Prepare the Advanced Identity Cloud tenant
  • Protect the DVD4U and FEC websites using CDSSO with Advanced Identity Cloud
Lesson 3: Performing SSO With PingGateway as an OIDC Relying Party
Configure PingGateway to operate as an OIDC client (relying party) to offer potential subscriber users access to the trial sections and immediate access to promotional content of the website by using their Gmail account:
  • Describe basic OIDC concepts
  • Configure PingGateway as an OIDC client
  • Examine the flow of OIDC redirects for authentication and consent
  • Explore the flow of OIDC callbacks and data injection
  • Configure an OIDC relying party route
  • Examine the OIDC relying party solution
Lesson 4: Providing SSO with PingGateway as a SAML2 SP
Configure PingGateway to act as a SAML2 service provider (SP), enabling an application to be SAML2-compliant:
  • Authenticate with a SAML2 identity provider (IdP)
  • Describe the use of the SAML federation handler
  • Describe the use of the dispatch handler
  • Describe the SAML2 implementation flow
  • Set up SAML2 configuration files for PingGateway
  • Configure a SAML2 route for the trial section
  • Examine the SAML2 solution (optional)
Chapter 3: Controlling Access with PingGateway as Policy Enforcement Point

Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice.

Lesson 1: Implementing Authorization With a Policy Enforcement Filter
Configure PingGateway to manage access to a website by evaluating policies configured in Advanced Identity Cloud (or AM) and using a PolicyEnforcementFilter:
  • Describe the use of the Policy Enforcement Filter
  • Illustrate the use of the Policy Enforcement Filter
  • Configure a policy enforcement point (PEP) route for the premium section of FEC
  • Examine the PEP solution (optional)
Lesson 2: Providing Step-Up Authentication and Transactional Authorization
Illustrate how PingGateway handles step-up authentication and transactional authorization policy advices with Advanced Identity Cloud (or AM):
  • Describe step-up authentication
  • Illustrate how PingGateway handles step-up authentication
  • Describe transactional authorization
  • Illustrate how PingGateway handles transactional authorization
  • Configure a PEP route for the on demand and profile sections of FEC
  • Examine the profile solution (optional)
  • Examine the on-demand solution (optional)
Chapter 4: Protecting a REST API

Protect a REST API with PingGateway and extend PingGateway functionality with scripting.

Lesson 1: Configuring PingGateway as an OAuth2 Resource Server
Configure PingGateway to act as an OAuth2 resource server that protects a REST API:

  • Describe the use of the OAuth2 resource server filter
  • List access token resolvers
  • Validate certificate-bound access tokens
  • Observe the flow with the token introspection resolver
  • Prepare the OAuth2 solution to protect the FEC REST API
  • Configure PingGateway to protect the FEC REST APIs
  • Examine the REST API solution (optional)
Lesson 2: Extending Functionality With Scripts
Log information on context, implement dynamic scopes to manage access to resources, and refine allowed access using script-based objects in PingGateway:
  • Describe the scripting functionality for extending PingGateway
  • Explore scriptable objects
  • Examine dynamic scopes solution
  • Describe OAuth2 token swapping in PingGateway
  • Configure a scriptable filter to log the content of the OAuth2 context
  • Configure a dynamic scopes script
  • Configure a scriptable filter to retrieve the correct favorite list
Chapter 5: Preparing for Production with PingGateway

Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment.

Lesson 1: Auditing, Monitoring, and Tuning a PingGateway Solution
Prepare PingGateway for a production environment by considering auditing, monitoring, tuning, security, and deployment topics:
  • Describe the audit framework
  • Excluding sensitive data from audit logs
  • Accessing the Common REST API monitoring endpoint
  • Decreasing the number of requests through caching
Lesson 2: Developing an Awareness of Security Questions With PingGateway
Develop awareness of best practices, describe JwtSessions, examine common secrets, and manage request rates and throttling:
  • Discuss PingGateway best practices regarding security
  • Examine the common secrets
  • Explore secret store types
  • Describe throttling
  • Create common secret stores
  • Configure throttling
Lesson 3: Deploying PingGateway
Explore how to deploy PingGateway into a production context by using property value substitution and clustering:
  • Describe property value substitution
  • Set up multiple PingGateway instances
  • Integrate configuration tokens in the solution
  • Deploy a second PingGateway instance
Mar 16
5 days
PF-300-BVP Rev A

PingFederate Administration

This course implements various use cases with PingFederate and introduces industry concepts such as federation, SAML, and OAuth. The course also includes PingFederate-specific topics such as integration kits, adapters, SSO connections, and OAuth configuration. Hands-on exercises allow the participants to have first-hand experience in configuring PingFederate, establishing a web SSO connection and OAuth clients, and doing some basic troubleshooting.


The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingFederate course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Day 1: Background of Federation Web SSO and Core Product

  • Introduction to identity federation
  • Introduction to integration kits
  • Configuring SP and IdP adapters and password credential validators
    • Lab 1: HTML Form Adapter and Reference ID adapter configuration
  • Introduction to SAML
  • Configuring IdP and SP SSO connection
    • Lab 2: Creating connections for IdP and SP web SSO
  • Server logs
    • Lab 3: Review the server logs to follow an SSO transaction

Day 2: Further Integration and PingFederate Functionality

  • Attribute mapping and data source
    • Lab 4: Mapping attributes from external sources
    • Lab 5: Using an external source for authentication
  • Introduction to authentication policies
    • Lab 6: Creating authentication selectors, policy contracts, and authentication policies
    • Lab 7: Tracing SSO transactions in the PingFederate logs

Day 3: OAuth2 and Advanced Administration

  • Introduction to OAuth2
  • OAuth2 scopes and access tokens
    • Lab 8: Configuring OAuth2 grants (including token validation, authorization code)
    • Lab 9: Create an OAuth client for client credentials grant type
    • Lab 10: Create an OAuth client for a resource server
    • Lab 11: Create an OAuth client for authorization grant type
  • Introduction to OIDC
  • PingFederate administrative API
    • Lab 12: Using the admin API
  • Server Administration 
  • Deployment scenarios and clustering
    • Lab 13 (optional): Configuring a cluster
Mar 16
3 days
PIDM-400 BVP Rev A

PingIDM Administration

Learn how to install and deploy PingIDM (IDM) in an on-prem or self-managed cloud environment to manage the lifecycle and relationship of digital identities. Topics include how to model identity objects in IDM, create connector configurations and synchronization mappings to manage the flow of identity objects and properties with various external identity resources, manage workflows, and deploy IDM within a cluster. This course explores the identity management-related features in depth, how they work, and the configuration options available during implementation.

Note: Revision A of this course is based on version 8.0.1 of PingIDM.

Upon completion of this course, you should be able to:

  • Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM
  • Create and configure connections between external resources and IDM
  • Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store
  • Install and deploy IDM in an on-prem or cloud provider Linux environment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingIDM Essentials course available at: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Basic knowledge and skills using the Linux operating system will be required to complete the labs.
  • Basic knowledge of JSON, JavaScript, REST, Java, Groovy, SQL and LDAP would be helpful for understanding the examples; however, programming experience is not required.

Chapter 1: Building and Configuring the Prerequisites

Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM.

Lesson 1: Setting Up the Lab
Provide an overview of how to set up the lab environment:

  • Install IDM
  • Explore the auxiliary software

Lesson 2: Modeling Objects and Identities
Describe how to model objects and identities via REST:

  • Introduce the Postman collection
  • Run the Postman collection

Lesson 3: Setting Up the End-User UI
Describe how to configure the end-user UI:

  • Install and configure the end-user UI
  • Retrieve, compile and deploy the end-user UI
  • Access the end-user UI

Chapter 2: Managing Connectors

Create and configure connections between external resources and IDM.

Lesson 1: Configuring Connectors With the IDM Admin UI
Create a connector configuration to connect to an external resource using the IDM admin UI:

  • Connect external resources to IDM
  • Create a connector configuration using the IDM admin UI
  • Add a connector configuration for an external LDAP resource
  • Add a CSV connector configuration
  • Add a connector configuration to import device identities

Lesson 2: Configuring Connectors Over REST
Create a connector configuration in IDM over the REST interface:

  • Create a connector configuration over REST
  • Describe the core connector configuration settings
  • Describe the object types and property mappings
  • Use the scripted SQL connector
  • Create a scripted SQL connector configuration

Chapter 3: Managing Synchronization and Reconciliation

Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store.

Lesson 1: Performing Basic Synchronization
Describe how to use the IDM admin UI to create sync mappings to reconcile identities between IDM and an external resource:

  • Create mappings to synchronize identity objects and properties
  • Create a sync mapping from IDM to an external resource
  • Add source and target properties to the sync mapping
  • Add a correlation query and a situational event script
  • Set the situational behaviors and run reconciliation
  • Add a sync mapping from IDM to an LDAP server
  • Describe the sync mapping from an LDAP server to IDM
  • Add a sync mapping from an LDAP server to IDM
  • Create a sync mapping to provision devices to the IDM repository

Lesson 2: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:

  • Filter entries
  • Run selective synchronization using filters
  • Use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Schedule LiveSync
  • Schedule LiveSync with an external resource
  • Control synchronization to multiple targets

Lesson 3: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:

  • Provision attributes to a target system based on static role assignments
  • Enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Add temporal constraints to a role
  • Set temporal constraints on a role

Lesson 4: Configuring a Custom Endpoint
Describe how to configure a custom endpoint:

  • Use a custom endpoint
  • Create a custom endpoint (optional)

Chapter 4: Installing and Deploying IDM

Install and deploy IDM in an on-prem or cloud provider Linux environment.

Lesson 1: Installing an IDM instance
Install a stand-alone IDM instance for development and test the IDM sample configurations:

  • Describe the basic IDM installation requirements
  • Install and start IDM
  • Install IDM
  • Select MariaDB as a backend repository
  • Describe how to start IDM with a sample configuration
  • Start IDM with a sample configuration
  • Describe how to configure IDM to run as a background process or service
  • Configure IDM to run as a background process

Lesson 2: Monitoring and Troubleshooting
Describe how to set up monitoring and perform basic troubleshooting:

  • Describe the monitoring options available for IDM
  • Set up monitoring in IDM
  • Describe the different IDM log files
  • Examine the different log files in IDM (optional)

Lesson 3: Managing Passwords
Describe how to set up and fine-tune password policies and synchronizations in an IDM deployment:

  • Describe password policies in IDM
  • Set up password policies in IDM
  • Describe password synchronization from DS into IDM
  • Set up password synchronization from DS into IDM
Mar 16
3 days
AIC-CERT-PREP Rev A

Certified Professional - PingOne Advanced Identity Cloud Exam Preparation

This course helps prepare students to take the Certified Professional - PingOne Advanced Identity Cloud exam, formerly known as the ForgeRock® Identity Cloud Certified Professional exam. This is accomplished by presenting students with information concerning exam contents, logistics, tips for preparing to take the exam, lab exercises to cover exam contents, and a sample exam that is representative of the exam itself.

Upon completion of this course, you should be able to:

  • Register to take the exam
  • Prepare for the exam using recommended study materials
  • Take the exam either remotely or at a Pearson Testing Center

The following are the prerequisites for successfully completing this course:

  • Successful completion of the AIC-300 Getting Started With PingOne Advanced Identity Cloud for Administrators course
  • Thorough understanding of all PingOne Advanced Identity Cloud documentation and Knowledge Base articles on Backstage
  • 3-6 months of experience configuring and administering PingOne Identity tenants
  • Working knowledge of OAuth 2.0, OpenID Connect and SAML v2.0

Course Contents

Exam Overview
  • Explain exam metrics and passing scores
  • Provide an approach for responding to test questions
  • Identify options for registering and taking the exam
  • Describe testing center requirements
  • Describe requirements for taking the exam online
  • Show how to access exam results
Exam Details
  • Review the exam details and requirements
  • Explain exam topics and study areas
  • Present the objectives covered in the exam
  • Review important concepts associated with exam objectives
  • Review sample questions associated with objectives
  • Provide applicable materials for review
Lab Exercises
  • Research topics which will be covered in the exam
  • Navigate the PingOne Advanced Identity Cloud admin UI
  • Describe PingOne Advanced Identity Cloud configuration settings
  • Explain how to perform PingOne Advanced Identity Cloud related tasks
  • Configure PingOne Advanced Identity Cloud related services
Sample Exam
  • Test a student’s knowledge of PingOne Advanced Identity Cloud
  • Provide students with a representative exam experience
Mar 17
1 day
SDK-541-BVP Rev B

Developing Applications Using SDKs

This course is for students who want to learn how to use the SDKs to speed up the integration of JavaScript, Android, and iOS applications within an access management solution. The course presents key use cases and features of the SDKs.

Note: Revision B of this course is based on version 7 of the Ping Identity Platform (Identity Platform), formerly known as ForgeRock® Identity Platform, and SDK 3.


Upon completion of this course, you should be able to:

  • Introduce the SDKs, describe how they fit into the Identity Platform, and how they interact with PingAM, formerly known as ForgeRock® Access Management
  • Present the centralized login flow, implement centralized login authentication, and observe device single sign-on (SSO)
  • Present the Embedded Login flow and execute authentication, registration, and self-service journey
  • Increase the security of your application and enhance the user experience with social authentication, passwordless biometric authentication, device profile and location collection and analysis, and multi-factor authentication (MFA) with one-time passwords (OTPs) and push authentication

The following are the prerequisites for successfully completing this course:

  • Basic knowledge and skills using the Linux and Windows operating systems to complete labs
  • Basic knowledge of HTTP and communications between clients and servers is critical to understanding the interaction between the SDKs and AM
  • Basic knowledge of JSON, JavaScript, REST, and Java
  • Good knowledge of either JavaScript, Android, or iOS application development
  • Attendance on the PingAM Deep Dive (AM-410) course or equivalent knowledge
Chapter 1: Introducing the SDKs

Introduce the SDKs, describe how they fit into the Identity Platform, and how they interact with AM.

Lesson 1: The SDKs and Common Use Cases
Introduce the SDKs and common use cases:
  • Describe the SDKs
  • Explore the role of the SDKs through common use cases
  • Technical overview of the SDKs
  • Using SDK components
  • Interaction between the SDKs and AM
Lesson 2: Mobile Development Environment and Project Quickstart for Android and iOS
Learn how to set up a development environment:
  • Preparing the server
  • iOS Environment and Project Setup
  • Android Environment and Project Setup
  • JavaScript Environment and Project Setup
  • Preface to the exercises
  • Set up an iOS development environment
  • Set up an Android development environment
  • Set up a JavaScript development environment
Chapter 2: Authentication with Centralized Login

Present the centralized login flow, implement centralized login authentication, and observe device SSO.

Lesson 1: Authenticate With Centralized Login
Learn how to use the SDKs with centralized login:
  • Understand the login flow choices
  • Implement centralized login on mobile
  • Implement centralized login in JavaScript
  • Authenticate with centralized login on iOS
  • Authenticate with centralized login on Android
  • Authenticate with centralized login in JavaScript
Lesson 2: (Optional) Observe SSO Between Mobile Apps
Learn how to implement SSO between mobile apps with centralized login:
  • SSO between mobile apps with centralized login
Chapter 3: Working with Embedded Login

Present the Embedded Login flow and execute authentication, registration, and self-service journeys.

Lesson 1: Authenticate with Embedded Login
Learn how to use the SDKs with Embedded Login to authenticate:
  • Understand the APIs for Embedded Login
  • Authenticate with embedded login on iOS
  • Authenticate with embedded login on Android
  • Authenticate with embedded login in JavaScript
Lesson 2: Follow Authentication Journeys
Learn how to follow authentication journeys:
  • Respond to Callbacks
  • Respond to Stages
  • Respond to stages on iOS
  • Respond to stages on Android
  • Respond to stages in JavaScript
  • (Optional) Transactional authorization
Lesson 3: Registration and Self-Service Journeys
Learn how to follow registration and self-service journeys:
  • Respond to registration or self-service journeys
  • Implement self-service registration on iOS
  • Implement self-service registration on Android
  • Implement self-service registration in JavaScript
  • Call other journeys / Intercept REST calls
  • Implement self-service password change on iOS
  • Implement self-service password change on Android
  • Implement self-service password change in JavaScript

Lesson 4: Send and Process Verification Emails
Learn how to suspend journey processing and resume after the user has followed the resume link sent by email:

  • Suspend the journey and await the user following the resume link
  • Suspend and resume authentication on iOS
  • Suspend and resume authentication on Android
  • Suspend and resume authentication in JavaScript

Chapter 4: Increasing Security and Enhancing User Experience

Increase the security of your application and enhance the user experience with social authentication, passwordless biometric authentication, device profile and location collection and analysis, and MFA with OTPs and push authentication.

Lesson 1: Authenticate with Social Login
Learn how to implement social authentication:
  • Implement social login
  • Login with Google on iOS
  • Login with Google on Android
  • Login with Google in JavaScript
Lesson 2: Authenticate with WebAuthn and Biometrics
Learn how to implement biometric authentication on mobile:
  • Review WebAuthn concepts
  • Implement biometric authentication on mobile
  • Implement WebAuthn on iOS
  • Implement WebAuthn on Android
  • Implement web biometric authentication
  • Implement WebAuthn in JavaScript
Lesson 3: Collect and Validate Device Profiles and Geolocation
Learn how to collect device profile data and geolocation for validation:
  • Configure a user journey to verify and save device profile data
  • Device profile processing in the SDKs
  • Collect device profile data on iOS
  • Implement device profile collection on iOS
  • Collect device profile data on Android
  • Implement device profile collection on Android
  • Collect device profile data in JavaScript
  • Implement device profile collection in JavaScript
  • Analyze device context
  • Implement location-based security
  • Collect location information on iOS, Android or in JavaScript
  • Implement device tampering detection
  • Customize what data is collected
  • Check for device tampering and customize device profile collection on iOS
  • Check for device tampering and customize device profile collection on Android
  • Customize device profile collection in JavaScript
Lesson 4: MFA with Push and OATH on Mobile
Learn how to provide MFA with Push Authentication and Soft Token:
  • Integrate the ForgeRock Authenticator Module in a mobile app
  • Examine using the Authenticator Module on iOS
  • Examine using the Authenticator Module on Android
Mar 18
3 days
P1-400-BVP Rev A.1

PingOne Administration

This course gives learners the tools to get started with PingOne administration. It covers initial setup tasks, including creating and managing PingOne environments, application integration, and customization. This course also provides information on most common administration tasks, including user and group management, managing access policies, best practices, and troubleshooting of common issues.

Upon completion of this course, you should be able to:

  • Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment
  • Demonstrate administration of PingOne user populations, user roles, attributes, and groups
  • Demonstrate integration and troubleshooting of PingOne applications
  • Demonstrate how to use access control policies within PingOne
  • Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne
  • Demonstrate troubleshooting techniques and best practices within PingOne

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses available at: https://backstage.forgerock.com/university/ping/on-demand/category/PING
    • PingOne Fundamentals
    • Introduction to PingOne MFA
    • Getting Started With PingOne MFA
    • Getting Started With PingOne SSO
    • (Optional) Introduction to PingOne DaVinci
Chapter 1: Introducing PingOne

Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment.

Lesson 1: Providing an Overview of PingOne
Summarize PingOne capabilities and key features:
  • Describe PingOne as a cloud-based IDaaS solution
  • Describe PingOne environment solutions
  • Create a new environment
Lesson 2: Introducing Ping Identity Support Resources
Describe PingOne support resources:
  • Locate Ping Identity support resources
Chapter 2: Managing Users

Demonstrate administration of PingOne user populations, user roles, attributes, and groups.


Lesson 1: Managing Users and Populations

Describe how to manage users in PingOne, including how to create populations and add individual users:

  • Review default users
  • Edit default users
  • Create populations
  • Create a new population
  • Create new users
  • Create a new user
Lesson 2: Managing User Roles, Attributes, and Groups
Create a new population and new users:
  • Manage administrator roles
  • Assign roles to administrators
  • Understand user attributes
  • Manage user attributes
  • Manage user groups
  • Manage user group memberships
Chapter 3: Defining Application Integration

Demonstrate integration and troubleshooting of PingOne applications

Lesson 1: Describing the Supported Federation Protocols
Understand the various identity federation protocols used within PingOne:
  • Understand federation protocols
  • Add an application from the catalog
  • Understand SAML2
  • Add a custom SAML2 application
  • Understand OAuth2
  • Understand OIDC
  • Add a custom OIDC application
  • Administer the Application Portal
Lesson 2: Troubleshooting Common PingOne Issues
Describe common issues that occur in PingOne, troubleshooting steps, and best practices:
  • Describe authentication failures
  • Define SSO failures
  • Describe attribute mapping errors
  • Determine certificate issues
  • Define group membership issues
  • Describe application integration issues
  • Define gateway access issues
  • Describe best practices
Chapter 4: Configuring Access Control

Demonstrate how to use access control policies within PingOne.

Lesson 1: Managing Authentication Policies
Describe how to create and manage authentication policies in PingOne:
  • Describe authentication policies
  • Create an authentication policy
Lesson 2: Managing Password Policies
Describe how to manage password policies in PingOne:
  • Define password policies
  • Edit a password policy
Lesson 3: Using Additional Authentication Methods
Describe how to create and manage authentication methods used in PingOne policies:
  • Describe MFA and FIDO policies
  • Create an MFA policy
  • Create a FIDO policy
Chapter 5: Managing the Identity Lifecycle

Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne.

Lesson 1: Managing User Onboarding
Discuss the initial stages of the identity lifecycle within PingOne, and describe how new user accounts are created and made ready for access:
  • Onboard users
  • Create users manually
Lesson 2: Understanding User Provisioning
Explain how PingOne automates the management of user access to applications, building upon the user identities created during onboarding:
  • Provision users
Lesson 3: Understanding User Maintenance
Describe how to manage the user maintenance capabilities in PingOne:
  • Administer user accounts
  • Manage a user account
Lesson 4: Managing User Offboarding
Understand the critical process of user offboarding within PingOne:
  • Offboard users
Lesson 5: Monitoring and Reporting
Explain the importance of monitoring and reporting within PingOne:
  • Monitor activity and view reports

Chapter 6: Troubleshooting and Best Practices

Demonstrate troubleshooting techniques and best practices within PingOne.

Lesson 1: Managing the Troubleshooting Process
Summarize the troubleshooting process and common techniques within PingOne:
  • Introduce the troubleshooting process
  • Understand common troubleshooting techniques
Lesson 2: Reviewing Best Practices
Summarize PingOne administration best practices:
  • Maintain a healthy PingOne environment
Mar 18
2 days
AIC-330-BVP Rev A

Getting Started With PingOne Advanced Identity Cloud for Administrators

This course shows students how to administer PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud. This is achieved through the various online resources available to them and a fully functional hands-on development environment, where they learn how to administer Advanced Identity Cloud in a training environment. Students are provided with a live Advanced Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, user journeys, and tenant configuration in their own Advanced Identity Cloud.

Upon completion of this course, you should be able to:

  • Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options
  • Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords
  • Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator
  • Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how Identity Gateway can protect web applications when it is integrated with Advanced Identity Cloud
  • Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants

The following are the prerequisites for successfully completing this course:

  • Completion of the Product Essentials courses available at: https://backstage.forgerock.com/university/cloud-learning
  • Introduction to PingAM
  • PingIDM Essentials
  • PingGateway Essentials
  • Introduction to PingDS
Chapter 1: Accessing Advanced Identity Cloud

Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options.

Lesson 1: Managing Administrators
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
  • Introduce the Advanced Identity Cloud admin UI
  • Manage administrators
  • Invite an administrator
Lesson 2: Introducing UI Integration
Understand UI integration options:
  • Explain UI integration options
  • Configure themes for the Alpha and Bravo realms

Chapter 2: Administering Identities

Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords.

Lesson 1: Managing Identities
Manage user identities:
  • Introduce managed objects
  • Manage a user profile
Lesson 2: Adding Identities With Bulk Import
Bulk import user identities from a CSV file to add test users to your tenant:
  • Describe bulk import
  • Import test users
Lesson 3: Managing Organizations
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
  • Describe roles and privileges within an organization
  • Implement delegated administration for an organization model
Lesson 4: Delegating User Management
Explain how to delegate administration privileges to managed users:
  • Delegate administration privileges
  • Delegate password reset
Chapter 3: Managing User Journeys

Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator.

Lesson 1: Managing Journeys
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
  • Introduce journeys
  • Modify journeys
  • Describe how to export and import journeys
  • Export and import journeys
  • Describe how to debug a journey
  • Enable debug mode on a user journey
Lesson 2: Managing Server-Side Sessions
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
  • Describe server-side sessions
  • Invalidate server-side sessions
Lesson 3: Configuring Email Templates
Understand the use of email templates in a journey flow:
  • Explore email templates and nodes
  • Configure email templates
  • Use email templates in user journeys
Chapter 4: Integrating With Advanced Identity Cloud

Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how PingGateway can protect web applications when it is integrated with Advanced Identity Cloud.

Lesson 1: Defining Applications
Describe the role of an application in Advanced Identity Cloud:
  • Introduce applications
  • Register a Bookmark app
Lesson 2: Synchronizing Identities
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
  • Explain how to connect to external resources
  • Configure an RCS cluster
  • Configure debug logging
  • Add an authoritative application
  • Explain synchronization
  • Create inbound mappings and run reconciliation
  • Synchronize passwords
  • Create a target Application with outbound mappings
Lesson 3: Protecting Web Resources
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
  • Introduce PingGateway
  • Integrate PingGateway with Advanced Identity Cloud
  • Integrate the PingGateway sample application with Advanced Identity Cloud
Chapter 5: Administering Your Tenant

Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants.

Lesson 1: Managing the Configuration
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
  • Introduce Service Accounts
  • Create and manage a service account
  • Introduce the Advanced Identity Cloud REST API
  • Display Advanced Identity Cloud identities using the REST API
  • Introduce configuration management
  • Create a baseline configuration repository
  • Describe how to manage ESVs
  • Create and call ESV variables
  • Promote your configuration
Lesson 2: Monitoring Tenant Activities
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
  • Explore Logs
  • Retrieve log data using the REST API
  • Retrieve log data using the Frodo CLI
  • Monitor your tenant
  • Monitor tenant health and visualize monitoring metrics
  • Explore the Advanced Identity Cloud analytics dashboard
Lesson 3: Managing Password Policies
Explain how an Advanced Identity Cloud administrator manages realm password policies:
  • Manage realm password policies
  • Configure password policies
Lesson 4: Additional Administration Tasks
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
  • Introduce outbound static IP addresses
  • View outbound static IP addresses
  • Manage tenant certificates
  • Add a custom domain name
Mar 23
3 days
PFAA-400-BVP Rev A

PingFederate Advanced Administration

This course steps the learner through various advanced PingFederate administration topics, such as configuring memory options for PingFederate, logging to a database server, configuring certificate revocation checking and certificate rotation, configuring self-service features of the HTML Form Adapter, identity provider (IdP) to service provider (SP) bridging, clustering with dynamic discovery, and more.



The following are the prerequisites for successfully completing this course:

  • Completion of the PingFederate Administration course, or
  • Equivalent experience with PingFederate

Day 1: Course Introduction

  • Server Administration
    • Configuring JVM memory options
    • Configuring virtual host names
    • Certificate based console administration
    • Lab 1: Configuring OIDC-based console single sign-on (SSO)
  • PingFederate logging
    • Customizing audit logs
    • The log4j2.xml file
    • Logging to an external database
    • Lab 2: Logging with PingFederate
  • Certificates
    • Certificate revocation checking
    • Certificate rotation
Day 2:
  • HTML Form Adapter Self-Service Features
    • Password spray and account lockout prevention
    • Self-service password change
    • Self-service password reset
    • Self-service username recovery
    • Lab 3: HTML Form Adapter self-service options
  • HTML Form Adapter Self-Registration
    • Customer IAM with local identity profiles
    • Self-registration with local identity profiles
    • Self-registration using third-party IdPs
    • Lab 4: HTML Form Adapter customer registration
  • Advanced Attribute Mapping
    • Using multiple datastores
    • Using REST API as a datastore
    • Extended properties
    • PingDirectory virtual attributes
  • SSO Connections
    • Customizing SSO URLs
    • SP target URL mapping
    • IdP-to-SP bridging
    • Session management
    • Lab 5: SSO connections
Day 3:
  • Federation Hub
    • Bridging an IdP to an SP
    • Bridging an IdP to multiple SPs
    • Bridging multiple IdPs to an SP
    • Bridging multiple IdPs to multiple SPs
  • OAuth2 and OIDC
    • Dynamic client registration
    • Using directories for persistent grant storage
    • Creating and managing OIDC profiles
    • Lab 6: Configuring OIDC profiles
  • Clustering
    • Cluster protocol architecture
    • Runtime state management architecture
    • Adaptive clustering
    • Directed clustering
    • Dynamic discovery
    • Cluster replication
    • Lab 7: Clustering
  • Troubleshooting
    • SSO issues
    • OAuth2 issues
    • Certificate issues


Mar 25
3 days
AIC-330-BVP Rev A

Getting Started With PingOne Advanced Identity Cloud for Administrators

This course shows students how to administer PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud. This is achieved through the various online resources available to them and a fully functional hands-on development environment, where they learn how to administer Advanced Identity Cloud in a training environment. Students are provided with a live Advanced Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, user journeys, and tenant configuration in their own Advanced Identity Cloud.

Upon completion of this course, you should be able to:

  • Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options
  • Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords
  • Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator
  • Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how Identity Gateway can protect web applications when it is integrated with Advanced Identity Cloud
  • Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants

The following are the prerequisites for successfully completing this course:

  • Completion of the Product Essentials courses available at: https://backstage.forgerock.com/university/cloud-learning
  • Introduction to PingAM
  • PingIDM Essentials
  • PingGateway Essentials
  • Introduction to PingDS
Chapter 1: Accessing Advanced Identity Cloud

Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options.

Lesson 1: Managing Administrators
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
  • Introduce the Advanced Identity Cloud admin UI
  • Manage administrators
  • Invite an administrator
Lesson 2: Introducing UI Integration
Understand UI integration options:
  • Explain UI integration options
  • Configure themes for the Alpha and Bravo realms

Chapter 2: Administering Identities

Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords.

Lesson 1: Managing Identities
Manage user identities:
  • Introduce managed objects
  • Manage a user profile
Lesson 2: Adding Identities With Bulk Import
Bulk import user identities from a CSV file to add test users to your tenant:
  • Describe bulk import
  • Import test users
Lesson 3: Managing Organizations
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
  • Describe roles and privileges within an organization
  • Implement delegated administration for an organization model
Lesson 4: Delegating User Management
Explain how to delegate administration privileges to managed users:
  • Delegate administration privileges
  • Delegate password reset
Chapter 3: Managing User Journeys

Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator.

Lesson 1: Managing Journeys
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
  • Introduce journeys
  • Modify journeys
  • Describe how to export and import journeys
  • Export and import journeys
  • Describe how to debug a journey
  • Enable debug mode on a user journey
Lesson 2: Managing Server-Side Sessions
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
  • Describe server-side sessions
  • Invalidate server-side sessions
Lesson 3: Configuring Email Templates
Understand the use of email templates in a journey flow:
  • Explore email templates and nodes
  • Configure email templates
  • Use email templates in user journeys
Chapter 4: Integrating With Advanced Identity Cloud

Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how PingGateway can protect web applications when it is integrated with Advanced Identity Cloud.

Lesson 1: Defining Applications
Describe the role of an application in Advanced Identity Cloud:
  • Introduce applications
  • Register a Bookmark app
Lesson 2: Synchronizing Identities
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
  • Explain how to connect to external resources
  • Configure an RCS cluster
  • Configure debug logging
  • Add an authoritative application
  • Explain synchronization
  • Create inbound mappings and run reconciliation
  • Synchronize passwords
  • Create a target Application with outbound mappings
Lesson 3: Protecting Web Resources
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
  • Introduce PingGateway
  • Integrate PingGateway with Advanced Identity Cloud
  • Integrate the PingGateway sample application with Advanced Identity Cloud
Chapter 5: Administering Your Tenant

Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants.

Lesson 1: Managing the Configuration
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
  • Introduce Service Accounts
  • Create and manage a service account
  • Introduce the Advanced Identity Cloud REST API
  • Display Advanced Identity Cloud identities using the REST API
  • Introduce configuration management
  • Create a baseline configuration repository
  • Describe how to manage ESVs
  • Create and call ESV variables
  • Promote your configuration
Lesson 2: Monitoring Tenant Activities
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
  • Explore Logs
  • Retrieve log data using the REST API
  • Retrieve log data using the Frodo CLI
  • Monitor your tenant
  • Monitor tenant health and visualize monitoring metrics
  • Explore the Advanced Identity Cloud analytics dashboard
Lesson 3: Managing Password Policies
Explain how an Advanced Identity Cloud administrator manages realm password policies:
  • Manage realm password policies
  • Configure password policies
Lesson 4: Additional Administration Tasks
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
  • Introduce outbound static IP addresses
  • View outbound static IP addresses
  • Manage tenant certificates
  • Add a custom domain name
Mar 25
3 days
PA-400 BVP Rev A

PingAccess Administration

This course provides the information you need to set up and configure PingAccess as a policy server to protect both web applications and APIs. After completing this course, you will know how to configure PingAccess in both a gateway and agent model, and configure different types of policies that PingAccess offers.

Upon completion of this course, you should be able to:

  • Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate)
  • Configure PingAccess as a Reverse Proxy
  • Configure policies in PingAccess to further bolster administration capabilities

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Introduction to PingAccess
  • Getting Started With PingAccess
  • Introduction to PingFederate
  • Getting Started With PingFederate

Chapter 1: Configuring and Connecting PingAccess

Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate).

Lesson 1: Configuring PingAccess as a Reverse Proxy (Gateway Model)

Describe how to configure PingAccess as a reverse proxy (gateway model):

  • Introduce the gateway model
  • Enable PingAccess as a reverse proxy
  • Configure PingAccess resources and rewrite rules

Lesson 2: Connecting PingAccess to a Token Provider (PingFederate)

Describe the responsibilities of token providers and how to configure PingAccess to use PingFederate as a token provider:

  • Introduce token providers
  • Configure OAuth2 in PingFederate
  • Configure PingAccess using the gateway model

Chapter 2: Configuring PingAccess Applications, Agents, and Sites

Configure PingAccess as a Reverse Proxy.

Lesson 1: Protecting Web Apps

Describe how to protect web apps by configuring them with PingAccess and OpenID Connect (OIDC):

  • Define the OIDC protocol
  • Introduce web sessions
  • Create a web session using OIDC claims

Lesson 2: Working With Sites

Create identity mappings and advanced web sessions:

  • Create identity mappings and advanced web sessions

Lesson 3: Working With Rules and Policies

Describe how to work with rules and policies within PingAccess:

  • Describe the rules and policies process
  • Create web access rules
  • Create API access control rules

Chapter 3: Configuring Policies and Administration

Configure policies in PingAccess to further bolster administration capabilities.

Lesson 1: Maintaining PingAccess

Discuss how to maintain PingAccess through resources, audit logs, and redirection:

  • Dive deeper into resources
  • Examine audit logs
  • Manage redirection

Lesson 2: Configuring PingAccess as a Policy Server (Agent Model)

Configure PingAccess to be a policy server by implementing the agent model:

  • Introduce the agent model

Lesson 3: Optimizing and Configuring PingAccess

Optimize PingAccess through configuration, single sign-on (SSO), and the admin API:

  • Implement improvements
  • Enable PingAccess administrator SSO
  • Use the PingAccess administrative API
  • Increase the JVM Heap Size

Lesson 4: Creating PingAccess Clusters

Create PingAccess clusters to increase resilience and simplify procedures:

  • Deploy clusters
  • Configure simple clusters in PingAccess (Optional)
Mar 29
2 days
AM-421-BVP Rev B.3

PingAM: Customization and APIs

This course provides a hands-on technical introduction to PingAM (AM), formerly known as ForgeRock® Access Management, APIs and customization use cases. Students examine AM extension points and gain the skills required to extend and integrate an AM deployment in a real-world context. Additionally, students learn to implement various clients that communicate with AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.


Note: This course revision is based on version 7.3 of PingAM


Upon completion of this course, you should be able to:

  • Provide a high-level overview of the PingAM (AM) configuration architecture
  • Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node
  • Explore how to use the PingAM (AM) authorization policy sets, policies, and policy evaluation, and create custom policy conditions with Java and scripts
  • Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees
  • Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement OpenID Connect (OIDC) claims by using the scripting API

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
Chapter 1: Introducing Customization in PingAM


This chapter provides a high-level overview of the PingAM (AM) configuration architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended.

Lesson 1: Using Extension (Customization) Points
Describe a high-level overview of the AM architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended:
  • List extension (customization) points of AM
  • List customizable AM components
  • Quiz questions
  • Access the lab environment
  • Manage the course application components
Chapter 2: Customizing Authentication

Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node.


Lesson 1: Authentication With Trees and Nodes: An Introduction
Introduce authentication trees and nodes and how to configure an authentication tree:
  • Understand how AM performs authentication
  • Describe AM authentication trees and nodes
  • Compare tree and chain mechanisms
  • Quiz questions
  • Create an authentication tree with default nodes
  • Test the authentication tree
Lesson 2: Customizing Authentication Trees and Nodes
Prepare a coding build environment and generate a custom authentication node using a Maven archetype:
  • Describe custom authentication nodes
  • Prepare a build environment
  • Generate a custom node with a Maven archetype
  • List custom node classes
  • Customize node outcomes
  • Deploy the custom node
  • Modify custom node configuration and logic
  • Post-authentication hooks for trees
  • Quiz questions
  • Create initial custom authentication node source files
  • Modify the custom node’s implementation to be dynamic
  • Deploy and test the custom authentication node
  • Test the authentication tree with the custom node
Lesson 3: Developing Scripts With the Scripting API
Introduce scripting, how scripts work, what they can be used for, and how they can be managed through the AM admin UI:
  • Understand the basic concepts of scripting
  • Understand the scripting environment and the scripting API
  • Use the AM admin UI to manage scripts
  • Use the REST API to manage scripts
  • Develop client and server scripts
  • Use decision scripted authentication nodes in trees
  • Quiz questions
  • Explore client-side scripting with authentication nodes
  • Create an authentication tree with client-side and server-side scripts
  • Write a server-side script that uses a REST API request
Lesson 4: Migrating Authentication Modules to Trees and Nodes
Describe the design and implementation issues when migrating authentication modules to trees and nodes:
  • Describe design principles for trees and nodes
  • List design and implementation steps
  • Choose node types
  • Map files from modules to nodes
  • Authentication modules as nodes
  • Migrate an LDAP chain to a tree
  • Migrate post-authentication plugins
  • Handle logout notifications
  • Configure redirection URLs
  • Implement account lockout
  • Link a chain to a tree and return custom failure messages
  • Quiz questions
  • Reference an article about migrating chains to trees
Chapter 3: Customizing Authorization

Explore how to use the PingAM (AM) authorization policy sets, policies, and policy evaluation, and create custom policy conditions with Java and scripts.


Lesson 1: Customizing Authorization
Explore the AM authorization framework and the concepts central to it, such as policy sets (applications), policies, and the policy evaluation flow:
  • Understand the policy concepts in AM
  • Identify the situation when a custom condition is needed
  • Customize policy evaluation with a plugin and an Entitlement Condition class
  • Implement a scripted condition
  • Quiz Questions
  • Explore the ContactList REST APIs and policy design
  • Create resource types and a policy set
  • Write a policy condition checking for maintenance mode
  • Modify the policy condition script to provide additional information
Chapter 4: Customizing With REST Clients

Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees.

Lesson 1: Using the REST API
Introduce the AM REST services and the Common REST API, how to invoke REST services from a JavaScript application, and how to configure CORS in AM:
  • Describe AM REST API services and the Common REST API
  • Understand the Common REST API
  • Explore REST API sorting, versioning, and status codes
  • Use AM services from a browser-based application
  • Enable CORS
  • Quiz questions
  • Study the ContactList application architecture
  • Configure the CORS filter in AM
  • Create a login service that uses AM authentication
Lesson 2: Authenticating With REST
Implement authentication and logout in a client application with the AM REST API either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
  • Review authentication and introduce RESTful authentication
  • Implement authentication with the simple REST API
  • Implement authentication with the full REST API
  • Describe callback types available in AM
  • Handle session upgrade and logout with the REST API
  • Implement RESTful token and session management
  • Use REST to manage identities
  • Manage realms with the REST API
  • Lesson Quiz
  • Implement a fully functional AM-based authentication in ContactList
  • Modify the login service to use the authentication tree
Lesson 3: Working With RESTful User Self-Service APIs
Discuss how a browser-based application can use the self-service API to perform operations on behalf of the user such as registration, password reset, and displaying the user dashboard:
  • Describe the self-service REST API
  • Configure AM for self-service
  • Implement password reset with REST
  • Self-register a user via REST
  • Lesson quiz
  • Prepare AM for the password reset functionality
  • Examine the password reset protocol
  • Extend ContactList with a password reset feature
Lesson 4: Authorizing With REST
Demonstrate how the AM REST API policy management and evaluation works, and how it can be utilized to protect resources that are either actual URLs or other entities like actions:
  • Understand how to use the policy engine to protect resources other than URLs
  • Describe the policy management REST API
  • Describe the policy evaluator REST API
  • Implement fine-grained authorization using policies and the REST API
  • Lesson quiz
  • Prepare AM for ContactList authorization
  • Extend the backend to use the authorization REST API
  • Extend the front-end application to use AM
Chapter 5: Federating With OAuth2

Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement OpenID Connect (OIDC) claims by using the scripting API.

Lesson 1: Implementing OAuth2 Custom Scopes
Discuss how PingAM (AM) supports the standard OAuth2 and OIDC protocols, including JSON Web Tokens (JWT):
  • Understand OAuth2 and use its HTTP endpoints
  • Examine the flow of the OAuth2 Authorization Code grant type
  • Understand OIDC and use its HTTP endpoints
  • Examine the flow of the OIDC Authorization Code grant type
  • Understand the scope validation mechanism and customize its default behavior
  • Use the Scripting API to customize the handling of OIDC claims
  • Set up the OAuth2/OIDC service in AM
  • Study and complete the ContactListTokenResponseTypeHandler code
  • Enable OAuth2 federation in the ContactList front-end
  • Turn ContactList RESTful backend into an OAuth2 resource server
Mar 30
5 days
PF-300-BVP Rev A

PingFederate Administration

This course implements various use cases with PingFederate and introduces industry concepts such as federation, SAML, and OAuth. The course also includes PingFederate-specific topics such as integration kits, adapters, SSO connections, and OAuth configuration. Hands-on exercises allow the participants to have first-hand experience in configuring PingFederate, establishing a web SSO connection and OAuth clients, and doing some basic troubleshooting.


The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingFederate course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Day 1: Background of Federation Web SSO and Core Product

  • Introduction to identity federation
  • Introduction to integration kits
  • Configuring SP and IdP adapters and password credential validators
    • Lab 1: HTML Form Adapter and Reference ID adapter configuration
  • Introduction to SAML
  • Configuring IdP and SP SSO connection
    • Lab 2: Creating connections for IdP and SP web SSO
  • Server logs
    • Lab 3: Review the server logs to follow an SSO transaction

Day 2: Further Integration and PingFederate Functionality

  • Attribute mapping and data source
    • Lab 4: Mapping attributes from external sources
    • Lab 5: Using an external source for authentication
  • Introduction to authentication policies
    • Lab 6: Creating authentication selectors, policy contracts, and authentication policies
    • Lab 7: Tracing SSO transactions in the PingFederate logs

Day 3: OAuth2 and Advanced Administration

  • Introduction to OAuth2
  • OAuth2 scopes and access tokens
    • Lab 8: Configuring OAuth2 grants (including token validation, authorization code)
    • Lab 9: Create an OAuth client for the Client Credentials grant type
    • Lab 10: Create an OAuth client for a resource server
    • Lab 11: Create an OAuth client for authorization grant type
  • Introduction to OIDC
  • PingFederate administrative API
    • Lab 12: Using the admin API
  • Server administration
  • Deployment scenarios and clustering
    • Lab 13 (optional): Configuring a cluster
Mar 30
3 days
PDS-400-BVP Rev A

PingDS Administration

This course is designed to provide students with the knowledge and concepts necessary to install, configure, and maintain a PingDS (DS), formerly known as ForgeRock® Directory Services, deployment.

Note: Revision A of this course is based on version 8.0.0 of DS.


Upon completion of this course, you should be able to:

  • Understand how to deploy directory servers, and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin
  • Measure performance, tune, and troubleshoot DS
  • Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services

The following are the prerequisites for successfully completing this course:

  • Knowledge of Lightweight Directory Access Protocol (LDAP).
  • An understanding of how directory servers function.
  • An understanding of REST and HTTP.
  • Knowledge of UNIX/Linux commands.
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required.
  • Completion of the PDS-100: Introduction to PingDS and PDS-330: Getting Started with PingDS on-demand courses.

Chapter 1: Deploying Directory Services

Understand how to deploy directory servers, and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin.

Lesson 1: Installing Directory Servers
Install directory servers for custom and Ping Identity Platform (Identity Platform) product deployments:
  • Prepare for a directory server installation
  • Access your lab environment
  • Prepare the lab environment
  • Install a directory server
  • Prepare directory servers for Identity Platform installations
  • Set up directory servers for AM
  • Set up a directory server as an IDM repository
  • Synchronize passwords with IDM
  • Configure password synchronization

Lesson 2: Replicating Data
Implement high availability for directory servers and maintain, monitor, and restore a replicated directory server topology:
  • Plan for replication
  • Install a replicated topology
  • Manage a replicated topology
  • Monitor and maintain replication
Lesson 3: Upgrading DS Servers
Prepare for and perform an upgrade of directory servers in a DS 7 replicated topology to DS 8:
  • Describe upgrade options
  • Upgrade DS 7 servers to DS 8
Lesson 4: Installing DS Directory Proxy
Understand the role of DS directory proxy and install DS directory proxy to provide a single point of entry to directory servers:
  • Introduce DS directory proxy
  • Install DS directory proxy
  • Provide a single point of access to replicas
Chapter 2: Tuning and Troubleshooting DS

Measure performance, tune, and troubleshoot DS.

Lesson 1: Measuring Performance
Understand performance requirements and settings that may be tuned to improve directory server performance:
  • Explain settings that affect performance
  • Prepare the lab environment
  • Tune the JE DB cache and generate performance tests
Lesson 2: Troubleshooting
Configure log files, collect troubleshooting data for Support, and monitor a DS deployment with Prometheus and Grafana:
  • Explain how to collect data for support
  • Collect data for support
  • Explore log files
  • Manage log files
  • Monitor a DS deployment
  • Observe monitoring metrics
Chapter 3: Accessing PingDS over HTTP(S)

Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services.

Lesson 1: Introducing HDAP
Access directory servers and perform operations over HTTP(S):
  • Describe REST-based HTTP access
  • Prepare the lab environment
  • Examine HTTP and HDAP configuration properties
  • Verify HDAP authentication
  • Explain HDAP operations
  • Manage resources with HDAP
Lesson 2: Using Account Management Actions
Manage passwords and display account usability information and resource schema:
  • Manage passwords
  • Update passwords
  • View JSON Schema
  • Get JSON schema
Apr 5
3 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in Google Kubernetes Engine (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Apr 6
5 days
AM-421-BVP Rev B.3

PingAM: Customization and APIs

This course provides a hands-on technical introduction to PingAM (AM), formerly known as ForgeRock® Access Management, APIs and customization use cases. Students examine AM extension points and gain the skills required to extend and integrate an AM deployment in a real-world context. Additionally, students learn to implement various clients that communicate with AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.


Note: This course revision is based on version 7.3 of PingAM


Upon completion of this course, you should be able to:

  • Provide a high-level overview of the PingAM (AM) configuration architecture
  • Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node
  • Explore how to use the PingAM (AM) authorization policy sets, policies, and policy evaluation, and create custom policy conditions with Java and scripts
  • Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees
  • Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement OpenID Connect (OIDC) claims by using the scripting API

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
Chapter 1: Introducing Customization in PingAM


This chapter provides a high-level overview of the PingAM (AM) configuration architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended.

Lesson 1: Using Extension (Customization) Points
Describe a high-level overview of the AM architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended:
  • List extension (customization) points of AM
  • List customizable AM components
  • Quiz questions
  • Access the lab environment
  • Manage the course application components
Chapter 2: Customizing Authentication

Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node.


Lesson 1: Authentication With Trees and Nodes: An Introduction
Introduce authentication trees and nodes and how to configure an authentication tree:
  • Understand how AM performs authentication
  • Describe AM authentication trees and nodes
  • Compare tree and chain mechanisms
  • Quiz questions
  • Create an authentication tree with default nodes
  • Test the authentication tree
Lesson 2: Customizing Authentication Trees and Nodes
Prepare a coding build environment and generate a custom authentication node using a Maven archetype:
  • Describe custom authentication nodes
  • Prepare a build environment
  • Generate a custom node with a Maven archetype
  • List custom node classes
  • Customize node outcomes
  • Deploy the custom node
  • Modify custom node configuration and logic
  • Post-authentication hooks for trees
  • Quiz questions
  • Create initial custom authentication node source files
  • Modify the custom node’s implementation to be dynamic
  • Deploy and test the custom authentication node
  • Test the authentication tree with the custom node
Lesson 3: Developing Scripts With the Scripting API
Introduce scripting, how scripts work, what they can be used for, and how they can be managed through the AM admin UI:
  • Understand the basic concepts of scripting
  • Understand the scripting environment and the scripting API
  • Use the AM admin UI to manage scripts
  • Use the REST API to manage scripts
  • Develop client and server scripts
  • Use decision scripted authentication nodes in trees
  • Quiz questions
  • Explore client-side scripting with authentication nodes
  • Create an authentication tree with client-side and server-side scripts
  • Write a server-side script that uses a REST API request
Lesson 4: Migrating Authentication Modules to Trees and Nodes
Describe the design and implementation issues when migrating authentication modules to trees and nodes:
  • Describe design principles for trees and nodes
  • List design and implementation steps
  • Choose node types
  • Map files from modules to nodes
  • Authentication modules as nodes
  • Migrate an LDAP chain to a tree
  • Migrate post-authentication plugins
  • Handle logout notifications
  • Configure redirection URLs
  • Implement account lockout
  • Link a chain to a tree and return custom failure messages
  • Quiz questions
  • Reference an article about migrating chains to trees
Chapter 3: Customizing Authorization

Explore how to use the PingAM (AM) authorization policy sets, policies, and policy evaluation, and create custom policy conditions with Java and scripts.


Lesson 1: Customizing Authorization
Explore the AM authorization framework and the concepts central to it, such as policy sets (applications), policies, and the policy evaluation flow:
  • Understand the policy concepts in AM
  • Identify the situation when a custom condition is needed
  • Customize policy evaluation with a plugin and an Entitlement Condition class
  • Implement a scripted condition
  • Quiz Questions
  • Explore the ContactList REST APIs and policy design
  • Create resource types and a policy set
  • Write a policy condition checking for maintenance mode
  • Modify the policy condition script to provide additional information
Chapter 4: Customizing With REST Clients

Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees.

Lesson 1: Using the REST API
Introduce the AM REST services and the Common REST API, how to invoke REST services from a JavaScript application, and how to configure CORS in AM:
  • Describe AM REST API services and the Common REST API
  • Understand the Common REST API
  • Explore REST API sorting, versioning, and status codes
  • Use AM services from a browser-based application
  • Enable CORS
  • Quiz questions
  • Study the ContactList application architecture
  • Configure the CORS filter in AM
  • Create a login service that uses AM authentication
Lesson 2: Authenticating With REST
Implement authentication and logout in a client application with the AM REST API either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
  • Review authentication and introduce RESTful authentication
  • Implement authentication with the simple REST API
  • Implement authentication with the full REST API
  • Describe callback types available in AM
  • Handle session upgrade and logout with the REST API
  • Implement RESTful token and session management
  • Use REST to manage identities
  • Manage realms with the REST API
  • Lesson Quiz
  • Implement a fully functional AM-based authentication in ContactList
  • Modify the login service to use the authentication tree
Lesson 3: Working With RESTful User Self-Service APIs
Discuss how a browser-based application can use the self-service API to perform operations on behalf of the user such as registration, password reset, and displaying the user dashboard:
  • Describe the self-service REST API
  • Configure AM for self-service
  • Implement password reset with REST
  • Self-register a user via REST
  • Lesson quiz
  • Prepare AM for the password reset functionality
  • Examine the password reset protocol
  • Extend ContactList with a password reset feature
Lesson 4: Authorizing With REST
Demonstrate how the AM REST API policy management and evaluation works, and how it can be utilized to protect resources that are either actual URLs or other entities like actions:
  • Understand how to use the policy engine to protect resources other than URLs
  • Describe the policy management REST API
  • Describe the policy evaluator REST API
  • Implement fine-grained authorization using policies and the REST API
  • Lesson quiz
  • Prepare AM for ContactList authorization
  • Extend the backend to use the authorization REST API
  • Extend the front-end application to use AM
Chapter 5: Federating With OAuth2

Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement OpenID Connect (OIDC) claims by using the scripting API.

Lesson 1: Implementing OAuth2 Custom Scopes
Discuss how PingAM (AM) supports the standard OAuth2 and OIDC protocols, including JSON Web Tokens (JWT):
  • Understand OAuth2 and use its HTTP endpoints
  • Examine the flow of the OAuth2 Authorization Code grant type
  • Understand OIDC and use its HTTP endpoints
  • Examine the flow of the OIDC Authorization Code grant type
  • Understand the scope validation mechanism and customize its default behavior
  • Use the Scripting API to customize the handling of OIDC claims
  • Set up the OAuth2/OIDC service in AM
  • Study and complete the ContactListTokenResponseTypeHandler code
  • Enable OAuth2 federation in the ContactList front-end
  • Turn ContactList RESTful backend into an OAuth2 resource server
Apr 6
5 days
PD-400-BVP Rev A.1

PingDirectory Administration

This course provides the knowledge you need to install and administer each component of the PingDirectory platform, which includes the PingDirectory server, PingDirectoryProxy server, PingDataSync server, the PingData Software Development Kit (SDK), and Delegated User Administration. This course references real-world scenarios driven by recurring use cases. You learn how to install each PingDirectory platform component, perform basic maintenance, and use the monitoring and troubleshooting tools. Hands-on lab exercises provide first-hand experience installing, configuring, tuning, and using the troubleshooting tools.


This course is built on version 10.

Upon completion of this course, you should be able to:

  • Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks
  • Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment
  • Describe how to install and manage the PingDirectoryProxy server
  • Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server
  • Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.

The following are the prerequisites for successfully completing this course:

  • Knowledge of UNIX/Linux commands.
  • A basic understanding of how directory servers function.
  • A basic understanding of REST and HTTP.
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
  • Completion of the Introduction to PingDirectory available at: https://backstage.pingidentity.com/university/

Chapter 1: Installing PingDirectory

Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks.

Lesson 1: Providing an Overview of PingDirectory
Describe the capabilities and key features of PingDirectory:
  • Describe the key features of PingDirectory
Lesson 2: Installing the PingDirectory Server
Summarize the PingDirectory server installation procedures:
  • Perform pre-installation procedures
  • Install PingDirectory
  • Describe post-installation procedures
Lesson 3: Completing Initial Configuration
Complete the PingDirectory server initial configuration settings:
  • Use server profiles
  • (Optional) Install PingDirectory

Chapter 2: Deploying PingDirectory

Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment.

Lesson 1: Managing the Schema
Describe the functions of the schema, and modify the schema by creating new attribute types, object classes, and a new custom user:
  • Describe the schema
  • Modify the schema
  • Modify the schema
  • Modify object classes
  • Create auxiliary object classes
  • Load custom schema elements
Lesson 2: Managing Objects
Define objects in LDAP and use the command-line tools to search, add, modify, and delete entries:
  • Search entries
  • Manage entries
  • Create objects
Lesson 3: Using Security and Encryption
Describe the basic vulnerabilities in LDAP server implementations, secure server data, use the encryption-settings tool to create an encryption settings database, and create sensitive attributes:
  • Prevent data vulnerability
  • Keep data secure
  • Configure encryption settings
Lesson 4: Using Virtual Attributes
Define virtual attributes and their use, recall the virtual attribute types, and create mirrored virtual attributes:
  • Define virtual attributes
  • Administer virtual attributes
Lesson 5: Managing Password Policies
Describe how to use password policies, and then create and assign password policies to individual accounts and/or user groups:
  • Describe password policies
  • Create a password policy
Lesson 6: Administering JSON Attributes
Describe how to manage and create JSON attributes:
  • Manage JSON attributes
  • Create JSON attributes
  • Manage the Password Policy State JSON
  • Administer JSON Attributes
Lesson 7: Managing the REST APIs
Describe the available REST APIs, list the HTTP methods available, and use the Directory REST API to create and update user entries:
  • Understand the REST APIs
  • Use the SCIM 2.0 REST API
  • Administer the Directory REST API
Lesson 8: Managing Logging
List the three types of available log publishers, describe the elements of the log format, and create log publishers:
  • Manage log publishers
  • Configure logging
  • Create a log publisher
Lesson 9: Managing Replication
Define the replication process and architecture, set up a server topology, enable the replication process, and initialize new replicas:
  • Understand replication
  • Enable replication
  • Resolve conflicts
  • Understand the replication protocol
  • Use replication over WAN
  • Plan deployment
  • Configure replication
  • Scale replication
  • Enable the replication process
Lesson 10: Managing Server Topologies
Discuss the topology registry, create server groups to aid in configuration changes, and compare configurations on separate directory servers:
  • Define the topology registry
  • Administer the server topology
Chapter 3: Administering the PingDirectoryProxy Server

Describe how to install and manage the PingDirectoryProxy server.

Lesson 1: Providing an Overview of the PingDirectoryProxy Server
Describe the capabilities and key features of the PingDirectoryProxy server:
  • Describe the key features
Lesson 2: Installing the PingDirectoryProxy Server
Describe how to install the PingDirectoryProxy server:
  • Describe the installation process
  • Install the PingDirectoryProxy server
Lesson 3: Managing the PingDirectoryProxy Server
Describe the key advanced PingDirectoryProxy server transformation features:
  • Describe the proxy transformations
  • Understand entry balancing
  • Create transformations
Chapter 4: Administering the PingDataSync Server

Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server.

Lesson 1: Providing an Overview of PingDataSync
Describe the capabilities and key features of the PingDataSync server:
  • Describe the key features
Lesson 2: Installing the PingDataSync Server
Summarize the PingDataSync server installation procedures:
  • Install the PingDataSync server
  • Use the start, stop, and restart commands
  • Describe the failover server
  • Install the failover server
  • Install the PingDataSync server
Lesson 3: Configuring the PingDataSync Server
Define and install the PingDataSync server components:
  • Define Sync Pipe components
  • Create the synchronization flow
  • Use the retry mechanism
  • Configure the PingDataSync server
  • Configure and synchronize the PingDataSync server
Lesson 4: Synchronizing the PingDataSync Server
Describe the features needed, in a relational database and AD, to allow synchronization through the PingDataSync server:
  • Synchronize with a relational database
  • Synchronize with AD
Chapter 5: Troubleshooting and Maintenance

Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.

Lesson 1: Providing an Overview of the Server SDK
Provide an overview of the Server SDK:
  • Describe the key features of the Server SDK
Lesson 2: Maintaining the PingDirectory Server
Summarize common PingDirectory maintenance tasks:
  • Use the start, stop, and restart server commands
  • Understand common maintenance tasks
  • Perform maintenance tasks
  • Understand Delegated Admin
  • Configure Delegated Admin
  • Administer Delegated Admin
  • Understand data recovery
  • Perform data recovery
Lesson 3: Monitoring a PingDirectory Deployment
Explain how monitoring is a vital part of a PingDirectory deployment:
  • Monitor the PingDirectory server
Lesson 4: Troubleshooting the PingDirectory Server
Provide information about available troubleshooting tools and log files to help ensure the resolution of any problems:
  • Understand how to troubleshoot issues
  • Repair a conflict resolution
  • Use troubleshooting tools


Apr 7
3 days
PA-400 BVP Rev A

PingAccess Administration

This course provides the information you need to set up and configure PingAccess as a policy server to protect both web applications and APIs. After completing this course, you will know how to configure PingAccess in both a gateway and agent model, and configure different types of policies that PingAccess offers.

Upon completion of this course, you should be able to:

  • Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate)
  • Configure PingAccess as a Reverse Proxy
  • Configure policies in PingAccess to further bolster administration capabilities

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Introduction to PingAccess
  • Getting Started With PingAccess
  • Introduction to PingFederate
  • Getting Started With PingFederate

Chapter 1: Configuring and Connecting PingAccess

Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate).

Lesson 1: Configuring PingAccess as a Reverse Proxy (Gateway Model)

Describe how to configure PingAccess as a reverse proxy (gateway model):

  • Introduce the gateway model
  • Enable PingAccess as a reverse proxy
  • Configure PingAccess resources and rewrite rules

Lesson 2: Connecting PingAccess to a Token Provider (PingFederate)

Describe the responsibilities of token providers and how to configure PingAccess to use PingFederate as a token provider:

  • Introduce token providers
  • Configure OAuth2 in PingFederate
  • Configure PingAccess using the gateway model

Chapter 2: Configuring PingAccess Applications, Agents, and Sites

Configure PingAccess as a Reverse Proxy.

Lesson 1: Protecting Web Apps

Describe how to protect web apps by configuring them with PingAccess and OpenID Connect (OIDC):

  • Define the OIDC protocol
  • Introduce web sessions
  • Create a web session using OIDC claims

Lesson 2: Working With Sites

Create identity mappings and advanced web sessions:

  • Create identity mappings and advanced web sessions

Lesson 3: Working With Rules and Policies

Describe how to work with rules and policies within PingAccess:

  • Describe the rules and policies process
  • Create web access rules
  • Create API access control rules

Chapter 3: Configuring Policies and Administration

Configure policies in PingAccess to further bolster administration capabilities.

Lesson 1: Maintaining PingAccess

Discuss how to maintain PingAccess through resources, audit logs, and redirection:

  • Dive deeper into resources
  • Examine audit logs
  • Manage redirection

Lesson 2: Configuring PingAccess as a Policy Server (Agent Model)

Configure PingAccess to be a policy server by implementing the agent model:

  • Introduce the agent model

Lesson 3: Optimizing and Configuring PingAccess

Optimize PingAccess through configuration, single sign-on (SSO), and the admin API:

  • Implement improvements
  • Enable PingAccess administrator SSO
  • Use the PingAccess administrative API
  • Increase the JVM Heap Size

Lesson 4: Creating PingAccess Clusters

Create PingAccess clusters to increase resilience and simplify procedures:

  • Deploy clusters
  • Configure simple clusters in PingAccess (Optional)
Apr 7
2 days
PA-400 BVP Rev A

PingAccess Administration

Apr 8
2 days
PD-400-BVP Rev A.1

PingDirectory Administration

Apr 8
3 days
P1DV-300-BVP Rev B

Getting Started With PingOne DaVinci

This course provides the foundation to design, build, and integrate identity orchestration flows using PingOne DaVinci (DaVinci). You will create user interactions, extend flows with APIs, and integrate these solutions into applications. You will also leverage core PingOne services like SSO, identity management, and analytics. Through hands-on labs and instruction, you will gain the skills to deploy real-world orchestration solutions with confidence.

Upon completion of this course, you should be able to:

  • Build basic user interactions with DaVinci flows
  • Integrate a DaVinci flow into an application
  • Integrate PingOne single sign-on (SSO) and identities in DaVinci flows
  • Build an authentication flow in DaVinci
  • Provide custom analytics in a DaVinci flow

The following are the prerequisites for successfully completing this course:

  • Basic understanding of JavaScript, HTML, CSS, and the PingOne Platform
  • Completion of the Introduction to PingOne DaVinci course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Chapter 1: Building Basic User Interactions With DaVinci Flows


Build basic user interactions with DaVinci flows.


Lesson 1: Defining the Basic Flow and Interaction Steps

Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Introduce the PingOne Platform and DaVinci
  • Access and launch the DaVinci admin console
  • Understand Flows
  • Build basic user interaction in a flow


Lesson 2: Using Functions and API Calls
Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Extend DaVinci flows
  • Verify the age of the user
  • Make an API call
  • Collect the user’s email and password
  • Implement a robot check
  • Document the flow


Lesson 3: Improving the User Experience
Use more advanced concepts in DaVinci to implement your flows:

  • Improve the UI
  • Convert user interactions to use HTML templates


Lesson 4: Using Variables and Form Validation

Expand further the functionality of your existing flow by using flow variables and improving interaction with the user:

  • Incorporate variables
  • Understand localizing flows
  • Use flow variables and form validation
  • Incorporate form validation
  • Improve form validation inputs
  • Troubleshoot issues


Lesson 5: Using Subflows to Manage Complexity
Externalize functionality that is often reused or complex to its own flow; for example, if the flow needed to connect to an API that isn’t available as a native connector, CRUD operations could be built in a new flow that could be leveraged by many:

  • Create and use subflows
  • Implement the subflow
  • Replace the API call with the subflow


Chapter 2: Integrating a DaVinci Flow Into an Application


Integrate a DaVinci flow into an application.


Lesson 1: Integrating an Application to Launch a Flow

Integrate the flow into a web application which allows the application to provide the CSS (look and feel). Other flows can also be integrated to enable a richer user experience:

  • Add a flow to a web application
  • Create and customize the application


Lesson 2: Using a CSS in Flows vs Applications
Review how CSS is leveraged in a flow vs an application, and determine the advantages of leaving the presentation layer controlled by your application rather than using a CSS in your flow:

  • Leverage a CSS
  • Determine how a custom CSS in a flow is embedded with a web application


Lesson 3: Adding a Flow to an Existing Application

Take the flow and integrate it into a web application:

  • Embed flows using the widget method
  • Import the DaVinci JavaScript library
  • Create a JavaScript method to call the flow


Lesson 4: Integrating Non-UI Flows

Explore how DaVinci can accelerate development when integrating with backend services and APIs, enriching the overall user experience:

  • Integrate a non-UI flow
  • Build out your flow
  • Integrate the flow


Lesson 5: Passing Data Into a Flow From an Application

Run through the process of passing data into a flow, whether it has user interaction or not:

  • Enable dynamic flows
  • Create and integrate a DaVinci subflow


Lesson 6: Performing A/B Testing

Define a flow that deals with age first, instead of name, during registration:

  • Understand A/B testing
  • Define a new flow
  • Incorporate flow policies
  • Build out a flow policy


Chapter 3: Integrating PingOne SSO and Identities in DaVinci Flows


Integrate PingOne SSO and identities in DaVinci flows.


Lesson 1: Setting Up Parallel Processing

Set up a flow that has two paths that execute in parallel and then come to their own conclusion:

  • Implement parallel processing
  • Leverage the PingOne Notification service


Lesson 2: Automating Flows With DaVinci Admin APIs

Learn how to manage DaVinci programmatically using the DaVinci Admin APIs:

  • Understand DaVinci Admin APIs
  • Explain administrator roles


Lesson 3: Creating Registered Accounts

Take the information collected during the registration process and create a user account in PingOne, which is the first step to expanding the capabilities of the application to support authentication:

  • Create registered accounts
  • Review your PingOne setup
  • Build out a new registration flow
  • Verify if an account already exists


Lesson 4: Verifying an Email Address

Establish a process to verify the email address of the user:

  • Configure email verification
  • Create an email verification subflow
  • Complete the subflow


Chapter 4: Building an Authentication Flow in DaVinci


Build an authentication flow in DaVinci.


Lesson 1: Handling Authentication

Handle authentication for the application:

  • Design and implement the authentication flow
  • Design the flow logic
  • Implement teleports for flow efficiency
  • Authenticate and validate user identity


Lesson 2: Handling Forgotten Passwords

Handle forgotten passwords in the authentication flow:

  • Manage password recovery flows
  • Develop the end-to-end forgot password flow


Lesson 3: Adding an Authentication Method

Add another method of authentication, an email magic link, for the users of the application:

  • Implement magic link authentication
  • Add a magic link authentication method


Chapter 5: Providing Custom Analytics in a DaVinci Flow


Provide custom analytics in a DaVinci flow.


Lesson 1: Leveraging Analytics to Monitor Flow Usage

Implement custom analytics to track key business milestones and user behavior across DaVinci flows:

  • Understand and apply flow analytics
  • Configure authentication analysis

Apr 12
3 days
PF-300-BVP Rev A

PingFederate Administration

This course implements various use cases with PingFederate and introduces industry concepts such as federation, SAML, and OAuth. The course also includes PingFederate-specific topics such as integration kits, adapters, SSO connections, and OAuth configuration. Hands-on exercises allow the participants to have first-hand experience in configuring PingFederate, establishing a web SSO connection and OAuth clients, and doing some basic troubleshooting.


The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingFederate course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Day 1: Background of Federation Web SSO and Core Product

  • Introduction to identity federation
  • Introduction to integration kits
  • Configuring SP and IdP adapters and password credential validators
    • Lab 1: HTML Form Adapter and Reference ID adapter configuration
  • Introduction to SAML
  • Configuring IdP and SP SSO connection
    • Lab 2: Creating connections for IdP and SP web SSO
  • Server logs
    • Lab 3: Review the server logs to follow an SSO transaction

Day 2: Further Integration and PingFederate Functionality

  • Attribute mapping and data source
    • Lab 4: Mapping attributes from external sources
    • Lab 5: Using an external source for authentication
  • Introduction to authentication policies
    • Lab 6: Creating authentication selectors, policy contracts, and authentication policies
    • Lab 7: Tracing SSO transactions in the PingFederate logs

Day 3: OAuth2 and Advanced Administration

  • Introduction to OAuth2
  • OAuth2 scopes and access tokens
    • Lab 8: Configuring OAuth2 grants (including token validation, authorization code)
    • Lab 9: Create an OAuth client for the client credentials grant type
    • Lab 10: Create an OAuth client for a resource server
    • Lab 11: Create an OAuth client for authorization grant type
  • Introduction to OIDC
  • PingFederate administrative API
    • Lab 12: Using the admin API
  • Server Administration 
  • Deployment scenarios and clustering
    • Lab 13 (optional): Configuring a cluster
Apr 12
3 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2-based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and Using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Apr 13
5 days
AIC-400-BVP Rev A

PingOne Advanced Identity Cloud Administration

This course builds upon the Getting Started With PingOne Advanced Identity Cloud for Administrators training to provide advanced techniques for managing and configuring PingOne Advanced Identity Cloud (Advanced Identity Cloud). Students will master advanced authentication journeys with multi-factor authentication (MFA), implement context-based authorization policies, and learn to model complex identity objects with relationships between managed objects. The course covers essential synchronization techniques, including connector configuration, reconciliation, LiveSync, and role-based provisioning to manage identity flow between Advanced Identity Cloud and external resources. Participants will gain hands-on experience with the REST API for programmatic access to identity management features, enabling automation and integration with external systems. Through practical exercises, students will learn to deploy and configure PingGateway to protect websites, implement continuous contextual authorization, and create comprehensive identity management solutions.


Upon completion of this course, you should be able to:

  • Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway
  • Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization
  • Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration
  • Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning
  • Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically

The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course available at: https://backstage.pingidentity.com/university/
  • Experience with Identity and Access Management
  • Working knowledge of REST communication
Chapter 1: Administering Authentication Journeys

Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway.

Lesson 1: (Recap) Exploring Authentication in Advanced Identity Cloud
Provide a recap of authentication in Advanced Identity Cloud:
  • Introduce the basic concepts of authentication
  • Prepare the lab environment
  • Describe the authentication mechanisms of Advanced Identity Cloud
  • Examine Advanced Identity Cloud default authentication
  • Create and manage journeys
  • Explore journey nodes
  • Create a login journey
  • Test the login journey
Lesson 2: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement TOTP authentication
  • Examine Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
Lesson 3: Modifying a User’s Journey Based on Context
Describe how Advanced Identity Cloud can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • (Optional) Implement account lockout
Lesson 4: Protecting a Website With PingGateway
Show how PingGateway, integrated with Advanced Identity Cloud, can protect a website:
  • Present Advanced Identity Cloud edge clients
  • Describe PingGateway functionality as an edge client
  • Review the BXE website protected by PingGateway
  • Integrate the BXE website with Advanced Identity Cloud
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
Chapter 2: Administering Authorization Policies

Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization.

Lesson 1: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with Advanced Identity Cloud authorization
  • Define Advanced Identity Cloud policy components
  • Define policy environment conditions and response attributes
  • Describe the process of Advanced Identity Cloud policy evaluation
  • Implement access control on a website
Lesson 2: Checking Risk Continuously
Review the Advanced Identity Cloud tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • (Optional) Prevent users from bypassing the default journey
Chapter 3: Administering Managed Objects

Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration.

Lesson 1: Modeling an Identity Profile
Learn about the different object types in Advanced Identity Cloud, and how you can model a custom user profile onto an existing managed user object type in Advanced Identity Cloud:
  • Review the Advanced Identity Cloud documentation
  • Describe the different object types in Advanced Identity Cloud
  • Map an identity object to a managed object
  • Describe how to use placeholder attributes
  • Model a managed user object in Advanced Identity Cloud
Lesson 2: Introducing Relationships
Describe relationships between managed objects:
  • Describe the purpose of relationships
  • Describe how relationships are stored in the schema
  • Query an object relationship using the REST interface
Lesson 3: Managing Organizations
Set up managed organizations to delegate user administration based on the owner of hierarchical trees:
  • Describe the roles and privileges within an organization
  • Implement the organization example
Chapter 4: Administering Connectors, Synchronization, and Provisioning

Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning.

Lesson 1: Connecting to External Resources Using Connectors
Describe the connectors supported in Advanced Identity Cloud, and how to create connector configurations to communicate with external resources:
  • Describe how to connect external resources to Advanced Identity Cloud
  • Configure communication between Advanced Identity Cloud and a remote connector server (RCS)
  • Describe how to connect to external resources using ICF connectors
Lesson 2: Configuring Connectors Over the Identity Management Admin UI
  • Describe the process for creating a connector configuration using the Identity Management admin UI
  • Describe the object types and property mappings
  • Add a connector configuration for an external LDAP resource
Lesson 3: Performing Basic Synchronization
Describe how to use the Identity Management admin UI to create synchronization mappings (sync mappings) to reconcile identities between Advanced Identity Cloud and an external resource:
  • Describe how to create mappings to synchronize identity objects and properties
  • Describe how to create a sync mapping from Advanced Identity Cloud to an external resource
  • Describe how to add source and target properties to the sync mapping
  • Describe how to add a correlation query and a situational event script
  • Describe how to set the situational behaviors and run reconciliation
  • Add a sync mapping from Advanced Identity Cloud to an LDAP server
  • Describe the sync mapping from an LDAP server to Advanced Identity Cloud
  • Add a sync mapping from an LDAP server to Advanced Identity Cloud
Lesson 4: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:
  • Describe the different methods that you can use to filter entries
  • Run selective synchronization using filters
  • Describe how to use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Describe how to schedule LiveSync
  • Schedule LiveSync with an external resource
Lesson 5: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:
  • Describe how to provision attributes to a target system based on static role assignments
  • Describe the steps to enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Describe how to provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Describe how to add temporal constraints to a role
  • Add temporal constraints to a role
Chapter 5: Access Advanced Identity Cloud Over REST

Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically.

Lesson 1: Authenticating Over REST
Use Postman to access the Advanced Identity Cloud REST API and authenticate either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callback:
  • Understand the REST authentication protocol
  • Authenticate with REST
  • Authenticate using header-based simple authentication
  • Authenticate using callback-based complex authentication

Lesson 2: Querying Advanced Identity Cloud Objects Over REST
Create security policies to control which users can access specific areas of the website:
  • Describe how to query objects using the REST interface
  • Describe how to use the Advanced Identity Cloud Postman collection
  • Query Advanced Identity Cloud Identity objects using Postman
Apr 13
3 days
PIDM-400 BVP Rev A

PingIDM Administration

Learn how to install and deploy PingIDM (IDM) in an on-prem or self-managed cloud environment to manage the lifecycle and relationship of digital identities. Topics include how to model identity objects in IDM, create connector configurations and synchronization mappings to manage the flow of identity objects and properties with various external identity resources, manage workflows, and deploy IDM within a cluster. This course explores the identity management-related features in depth, how they work, and the configuration options available during implementation.

Note: Revision A of this course is based on version 8.0.1 of PingIDM.

Upon completion of this course, you should be able to:

  • Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM
  • Create and configure connections between external resources and IDM
  • Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store
  • Install and deploy IDM in an on-prem or cloud provider Linux environment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingIDM Essentials course available at: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Basic knowledge and skills using the Linux operating system will be required to complete the labs.
  • Basic knowledge of JSON, JavaScript, REST, Java, Groovy, SQL and LDAP would be helpful for understanding the examples; however, programming experience is not required.

Chapter 1: Building and Configuring the Prerequisites

Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM.

Lesson 1: Setting Up the Lab
Provide an overview of how to set up the lab environment:

  • Install IDM
  • Explore the auxiliary software

Lesson 2: Modeling Objects and Identities
Describe how to model objects and identities via REST:

  • Introduce the Postman collection
  • Run the Postman collection

Lesson 3: Setting Up the End-User UI
Describe how to configure the end-user UI:

  • Install and configure the end-user UI
  • Retrieve, compile and deploy the end-user UI
  • Access the end-user UI

Chapter 2: Managing Connectors

Create and configure connections between external resources and IDM.

Lesson 1: Configuring Connectors With the IDM Admin UI
Create a connector configuration to connect to an external resource using the IDM admin UI:

  • Connect external resources to IDM
  • Create a connector configuration using the IDM admin UI
  • Add a connector configuration for an external LDAP resource
  • Add a CSV connector configuration
  • Add a connector configuration to import device identities

Lesson 2: Configuring Connectors Over REST
Create a connector configuration in IDM over the REST interface:

  • Create a connector configuration over REST
  • Describe the core connector configuration settings
  • Describe the object types and property mappings
  • Use the scripted SQL connector
  • Create a scripted SQL connector configuration

Chapter 3: Managing Synchronization and Reconciliation

Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store.

Lesson 1: Performing Basic Synchronization
Describe how to use the IDM admin UI to create sync mappings to reconcile identities between IDM and an external resource:

  • Create mappings to synchronize identity objects and properties
  • Create a sync mapping from IDM to an external resource
  • Add source and target properties to the sync mapping
  • Add a correlation query and a situational event script
  • Set the situational behaviors and run reconciliation
  • Add a sync mapping from IDM to an LDAP server
  • Describe the sync mapping from an LDAP server to IDM
  • Add a sync mapping from an LDAP server to IDM
  • Create a sync mapping to provision devices to the IDM repository

Lesson 2: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:

  • Filter entries
  • Run selective synchronization using filters
  • Use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Schedule LiveSync
  • Schedule LiveSync with an external resource
  • Control synchronization to multiple targets

Lesson 3: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:

  • Provision attributes to a target system based on static role assignments
  • Enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Add temporal constraints to a role
  • Set temporal constraints on a role

Lesson 4: Configuring a Custom Endpoint
Describe how to configure a custom endpoint:

  • Use a custom endpoint
  • Create a custom endpoint (optional)

Chapter 4: Installing and Deploying IDM

Install and deploy IDM in an on-prem or cloud provider Linux environment.

Lesson 1: Installing an IDM instance
Install a stand-alone IDM instance for development and test the IDM sample configurations:

  • Describe the basic IDM installation requirements
  • Install and start IDM
  • Install IDM
  • Select MariaDB as a backend repository
  • Describe how to start IDM with a sample configuration
  • Start IDM with a sample configuration
  • Describe how to configure IDM to run as a background process or service
  • Configure IDM to run as a background process

Lesson 2: Monitoring and Troubleshooting
Describe how to set up monitoring and perform basic troubleshooting:

  • Describe the monitoring options available for IDM
  • Set up monitoring in IDM
  • Describe the different IDM log files
  • Examine the different log files in IDM (optional)

Lesson 3: Managing Passwords
Describe how to set up and fine-tune password policies and synchronizations in an IDM deployment:

  • Describe password policies in IDM
  • Set up password policies in IDM
  • Describe password synchronization from DS into IDM
  • Set up password synchronization from DS into IDM
Apr 13
3 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2-based protocols, namely OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization Code grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods, creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in Google Kubernetes Engine (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Apr 13
5 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement protocols based on OAuth 2.0 (OAuth2), namely OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2-based protocols, namely OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization Code grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods, creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in Google Kubernetes Engine (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Apr 13
5 days
AM-421-BVP Rev B.3

PingAM: Customization and APIs

This course provides a hands-on technical introduction to the APIs and customization use cases of PingAM (AM), formerly known as ForgeRock® Access Management. Students examine AM extension points and gain the skills required to extend and integrate an AM deployment in a real-world context. Additionally, students learn to implement various clients that communicate with AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.


Note: This course revision is based on version 7.3 of PingAM.


Upon completion of this course, you should be able to:

  • Describe the PingAM (AM) configuration architecture at a high level
  • Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node
  • Explore how to use the PingAM (AM) authorization policy sets, policies, and policy evaluation, and create custom policy conditions with Java and scripts
  • Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees
  • Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement OpenID Connect (OIDC) claims by using the scripting API

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required.
Chapter 1: Introducing Customization in PingAM


This chapter provides a high-level overview of the PingAM (AM) configuration architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended.

Lesson 1: Using Extension (Customization) Points
Describe a high-level overview of the AM architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended:
  • List extension (customization) points of AM
  • List customizable AM components
  • Quiz questions
  • Access the lab environment
  • Manage the course application components
Chapter 2: Customizing Authentication

Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node.


Lesson 1: Authentication With Trees and Nodes: An Introduction
Introduce authentication trees and nodes and how to configure an authentication tree:
  • Understand how AM performs authentication
  • Describe AM authentication trees and nodes
  • Compare tree and chain mechanisms
  • Quiz questions
  • Create an authentication tree with default nodes
  • Test the authentication tree
Lesson 2: Customizing Authentication Trees and Nodes
Prepare a coding build environment and generate a custom authentication node using a Maven archetype:
  • Describe custom authentication nodes
  • Prepare a build environment
  • Generate a custom node with a Maven archetype
  • List custom node classes
  • Customize node outcomes
  • Deploy the custom node
  • Modify custom node configuration and logic
  • Post-authentication hooks for trees
  • Quiz questions
  • Create initial custom authentication node source files
  • Modify the custom node’s implementation to be dynamic
  • Deploy and test the custom authentication node
  • Test the authentication tree with the custom node
Lesson 3: Developing Scripts With the Scripting API
Introduce scripting, how scripts work, what they can be used for, and how they can be managed through the AM admin UI:
  • Understand the basic concepts of scripting
  • Understand the scripting environment and the scripting API
  • Use the AM admin UI to manage scripts
  • Use the REST API to manage scripts
  • Develop client and server scripts
  • Use decision scripted authentication nodes in trees
  • Quiz questions
  • Explore client-side scripting with authentication nodes
  • Create an authentication tree with client-side and server-side scripts
  • Write a server-side script that uses a REST API request
Lesson 4: Migrating Authentication Modules to Trees and Nodes
Describe the design and implementation issues when migrating authentication modules to trees and nodes:
  • Describe design principles for trees and nodes
  • List design and implementation steps
  • Choose node types
  • Map files from modules to nodes
  • Authentication modules as nodes
  • Migrate an LDAP chain to a tree
  • Migrate post-authentication plugins
  • Handle logout notifications
  • Configure redirection URLs
  • Implement account lockout
  • Link a chain to a tree and return custom failure messages
  • Quiz questions
  • Reference an article about migrating chains to trees
Chapter 3: Customizing Authorization

Explore how to use the PingAM (AM) authorization policy sets, policies, and policy evaluation, and create custom policy conditions with Java and scripts.


Lesson 1: Customizing Authorization
Explore the AM authorization framework and the concepts central to it, such as policy sets (applications), policies, and the policy evaluation flow:
  • Understand the policy concepts in AM
  • Identify the situation when a custom condition is needed
  • Customize policy evaluation with a plugin and an Entitlement Condition class
  • Implement a scripted condition
  • Quiz questions
  • Explore the ContactList REST APIs and policy design
  • Create resource types and a policy set
  • Write a policy condition checking for maintenance mode
  • Modify the policy condition script to provide additional information
Chapter 4: Customizing With REST Clients

Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees.

Lesson 1: Using the REST API
Introduce the AM REST services and the Common REST API, how to invoke REST services from a JavaScript application, and how to configure CORS in AM:
  • Describe AM REST API services and the Common REST API
  • Understand the Common REST API
  • Explore REST API sorting, versioning, and status codes
  • Use AM services from a browser-based application
  • Enable CORS
  • Quiz questions
  • Study the ContactList application architecture
  • Configure the CORS filter in AM
  • Create a login service that uses AM authentication
Lesson 2: Authenticating With REST
Implement authentication and logout in a client application with the AM REST API either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
  • Review authentication and introduce RESTful authentication
  • Implement authentication with the simple REST API
  • Implement authentication with the full REST API
  • Describe callback types available in AM
  • Handle session upgrade and logout with the REST API
  • Implement RESTful token and session management
  • Use REST to manage identities
  • Manage realms with the REST API
  • Lesson quiz
  • Implement a fully functional AM-based authentication in ContactList
  • Modify the login service to use the authentication tree
Lesson 3: Working With RESTful User Self-Service APIs
Discuss how a browser-based application can use the self-service API to perform operations on behalf of the user such as registration, password reset, and displaying the user dashboard:
  • Describe the self-service REST API
  • Configure AM for self-service
  • Implement password reset with REST
  • Self-register a user via REST
  • Lesson quiz
  • Prepare AM for the password reset functionality
  • Examine the password reset protocol
  • Extend ContactList with a password reset feature
Lesson 4: Authorizing With REST
Demonstrate how the AM REST API policy management and evaluation works, and how it can be utilized to protect resources that are either actual URLs or other entities like actions:
  • Understand how to use the policy engine to protect resources other than URLs
  • Describe the policy management REST API
  • Describe the policy evaluator REST API
  • Implement fine-grained authorization using policies and the REST API
  • Lesson quiz
  • Prepare AM for ContactList authorization
  • Extend the backend to use the authorization REST API
  • Extend the front-end application to use AM
Chapter 5: Federating With OAuth2

Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement OpenID Connect (OIDC) claims by using the scripting API.

Lesson 1: Implementing OAuth2 Custom Scopes
Discuss how PingAM (AM) supports the standard OAuth2 and OIDC protocols, including JSON Web Tokens (JWT):
  • Understand OAuth2 and use its HTTP endpoints
  • Examine the flow of the OAuth2 Authorization Code grant type
  • Understand OIDC and use its HTTP endpoints
  • Examine the flow of the OIDC Authorization Code grant type
  • Understand the scope validation mechanism and customize its default behavior
  • Use the Scripting API to customize the handling of OIDC claims
  • Set up the OAuth2/OIDC service in AM
  • Study and complete the ContactListTokenResponseTypeHandler code
  • Enable OAuth2 federation in the ContactList front-end
  • Turn ContactList RESTful backend into an OAuth2 resource server
Apr 13
5 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement protocols based on OAuth 2.0 (OAuth2), namely OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2-based protocols, namely OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Apr 13
5 days
P1DV-300-BVP Rev B

Getting Started With PingOne DaVinci

This course provides the foundation to design, build, and integrate identity orchestration flows using PingOne DaVinci (DaVinci). You will create user interactions, extend flows with APIs, and integrate these solutions into applications. You will also leverage core PingOne services like SSO, identity management, and analytics. Through hands-on labs and instruction, you will gain the skills to deploy real-world orchestration solutions with confidence.

Upon completion of this course, you should be able to:

  • Build basic user interactions with DaVinci flows
  • Integrate a DaVinci flow into an application
  • Integrate PingOne single sign-on (SSO) and identities in DaVinci flows
  • Build an authentication flow in DaVinci
  • Provide custom analytics in a DaVinci flow

The following are the prerequisites for successfully completing this course:

  • Basic understanding of JavaScript, HTML, CSS, and the PingOne Platform
  • Completion of the Introduction to PingOne DaVinci course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Chapter 1: Building Basic User Interactions With DaVinci Flows


Build basic user interactions with DaVinci flows.


Lesson 1: Defining the Basic Flow and Interaction Steps

Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Introduce the PingOne Platform and DaVinci
  • Access and launch the DaVinci admin console
  • Understand Flows
  • Build basic user interaction in a flow


Lesson 2: Using Functions and API Calls
Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Extend DaVinci flows
  • Verify the age of the user
  • Make an API call
  • Collect the user’s email and password
  • Implement a robot check
  • Document the flow


Lesson 3: Improving the User Experience
Use more advanced concepts in DaVinci to implement your flows:

  • Improve the UI
  • Convert user interactions to use HTML templates


Lesson 4: Using Variables and Form Validation

Expand further the functionality of your existing flow by using flow variables and improving interaction with the user:

  • Incorporate variables
  • Understand localizing flows
  • Use flow variables and form validation
  • Incorporate form validation
  • Improve form validation inputs
  • Troubleshoot issues


Lesson 5: Using Subflows to Manage Complexity
Externalize functionality that is often reused or complex to its own flow; for example, if the flow needed to connect to an API that isn’t available as a native connector, CRUD operations could be built in a new flow that could be leveraged by many:

  • Create and use subflows
  • Implement the subflow
  • Replace the API call with the subflow


Chapter 2: Integrating a DaVinci Flow Into an Application


Integrate a DaVinci flow into an application.


Lesson 1: Integrating an Application to Launch a Flow

Integrate the flow into a web application which allows the application to provide the CSS (look and feel). Other flows can also be integrated to enable a richer user experience:

  • Add a flow to a web application
  • Create and customize the application


Lesson 2: Using a CSS in Flows vs Applications
Review how CSS is leveraged in a flow vs an application, and determine the advantages of leaving the presentation layer controlled by your application rather than using a CSS in your flow:

  • Leverage a CSS
  • Determine how a custom CSS in a flow is embedded with a web application


Lesson 3: Adding a Flow to an Existing Application

Take the flow and integrate it into a web application:

  • Embed flows using the widget method
  • Import the DaVinci JavaScript library
  • Create a JavaScript method to call the flow


Lesson 4: Integrating Non-UI Flows

Explore how DaVinci can accelerate development when integrating with backend services and APIs, enriching the overall user experience:

  • Integrate a non-UI flow
  • Build out your flow
  • Integrate the flow


Lesson 5: Passing Data Into a Flow From an Application

Run through the process of passing data into a flow, whether it has user interaction or not:

  • Enable dynamic flows
  • Create and integrate a DaVinci subflow


Lesson 6: Performing A/B Testing

Define a flow that deals with age first, instead of name, during registration:

  • Understand A/B testing
  • Define a new flow
  • Incorporate flow policies
  • Build out a flow policy


Chapter 3: Integrating PingOne SSO and Identities in DaVinci Flows


Integrate PingOne SSO and identities in DaVinci flows.


Lesson 1: Setting Up Parallel Processing

Set up a flow that has two paths that execute in parallel and then come to their own conclusion:

  • Implement parallel processing
  • Leverage the PingOne Notification service


Lesson 2: Automating Flows With DaVinci Admin APIs

Learn how to manage DaVinci programmatically using the DaVinci Admin APIs:

  • Understand DaVinci Admin APIs
  • Explain administrator roles


Lesson 3: Creating Registered Accounts

Take the information collected during the registration process and create a user account in PingOne, which is the first step to expanding the capabilities of the application to support authentication:

  • Create registered accounts
  • Review your PingOne setup
  • Build out a new registration flow
  • Verify if an account already exists


Lesson 4: Verifying an Email Address

Establish a process to verify the email address of the user:

  • Configure email verification
  • Create an email verification subflow
  • Complete the subflow


Chapter 4: Building an Authentication Flow in DaVinci


Build an authentication flow in DaVinci.


Lesson 1: Handling Authentication

Handle authentication for the application:

  • Design and implement the authentication flow
  • Design the flow logic
  • Implement teleports for flow efficiency
  • Authenticate and validate user identity


Lesson 2: Handling Forgotten Passwords

Handle forgotten passwords in the authentication flow:

  • Manage password recovery flows
  • Develop the end-to-end forgot password flow


Lesson 3: Adding an Authentication Method

Add another method of authentication, an email magic link, for the users of the application:

  • Implement magic link authentication
  • Add a magic link authentication method


Chapter 5: Providing Custom Analytics in a DaVinci Flow


Provide custom analytics in a DaVinci flow.


Lesson 1: Leveraging Analytics to Monitor Flow Usage

Implement custom analytics to track key business milestones and user behavior across DaVinci flows:

  • Understand and apply flow analytics
  • Configure authentication analysis

Apr 15
3 days
PDS-400-BVP Rev A

PingDS Administration

This course is designed to provide students with the knowledge and concepts necessary to install, configure, and maintain a PingDS (DS), formerly known as ForgeRock® Directory Services, deployment.

Note: Revision A of this course is based on version 8.0.0 of DS.


Upon completion of this course, you should be able to:

  • Understand how to deploy directory servers and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin
  • Measure performance, tune, and troubleshoot DS
  • Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services

The following are the prerequisites for successfully completing this course:

  • Knowledge of Lightweight Directory Access Protocol (LDAP).
  • An understanding of how directory servers function.
  • An understanding of REST and HTTP.
  • Knowledge of UNIX/Linux commands.
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required.

  • Completion of the PDS-100: Introduction to PingDS and PDS-330: Getting Started with PingDS on-demand courses.

Chapter 1: Deploying Directory Services

Understand how to deploy directory servers and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin.

Lesson 1: Installing Directory Servers
Install directory servers for custom and Ping Identity Platform (Identity Platform) product deployments:
  • Prepare for a directory server installation
  • Access your lab environment
  • Prepare the lab environment
  • Install a directory server
  • Prepare directory servers for Identity Platform installations
  • Set up directory servers for AM
  • Set up a directory server as an IDM repository
  • Synchronize passwords with IDM
  • Configure password synchronization

Lesson 2: Replicating Data

Implement high availability for directory servers and maintain, monitor, and restore a replicated directory server topology:
  • Plan for replication
  • Install a replicated topology
  • Manage a replicated topology
  • Monitor and maintain replication
Lesson 3: Upgrading DS Servers
Prepare for and perform an upgrade of directory servers in a DS 7 replicated topology to DS 8:
  • Describe upgrade options
  • Upgrade DS 7 servers to DS 8
Lesson 4: Installing DS Directory Proxy
Understand the role of DS directory proxy and install DS directory proxy to provide a single point of entry to directory servers:
  • Introduce DS directory proxy
  • Install DS directory proxy
  • Provide a single point of access to replicas
Chapter 2: Tuning and Troubleshooting DS

Measure performance, tune, and troubleshoot DS.

Lesson 1: Measuring Performance
Understand performance requirements and settings that may be tuned to improve directory server performance:
  • Explain settings that affect performance
  • Prepare the lab environment
  • Tune the JE DB cache and generate performance tests
Lesson 2: Troubleshooting
Configure log files, collect troubleshooting data for Support, and monitor a DS deployment with Prometheus and Grafana:
  • Explain how to collect data for support
  • Collect data for support
  • Explore log files
  • Manage log files
  • Monitor a DS deployment
  • Observe monitoring metrics
Chapter 3: Accessing PingDS over HTTP(S)

Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services.

Lesson 1: Introducing HDAP
Access directory servers and perform operations over HTTP(S):
  • Describe REST-based HTTP access
  • Prepare the lab environment
  • Examine HTTP and HDAP configuration properties
  • Verify HDAP authentication
  • Explain HDAP operations
  • Manage resources with HDAP
Lesson 2: Using Account Management Actions
Manage passwords and display account usability information and resource schema:
  • Manage passwords
  • Update passwords
  • View JSON Schema
  • Get JSON schema
Apr 15
3 days
AIC-330-BVP Rev A

Getting Started With PingOne Advanced Identity Cloud for Administrators

This course shows students how to administer PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud. This is achieved through the various online resources available to them and a fully functional hands-on development environment, where they learn how to administer Advanced Identity Cloud in a training environment. Students are provided with a live Advanced Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, user journeys, and tenant configuration in their own Advanced Identity Cloud.

Upon completion of this course, you should be able to:

  • Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options
  • Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords
  • Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator
  • Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how Identity Gateway can protect web applications when it is integrated with Advanced Identity Cloud
  • Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants

The following are the prerequisites for successfully completing this course:

  • Completion of the Product Essentials courses available at: https://backstage.forgerock.com/university/cloud-learning
  • Introduction to PingAM
  • PingIDM Essentials
  • PingGateway Essentials
  • Introduction to PingDS
Chapter 1: Accessing Advanced Identity Cloud

Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options.

Lesson 1: Managing Administrators
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
  • Introduce the Advanced Identity Cloud admin UI
  • Manage administrators
  • Invite an administrator
Lesson 2: Introducing UI Integration
Understand UI integration options:
  • Explain UI integration options
  • Configure themes for the Alpha and Bravo realms

Chapter 2: Administering Identities

Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords.

Lesson 1: Managing Identities
Manage user identities:
  • Introduce managed objects
  • Manage a user profile
Lesson 2: Adding Identities With Bulk Import
Bulk import user identities from a CSV file to add test users to your tenant:
  • Describe bulk import
  • Import test users
Lesson 3: Managing Organizations
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
  • Describe roles and privileges within an organization
  • Implement delegated administration for an organization model
Lesson 4: Delegating User Management
Explain how to delegate administration privileges to managed users:
  • Delegate administration privileges
  • Delegate password reset
Chapter 3: Managing User Journeys

Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator.

Lesson 1: Managing Journeys
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
  • Introduce journeys
  • Modify journeys
  • Describe how to export and import journeys
  • Export and import journeys
  • Describe how to debug a journey
  • Enable debug mode on a user journey
Lesson 2: Managing Server-Side Sessions
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
  • Describe server-side sessions
  • Invalidate server-side sessions
Lesson 3: Configuring Email Templates
Understand the use of email templates in a journey flow:
  • Explore email templates and nodes
  • Configure email templates
  • Use email templates in user journeys
Chapter 4: Integrating With Advanced Identity Cloud

Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how PingGateway can protect web applications when it is integrated with Advanced Identity Cloud.

Lesson 1: Defining Applications
Describe the role of an application in Advanced Identity Cloud:
  • Introduce applications
  • Register a Bookmark app
Lesson 2: Synchronizing Identities
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
  • Explain how to connect to external resources
  • Configure an RCS cluster
  • Configure debug logging
  • Add an authoritative application
  • Explain synchronization
  • Create inbound mappings and run reconciliation
  • Synchronize passwords
  • Create a target Application with outbound mappings
Lesson 3: Protecting Web Resources
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
  • Introduce PingGateway
  • Integrate PingGateway with Advanced Identity Cloud
  • Integrate the PingGateway sample application with Advanced Identity Cloud
Chapter 5: Administering Your Tenant

Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants.

Lesson 1: Managing the Configuration
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
  • Introduce Service Accounts
  • Create and manage a service account
  • Introduce the Advanced Identity Cloud REST API
  • Display Advanced Identity Cloud identities using the REST API
  • Introduce configuration management
  • Create a baseline configuration repository
  • Describe how to manage ESVs
  • Create and call ESV variables
  • Promote your configuration
Lesson 2: Monitoring Tenant Activities
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
  • Explore Logs
  • Retrieve log data using the REST API
  • Retrieve log data using the Frodo CLI
  • Monitor your tenant
  • Monitor tenant health and visualize monitoring metrics
  • Explore the Advanced Identity Cloud analytics dashboard
Lesson 3: Managing Password Policies
Explain how an Advanced Identity Cloud administrator manages realm password policies:
  • Manage realm password policies
  • Configure password policies
Lesson 4: Additional Administration Tasks
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
  • Introduce outbound static IP addresses
  • View outbound static IP addresses
  • Manage tenant certificates
  • Add a custom domain name
Apr 15
3 days
AIC-330-BVP Rev A

Getting Started With PingOne Advanced Identity Cloud for Administrators

This course shows students how to administer PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud. This is achieved through the various online resources available to them and a fully functional hands-on development environment, where they learn how to administer Advanced Identity Cloud in a training environment. Students are provided with a live Advanced Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, user journeys, and tenant configuration in their own Advanced Identity Cloud.

Upon completion of this course, you should be able to:

  • Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options
  • Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords
  • Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator
  • Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how Identity Gateway can protect web applications when it is integrated with Advanced Identity Cloud
  • Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants

The following are the prerequisites for successfully completing this course:

  • Completion of the Product Essentials courses available at: https://backstage.forgerock.com/university/cloud-learning
  • Introduction to PingAM
  • PingIDM Essentials
  • PingGateway Essentials
  • Introduction to PingDS
Chapter 1: Accessing Advanced Identity Cloud

Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options.

Lesson 1: Managing Administrators
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
  • Introduce the Advanced Identity Cloud admin UI
  • Manage administrators
  • Invite an administrator
Lesson 2: Introducing UI Integration
Understand UI integration options:
  • Explain UI integration options
  • Configure themes for the Alpha and Bravo realms

Chapter 2: Administering Identities

Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords.

Lesson 1: Managing Identities
Manage user identities:
  • Introduce managed objects
  • Manage a user profile
Lesson 2: Adding Identities With Bulk Import
Bulk import user identities from a CSV file to add test users to your tenant:
  • Describe bulk import
  • Import test users
Lesson 3: Managing Organizations
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
  • Describe roles and privileges within an organization
  • Implement delegated administration for an organization model
Lesson 4: Delegating User Management
Explain how to delegate administration privileges to managed users:
  • Delegate administration privileges
  • Delegate password reset
Chapter 3: Managing User Journeys

Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator.

Lesson 1: Managing Journeys
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
  • Introduce journeys
  • Modify journeys
  • Describe how to export and import journeys
  • Export and import journeys
  • Describe how to debug a journey
  • Enable debug mode on a user journey
Lesson 2: Managing Server-Side Sessions
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
  • Describe server-side sessions
  • Invalidate server-side sessions
Lesson 3: Configuring Email Templates
Understand the use of email templates in a journey flow:
  • Explore email templates and nodes
  • Configure email templates
  • Use email templates in user journeys
Chapter 4: Integrating With Advanced Identity Cloud

Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how PingGateway can protect web applications when it is integrated with Advanced Identity Cloud.

Lesson 1: Defining Applications
Describe the role of an application in Advanced Identity Cloud:
  • Introduce applications
  • Register a Bookmark app
Lesson 2: Synchronizing Identities
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
  • Explain how to connect to external resources
  • Configure an RCS cluster
  • Configure debug logging
  • Add an authoritative application
  • Explain synchronization
  • Create inbound mappings and run reconciliation
  • Synchronize passwords
  • Create a target Application with outbound mappings
Lesson 3: Protecting Web Resources
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
  • Introduce PingGateway
  • Integrate PingGateway with Advanced Identity Cloud
  • Integrate the PingGateway sample application with Advanced Identity Cloud
Chapter 5: Administering Your Tenant

Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants.

Lesson 1: Managing the Configuration
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
  • Introduce Service Accounts
  • Create and manage a service account
  • Introduce the Advanced Identity Cloud REST API
  • Display Advanced Identity Cloud identities using the REST API
  • Introduce configuration management
  • Create a baseline configuration repository
  • Describe how to manage ESVs
  • Create and call ESV variables
  • Promote your configuration
Lesson 2: Monitoring Tenant Activities
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
  • Explore Logs
  • Retrieve log data using the REST API
  • Retrieve log data using the Frodo CLI
  • Monitor your tenant
  • Monitor tenant health and visualize monitoring metrics
  • Explore the Advanced Identity Cloud analytics dashboard
Lesson 3: Managing Password Policies
Explain how an Advanced Identity Cloud administrator manages realm password policies:
  • Manage realm password policies
  • Configure password policies
Lesson 4: Additional Administration Tasks
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
  • Introduce outbound static IP addresses
  • View outbound static IP addresses
  • Manage tenant certificates
  • Add a custom domain name
Apr 20
3 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Apr 20
5 days
AIC-330-BVP Rev A

Getting Started With PingOne Advanced Identity Cloud for Administrators

This course shows students how to administer PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud. This is achieved through the various online resources available to them and a fully functional hands-on development environment, where they learn how to administer Advanced Identity Cloud in a training environment. Students are provided with a live Advanced Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, user journeys, and tenant configuration in their own Advanced Identity Cloud.

Upon completion of this course, you should be able to:

  • Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options
  • Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords
  • Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator
  • Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how Identity Gateway can protect web applications when it is integrated with Advanced Identity Cloud
  • Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants

The following are the prerequisites for successfully completing this course:

  • Completion of the Product Essentials courses available at: https://backstage.forgerock.com/university/cloud-learning
  • Introduction to PingAM
  • PingIDM Essentials
  • PingGateway Essentials
  • Introduction to PingDS
Chapter 1: Accessing Advanced Identity Cloud

Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options.

Lesson 1: Managing Administrators
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
  • Introduce the Advanced Identity Cloud admin UI
  • Manage administrators
  • Invite an administrator
Lesson 2: Introducing UI Integration
Understand UI integration options:
  • Explain UI integration options
  • Configure themes for the Alpha and Bravo realms

Chapter 2: Administering Identities

Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords.

Lesson 1: Managing Identities
Manage user identities:
  • Introduce managed objects
  • Manage a user profile
Lesson 2: Adding Identities With Bulk Import
Bulk import user identities from a CSV file to add test users to your tenant:
  • Describe bulk import
  • Import test users
Lesson 3: Managing Organizations
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
  • Describe roles and privileges within an organization
  • Implement delegated administration for an organization model
Lesson 4: Delegating User Management
Explain how to delegate administration privileges to managed users:
  • Delegate administration privileges
  • Delegate password reset
Chapter 3: Managing User Journeys

Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator.

Lesson 1: Managing Journeys
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
  • Introduce journeys
  • Modify journeys
  • Describe how to export and import journeys
  • Export and import journeys
  • Describe how to debug a journey
  • Enable debug mode on a user journey
Lesson 2: Managing Server-Side Sessions
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
  • Describe server-side sessions
  • Invalidate server-side sessions
Lesson 3: Configuring Email Templates
Understand the use of email templates in a journey flow:
  • Explore email templates and nodes
  • Configure email templates
  • Use email templates in user journeys
Chapter 4: Integrating With Advanced Identity Cloud

Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how PingGateway can protect web applications when it is integrated with Advanced Identity Cloud.

Lesson 1: Defining Applications
Describe the role of an application in Advanced Identity Cloud:
  • Introduce applications
  • Register a Bookmark app
Lesson 2: Synchronizing Identities
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
  • Explain how to connect to external resources
  • Configure an RCS cluster
  • Configure debug logging
  • Add an authoritative application
  • Explain synchronization
  • Create inbound mappings and run reconciliation
  • Synchronize passwords
  • Create a target Application with outbound mappings
Lesson 3: Protecting Web Resources
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
  • Introduce PingGateway
  • Integrate PingGateway with Advanced Identity Cloud
  • Integrate the PingGateway sample application with Advanced Identity Cloud
Chapter 5: Administering Your Tenant

Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants.

Lesson 1: Managing the Configuration
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
  • Introduce Service Accounts
  • Create and manage a service account
  • Introduce the Advanced Identity Cloud REST API
  • Display Advanced Identity Cloud identities using the REST API
  • Introduce configuration management
  • Create a baseline configuration repository
  • Describe how to manage ESVs
  • Create and call ESV variables
  • Promote your configuration
Lesson 2: Monitoring Tenant Activities
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
  • Explore Logs
  • Retrieve log data using the REST API
  • Retrieve log data using the Frodo CLI
  • Monitor your tenant
  • Monitor tenant health and visualize monitoring metrics
  • Explore the Advanced Identity Cloud analytics dashboard
Lesson 3: Managing Password Policies
Explain how an Advanced Identity Cloud administrator manages realm password policies:
  • Manage realm password policies
  • Configure password policies
Lesson 4: Additional Administration Tasks
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
  • Introduce outbound static IP addresses
  • View outbound static IP addresses
  • Manage tenant certificates
  • Add a custom domain name
Apr 22
3 days
AIC-CERT-PREP Rev A

Certified Professional - PingOne Advanced Identity Cloud Exam Preparation

This course helps prepare students to take the Certified Professional - PingOne Advanced Identity Cloud exam, formerly known as the ForgeRock® Identity Cloud Certified Professional exam. This is accomplished by presenting students with information concerning exam contents, logistics, tips for preparing to take the exam, lab exercises to cover exam contents, and a sample exam that is representative of the exam itself.

Upon completion of this course, you should be able to:

  • Register to take the exam
  • Prepare for the exam using recommended study materials
  • Take the exam either remotely or at a Pearson Testing Center

The following are the prerequisites for successfully completing this course:

  • Successful completion of the AIC-300 Getting Started With PingOne Advanced Identity Cloud for Administrators course
  • Thorough understanding of all PingOne Advanced Identity Cloud documentation and Knowledge Base articles on Backstage
  • 3-6 months of experience configuring and administering PingOne Identity tenants
  • Working knowledge of OAuth 2.0, OpenID Connect and SAML v2.0

Course Contents

Exam Overview
  • Explain exam metrics and passing scores
  • Provide an approach for responding to test questions
  • Identify options for registering and taking the exam
  • Describe testing center requirements
  • Describe requirements for taking the exam online
  • Show how to access exam results
Exam Details
  • Review the exam details and requirements
  • Explain exam topics and study areas
  • Present the objectives covered in the exam
  • Review important concepts associated with exam objectives
  • Review sample questions associated with objectives
  • Provide applicable materials for review
Lab Exercises
  • Research topics which will be covered in the exam
  • Navigate the PingOne Advanced Identity Cloud admin UI
  • Describe PingOne Advanced Identity Cloud configuration settings
  • Explain how to perform PingOne Advanced Identity Cloud related tasks
  • Configure PingOne Advanced Identity Cloud related services
Sample Exam
  • Test a student’s knowledge of PingOne Advanced Identity Cloud
  • Provide students with a representative exam experience
Apr 23
1 day
IGA-400-BVP Rev A.1

PingOne Advanced Identity Cloud Identity Governance

This course provides a hands-on technical introduction to PingOne Advanced Identity Cloud Identity Governance (Identity Governance). Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course is based on PingOne Advanced Identity Cloud (Advanced Identity Cloud) with the Identity Governance functionality added.

Upon completion of this course, you should be able to:

  • Discover how to access, manage, and work with Identity Governance capabilities
  • Create target applications and configure their mapping with Advanced Identity Cloud, reconcile entitlements from the applications, and provision accounts to the applications
  • Create and manage workflows, access requests for resources (entitlements, applications, roles), forms for access requests, and governance glossary items
  • Create and start scheduled and event-based certification campaigns to verify user access, and manage compliance by implementing Segregation of Duties (SoD) policies and rules

The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course.
  • Recommended completion of the PingOne Advanced Identity Cloud Administration course.
  • Knowledge of basic Windows/PowerShell commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A familiarity with the Advanced Identity Cloud admin and end-user UIs


Chapter 1: Introducing Identity Governance

Discover how to access, manage, and work with Identity Governance capabilities.

Lesson 1: Introducing Identity Governance

Describe Identity Governance and the related capabilities available in Advanced Identity Cloud:

  • Describe the purpose of Identity Governance
  • Introduce Identity Governance
  • Access Advanced Identity Cloud
  • Describe the course environment and architecture
  • Access your CloudShare environment
  • Access your Advanced Identity Cloud tenant
  • Access and explore your PingOne tenant environment

Lesson 2: Onboarding Applications and Identities

Create applications for onboarding users:

  • Explain Identity Governance terminology
  • Describe application types
  • Register and manage applications
  • Connect an application with an identity source
  • Configure application provisioning
  • Onboard and provision users, roles, and entitlements
  • Create a connector server in Advanced Identity Cloud
  • Connect the RCS with Advanced Identity Cloud
  • Customize the Advanced Identity Cloud user schema
  • Register an authoritative application and onboard identities

Chapter 2: Managing Identity Lifecycle and Entitlements

Create target applications and configure their mapping with Advanced Identity Cloud, reconcile entitlements from the applications, and provision accounts to the applications.

Lesson 1: Reconciling Entitlements

Load and manage entitlements from target applications in Advanced Identity Cloud:

  • Describe entitlements
  • Manage entitlements
  • Assign and revoke entitlements to/from users and roles
  • Request access for an entitlement
  • Reconcile entitlements from Active Directory (AD)
  • Reconcile entitlements from PingOne

Lesson 2: Synchronizing Identity Data

Describe synchronization as a foundation of identity lifecycle management in Identity Governance, and provision and manage application accounts:

  • Describe the need for synchronization
  • Explore synchronization in Identity Governance
  • Describe how changes are managed during synchronization
  • Provision and manage application accounts
  • Provision an account to AD
  • Provision an account and entitlement to PingOne

Chapter 3: Creating and Managing Workflows and Access Requests

Create and manage workflows, access requests for resources (entitlements, applications, roles), forms for access requests, and governance glossary items.

Lesson 1: Managing Access Requests for Resources

Create, review, and manage access requests for resources, such as applications, entitlements, and roles:

  • Explain access request concepts
  • Access request administration
  • Request access to resources
  • Review and handle access requests
  • Request to provision an AD account with entitlements
  • Request to provision PingOne accounts with entitlements
  • Define a conditional provisioning role
  • Define and request a provisioning role

Lesson 2: Managing Glossary Items and Scopes

Create and manage governance glossary items and scopes to manage what can be requested:

  • Describe the governance glossary
  • Define and populate glossary attribute values
  • Use glossary attribute values as filters
  • Request access to entities for others
  • Create scopes to control what can be requested
  • Define glossary items for use in workflows and scopes
  • Create access requests for others and add scopes

Lesson 3: Creating Workflows, Request Types, and Forms

Manage workflows, request types, and forms for customizing access requests, and schedule a task scanner job:

  • Create and manage workflows
  • Build a workflow with nodes
  • Create and manage request types
  • Create and manage forms for customized user-interaction
  • Designing forms in the form editor
  • Create and manage a task scanner
  • Create new workflows and update default workflows
  • Create and manage forms to customize user interaction

Chapter 4: Managing Certifications and Compliance

Create and start scheduled and event-based certification campaigns to verify user access, and manage compliance by implementing SoD policies and rules.

Lesson 1: Configuring and Running Certifications

Prepare and perform certification of access to applications:

  • Certify access in Identity Governance
  • Create certification templates
  • Configure the certification template
  • Manage certification templates
  • Create certification campaigns
  • Perform access reviews
  • Certify access based on events
  • Configure and initiate entitlement certifications
  • Certify entitlements for the certification campaign
  • Configure an event that triggers certification
  • Configure an event that initiates a workflow
  • Manage approvals for triggered events

Lesson 2: Managing Compliance With SoD

Manage compliance and implement SoD policies:

  • Describe SoD
  • Define policy rules
  • Configure compliance policies
  • Run compliance scans
  • Manage violations and exceptions
  • Create an SoD rule and policy
  • Run a compliance scan
  • Make a request that violates compliance
Apr 27
4 days
P1-400-BVP Rev A.1

PingOne Administration

This course gives learners the tools to get started with PingOne administration. It covers initial setup tasks, including creating and managing PingOne environments, application integration, and customization. This course also provides information on most common administration tasks, including user and group management, managing access policies, best practices, and troubleshooting of common issues.

Upon completion of this course, you should be able to:

  • Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment
  • Demonstrate administration of PingOne user populations, user roles, attributes, and groups
  • Demonstrate integration and troubleshooting of PingOne applications
  • Demonstrate how to use access control policies within PingOne
  • Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne
  • Demonstrate troubleshooting techniques and best practices within PingOne

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses available at: https://backstage.forgerock.com/university/ping/on-demand/category/PING
  • PingOne Fundamentals
  • Introduction to PingOne MFA
  • Getting Started With PingOne MFA
  • Getting Started With PingOne SSO
  • (Optional) Introduction to PingOne DaVinci
Chapter 1: Introducing PingOne

Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment.

Lesson 1: Providing an Overview of PingOne
Summarize PingOne capabilities and key features:
  • Describe PingOne as a cloud-based IDaaS solution
  • Describe PingOne environment solutions
  • Create a new environment
Lesson 2: Introducing Ping Identity Support Resources
Describe PingOne support resources:
  • Locate Ping Identity support resources
Chapter 2: Managing Users

Demonstrate administration of PingOne user populations, user roles, attributes, and groups.


Lesson 1: Managing Users and Populations

Describe how to manage users in PingOne, including how to create populations and add individual users:

  • Review default users
  • Edit default users
  • Create populations
  • Create a new population
  • Create new users
  • Create a new user
Lesson 2: Managing User Roles, Attributes, and Groups
Create a new population and new users:
  • Manage administrator roles
  • Assign roles to administrators
  • Understand user attributes
  • Manage user attributes
  • Manage user groups
  • Manage user group memberships
Chapter 3: Defining Application Integration

Demonstrate integration and troubleshooting of PingOne applications.

Lesson 1: Describing the Supported Federation Protocols
Understand the various identity federation protocols used within PingOne:
  • Understand federation protocols
  • Add an application from the catalog
  • Understand SAML2
  • Add a custom SAML2 application
  • Understand OAuth2
  • Understand OIDC
  • Add a custom OIDC application
  • Administer the Application Portal
Lesson 2: Troubleshooting Common PingOne Issues
Describe common issues that occur in PingOne, troubleshooting steps, and best practices:
  • Describe authentication failures
  • Define SSO failures
  • Describe attribute mapping errors
  • Determine certificate issues
  • Define group membership issues
  • Describe application integration issues
  • Define gateway access issues
  • Describe best practices
Chapter 4: Configuring Access Control

Demonstrate how to use access control policies within PingOne.

Lesson 1: Managing Authentication Policies
Describe how to create and manage authentication policies in PingOne:
  • Describe authentication policies
  • Create an authentication policy
Lesson 2: Managing Password Policies
Describe how to manage password policies in PingOne:
  • Define password policies
  • Edit a password policy
Lesson 3: Using Additional Authentication Methods
Describe how to create and manage authentication methods used in PingOne policies:
  • Describe MFA and FIDO policies
  • Create an MFA policy
  • Create a FIDO policy
Chapter 5: Managing the Identity Lifecycle

Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne.

Lesson 1: Managing User Onboarding
Discuss the initial stages of the identity lifecycle within PingOne, and describe how new user accounts are created and made ready for access:
  • Onboard users
  • Create users manually
Lesson 2: Understanding User Provisioning
Explain how PingOne automates the management of user access to applications, building upon the user identities created during onboarding:
  • Provision users
Lesson 3: Understanding User Maintenance
Describe how to manage the user maintenance capabilities in PingOne:
  • Administer user accounts
  • Manage a user account
Lesson 4: Managing User Offboarding
Understand the critical process of user offboarding within PingOne:
  • Offboard users
Lesson 5: Monitoring and Reporting
Explain the importance of monitoring and reporting within PingOne:
  • Monitor activity and view reports

Chapter 6: Troubleshooting and Best Practices

Demonstrate troubleshooting techniques and best practices within PingOne.

Lesson 1: Managing the Troubleshooting Process
Summarize the troubleshooting process and common techniques within PingOne:
  • Introduce the troubleshooting process
  • Understand common troubleshooting techniques
Lesson 2: Reviewing Best Practices
Summarize PingOne administration best practices:
  • Maintain a healthy PingOne environment
Apr 27
2 days
IG-430-BVP Rev A

PingGateway Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful edge security solution with the PingGateway environment, formerly known as ForgeRock® Identity Gateway. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of PingGateway. Further information and guidance can be found in the documentation and knowledge base documents in the online repositories at: Backstage https://backstage.forgerock.com.

Note: Revision A of this course is based on version 7.2 of PingGateway.

Upon completion of this course, you should be able to:

  • Integrate and protect web applications, APIs, legacy applications, and microservices with the Ping Identity Platform (Identity Platform), formerly known as ForgeRock® Identity Platform, by using PingGateway
  • Add authentication to the ForgeRock Entertainment Company (FEC) solution using PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud, or PingAM (AM), formerly known as ForgeRock® Access Management, as the access manager, OpenID Connect (OIDC) provider, and Security Assertion Markup Language (SAML2) identity provider (IdP)
  • Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice
  • Protect a REST API with PingGateway and extend PingGateway functionality with scripting
  • Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingGateway Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjQ%3D/chapter/Q291cnNlOjE1NzI2

Chapter 1: Integrating Applications With PingGateway

Integrate and protect web applications, APIs, legacy applications, and microservices with Identity Platform by using PingGateway.

Lesson 1: Introducing PingGateway
Introduce PingGateway and discuss scenarios for protecting web applications, APIs, and legacy applications:
  • Introduce PingGateway
  • Describe PingGateway features
  • Compare PingGateway with policy agents
  • Explore PingGateway integration with web applications
  • Describe PingGateway integration with OIDC and SAML
  • Explore PingGateway policy enforcement and second-factor authentication (2FA)
  • Describe PingGateway protection of APIs
  • Access your CloudShare VM
  • Examine the lab environment
  • Access the FEC and DVD4U websites
Lesson 2: Fronting a Website With PingGateway
Configure PingGateway to listen for secure connections, operate in development mode, and be a reverse proxy in front of the FEC website:
  • Examine the PingGateway configuration structure
  • Describe required PingGateway configuration
  • Configure PingGateway for secure connections
  • Configure PingGateway routes
  • Creating and managing routes in PingGateway Studio
  • Protect a website by using PingGateway Studio
  • Upgrade a route to use WebSockets
  • Configure PingGateway for development mode and TLS connections
  • Protect the FEC website with PingGateway by using PingGateway Studio
  • Manage routes in PingGateway Studio and examine PingGateway log files
Lesson 3: Routing Requests and Responses
Configure PingGateway to route requests depending on external conditions, and use various filters and handlers to process requests and responses within a route:
  • Describe the PingGateway object model
  • Examine objects available in routes
  • Retrieve context data and configure sessions
  • Route requests depending on conditions
  • Describe route handlers
  • Manage requests and responses with a route handler
  • Process requests and responses with filters
  • Create a route to allow access to a public area of FEC
  • Add a page not found route
  • Create a route to access the legacy DVD4U application
  • Add password replay for the DVD4U application
Lesson 4: Configuring PingGateway Logging and Capturing Route Communication
Introduce decorators, capture information in the PingGateway logs using the CaptureDecorator, and retrieve credentials from a file with a FileAttributesFilter:
  • Manage PingGateway logs
  • Introduce Decorators
  • Configure route activity logs
  • Capture inbound and outbound communication
  • Retrieve credentials from a file
  • Observe requests and responses in PingGateway logs
  • Test different capture configuration settings
  • Centralize PingGateway logging configuration
  • Modify the DVD4U route to get credentials from a file
  • Use Logback configuration for troubleshooting
Chapter 2: Configuring Agentless Single Sign-On

Add authentication to the FEC solution, using Advanced Identity Cloud or AM as the access manager, OIDC provider, and SAML2 identity provider.

Lesson 1: Implementing Authentication with the SSO Filter
Implement authentication for websites with the single sign-on (SSO) filter by using PingGateway to interact with Advanced Identity Cloud or AM as the authentication server, to ensure access to non-public content requires authentication:
  • Create a route by using the PingGateway Studio Freeform Designer
  • Configure Advanced Identity Cloud or AM as a service
  • Describe how to use the SSO Filter
  • Retrieve user data from the authentication provider
  • Configure PingGateway as an HTTPS client
  • Create a route with the PingGateway Studio Freeform Designer
  • Redirect requests to AM for authentication
  • Configure PingGateway for client-side HTTPS
  • Access properties in SSO token context
  • Retrieve user profile data for display in a web page
  • Store information in a PingGateway HTTP session
  • Configure capture decorators in Freeform Designer
Lesson 2: Configuring CDSSO for the Legacy Application
Configure cross-domain single sign-on (CDSSO) to support applications located in different domains, by using the CrossDomainSingleSignOnFilter:
  • Describe the CDSSO Filter
  • Configure the CDSSO Filter Solution
  • Configure CDSSO redirect endpoints
  • Integrate the legacy application with CDSSO
  • Create a new route to protect DVD4U with CDSSO and AM
  • Update the DVD4U route to automatically log in the authenticated user
  • Prepare the Advanced Identity Cloud tenant
  • Protect the DVD4U and FEC websites using CDSSO with Advanced Identity Cloud
Lesson 3: Performing SSO With PingGateway as an OIDC Relying Party
Configure PingGateway to operate as an OIDC client (relying party) to offer potential subscriber users access to the trial sections and immediate access to promotional content of the website by using their Gmail account:
  • Describe basic OIDC concepts
  • Configure PingGateway as an OIDC client
  • Examine the flow of OIDC redirects for authentication and consent
  • Explore the flow of OIDC callbacks and data injection
  • Configure an OIDC relying party route
  • Examine the OIDC relying party solution
Lesson 4: Providing SSO with PingGateway as a SAML2 SP
Configure PingGateway to act as a SAML2 service provider (SP), enabling an application to be SAML2-compliant:
  • Authenticate with a SAML2 identity provider (IdP)
  • Describe the use of the SAML federation handler
  • Describe the use of the dispatch handler
  • Describe the SAML2 implementation flow
  • Set up SAML2 configuration files for PingGateway
  • Configure a SAML2 route for the trial section
  • Examine the SAML2 solution (optional)
Chapter 3: Controlling Access with PingGateway as Policy Enforcement Point

Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice.

Lesson 1: Implementing Authorization With a Policy Enforcement Filter
Configure PingGateway to manage access to a website by evaluating policies configured in Advanced Identity Cloud (or AM) and using a PolicyEnforcementFilter:
  • Describe the use of the Policy Enforcement Filter
  • Illustrate the use of the Policy Enforcement Filter
  • Configure a policy enforcement point (PEP) route for the premium section of FEC
  • Examine the PEP solution (optional)
Lesson 2: Providing Step-Up Authentication and Transactional Authorization
Illustrate how PingGateway handles step-up authentication and transactional authorization policy advices with Advanced Identity Cloud (or AM):
  • Describe step-up authentication
  • Illustrate how PingGateway handles step-up authentication
  • Describe transactional authorization
  • Illustrate how PingGateway handles transactional authorization
  • Configure a PEP route for the on demand and profile sections of FEC
  • Examine the profile solution (optional)
  • Examine the on-demand solution (optional)
Chapter 4: Protecting a REST API

Protect a REST API with PingGateway and extend PingGateway functionality with scripting.

Lesson 1: Configuring PingGateway as an OAuth2 Resource Server
Configure PingGateway to act as an OAuth2 resource server that protects a REST API:

  • Describe the use of the OAuth2 resource server filter
  • List access token resolvers
  • Validate certificate-bound access tokens
  • Observe the flow with the token introspection resolver
  • Prepare the OAuth2 solution to protect the FEC REST API
  • Configure PingGateway to protect the FEC REST APIs
  • Examine the REST API solution (optional)
Lesson 2: Extending Functionality With Scripts
Log information on context, implement dynamic scopes to manage access to resources, and refine allowed access using script-based objects in PingGateway:
  • Describe the scripting functionality for extending PingGateway
  • Explore scriptable objects
  • Examine dynamic scopes solution
  • Describe OAuth2 token swapping in PingGateway
  • Configure a scriptable filter to log the content of the OAuth2 context
  • Configure a dynamic scopes script
  • Configure a scriptable filter to retrieve the correct favorite list
Chapter 5: Preparing for Production with PingGateway

Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment.

Lesson 1: Auditing, Monitoring, and Tuning a PingGateway Solution
Prepare PingGateway for a production environment by considering auditing, monitoring, tuning, security, and deployment topics:
  • Describe the audit framework
  • Excluding sensitive data from audit logs
  • Accessing the Common REST API monitoring endpoint
  • Decreasing the number of requests through caching
Lesson 2: Developing an Awareness of Security Questions With PingGateway
Develop awareness of best practices, describe JwtSessions, examine common secrets, and manage request rates and throttling:
  • Discuss PingGateway best practices regarding security
  • Examine the common secrets
  • Explore secret store types
  • Describe throttling
  • Create common secret stores
  • Configure throttling
Lesson 3: Deploying PingGateway
Explore how to deploy PingGateway into a production context by using property value substitution and clustering:
  • Describe property value substitution
  • Set up multiple PingGateway instances
  • Integrate configuration tokens in the solution
  • Deploy a second PingGateway instance
Apr 27
5 days
PIDM-400 BVP Rev A

PingIDM Administration

Learn how to install and deploy PingIDM (IDM) in an on-prem or self-managed cloud environment to manage the lifecycle and relationship of digital identities. Topics include how to model identity objects in IDM, create connector configurations and synchronization mappings to manage the flow of identity objects and properties with various external identity resources, manage workflows, and deploy IDM within a cluster. This course explores the identity management-related features in depth, how they work, and the configuration options available during implementation.

Note: Revision A of this course is based on version 8.0.1 of PingIDM.

Upon completion of this course, you should be able to:

  • Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM
  • Create and configure connections between external resources and IDM
  • Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store
  • Install and deploy IDM in an on-prem or cloud provider Linux environment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingIDM Essentials course available at: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Basic knowledge and skills using the Linux operating system will be required to complete the labs.
  • Basic knowledge of JSON, JavaScript, REST, Java, Groovy, SQL and LDAP would be helpful for understanding the examples; however, programming experience is not required.

Chapter 1: Building and Configuring the Prerequisites

Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM.

Lesson 1: Setting Up the Lab
Provide an overview of how to set up the lab environment:

  • Install IDM
  • Explore the auxiliary software

Lesson 2: Modeling Objects and Identities
Describe how to model objects and identities via REST:

  • Introduce the Postman collection
  • Run the Postman collection

Lesson 3: Setting Up the End-User UI
Describe how to configure the end-user UI:

  • Install and configure the end-user UI
  • Retrieve, compile and deploy the end-user UI
  • Access the end-user UI

Chapter 2: Managing Connectors

Create and configure connections between external resources and IDM.

Lesson 1: Configuring Connectors With the IDM Admin UI
Create a connector configuration to connect to an external resource using the IDM admin UI:

  • Connect external resources to IDM
  • Create a connector configuration using the IDM admin UI
  • Add a connector configuration for an external LDAP resource
  • Add a CSV connector configuration
  • Add a connector configuration to import device identities

Lesson 2: Configuring Connectors Over REST
Create a connector configuration in IDM over the REST interface:

  • Create a connector configuration over REST
  • Describe the core connector configuration settings
  • Describe the object types and property mappings
  • Use the scripted SQL connector
  • Create a scripted SQL connector configuration

Chapter 3: Managing Synchronization and Reconciliation

Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store.

Lesson 1: Performing Basic Synchronization
Describe how to use the IDM admin UI to create sync mappings to reconcile identities between IDM and an external resource:

  • Create mappings to synchronize identity objects and properties
  • Create a sync mapping from IDM to an external resource
  • Add source and target properties to the sync mapping
  • Add a correlation query and a situational event script
  • Set the situational behaviors and run reconciliation
  • Add a sync mapping from IDM to an LDAP server
  • Describe the sync mapping from an LDAP server to IDM
  • Add a sync mapping from an LDAP server to IDM
  • Create a sync mapping to provision devices to the IDM repository

Lesson 2: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:

  • Filter entries
  • Run selective synchronization using filters
  • Use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Schedule LiveSync
  • Schedule LiveSync with an external resource
  • Control synchronization to multiple targets

Lesson 3: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:

  • Provision attributes to a target system based on static role assignments
  • Enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Add temporal constraints to a role
  • Set temporal constraints on a role

Lesson 4: Configuring a Custom Endpoint
Describe how to configure a custom endpoint:

  • Use a custom endpoint
  • Create a custom endpoint (optional)

Chapter 4: Installing and Deploying IDM

Install and deploy IDM in an on-prem or cloud provider Linux environment.

Lesson 1: Installing an IDM instance
Install a stand-alone IDM instance for development and test the IDM sample configurations:

  • Describe the basic IDM installation requirements
  • Install and start IDM
  • Install IDM
  • Select MariaDB as a backend repository
  • Describe how to start IDM with a sample configuration
  • Start IDM with a sample configuration
  • Describe how to configure IDM to run as a background process or service
  • Configure IDM to run as a background process

Lesson 2: Monitoring and Troubleshooting
Describe how to set up monitoring and perform basic troubleshooting:

  • Describe the monitoring options available for IDM
  • Set up monitoring in IDM
  • Describe the different IDM log files
  • Examine the different log files in IDM (optional)

Lesson 3: Managing Passwords
Describe how to set up and fine-tune password policies and synchronizations in an IDM deployment:

  • Describe password policies in IDM
  • Set up password policies in IDM
  • Describe password synchronization from DS into IDM
  • Set up password synchronization from DS into IDM
Apr 27
3 days
PD-400-BVP Rev A.1

PingDirectory Administration

This course provides the knowledge you need to install and administer each component of the PingDirectory platform, which includes: PingDirectory server, PingDirectoryProxy server, PingDataSync server, the PingData Software Development Kit (SDK), and Delegated User Administration. This course references real-world scenarios driven by recurring use cases. You learn how to install each PingDirectory platform component and perform basic maintenance using the monitoring and troubleshooting tools, while hands-on lab exercises provide first-hand experience installing, configuring, tuning, and using the troubleshooting tools.


This course is built on version 10.

Upon completion of this course, you should be able to:

  • Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks
  • Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment
  • Describe how to install and manage the PingDirectoryProxy server
  • Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server
  • Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.

The following are the prerequisites for successfully completing this course:

  • Knowledge of UNIX/Linux commands.
  • A basic understanding of how directory servers function.
  • A basic understanding of REST and HTTP.
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
  • Completion of the Introduction to PingDirectory available at: https://backstage.pingidentity.com/university/

Chapter 1: Installing PingDirectory

Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks.

Lesson 1: Providing an Overview of PingDirectory
Describe the capabilities and key features of PingDirectory:
  • Describe the key features of PingDirectory
Lesson 2: Installing the PingDirectory Server
Summarize the PingDirectory server installation procedures:
  • Perform pre-installation procedures
  • Install PingDirectory
  • Describe post-installation procedures
Lesson 3: Completing Initial Configuration
Complete the PingDirectory server initial configuration settings:
  • Use server profiles
  • (Optional) Install PingDirectory

Chapter 2: Deploying PingDirectory

Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment.

Lesson 1: Managing the Schema
Describe the functions of the schema, and modify the schema by creating new attribute types, object classes, and a new custom user:
  • Describe the schema
  • Modify the schema
  • Modify the schema
  • Modify object classes
  • Create auxiliary object classes
  • Load custom schema elements
Lesson 2: Managing Objects
Define objects in LDAP and use the command-line tools to search, add, modify, and delete entries:
  • Search entries
  • Manage entries
  • Create objects
Lesson 3: Using Security and Encryption
Describe the basic vulnerabilities in LDAP server implementations, secure server data, use the encryption-settings tool to create an encryption settings database, and create sensitive attributes:
  • Prevent data vulnerability
  • Keep data secure
  • Configure encryption settings
Lesson 4: Using Virtual Attributes
Define virtual attributes and their use, recall the virtual attribute types, and create mirrored virtual attributes:
  • Define virtual attributes
  • Administer virtual attributes
Lesson 5: Managing Password Policies
Describe how to use password policies, and then create and assign password policies to individual accounts and/or user groups:
  • Describe password policies
  • Create a password policy
Lesson 6: Administering JSON Attributes
Describe how to manage and create JSON attributes:
  • Manage JSON attributes
  • Create JSON attributes
  • Manage the Password Policy State JSON
  • Administer JSON Attributes
Lesson 7: Managing the REST APIs
Describe the available REST APIs, list the HTTP methods available, and use the Directory REST API to create and update user entries:
  • Understand the REST APIs
  • Use the SCIM 2.0 REST API
  • Administer the Directory REST API
Lesson 8: Managing Logging
List the three types of available log publishers, describe the elements of the log format, and create log publishers:
  • Manage log publishers
  • Configure logging
  • Create a log publisher
Lesson 9: Managing Replication
Define the replication process and architecture, set up a server topology, enable the replication process, and initialize new replicas:
  • Understand replication
  • Enable replication
  • Resolve conflicts
  • Understand the replication protocol
  • Use replication over WAN
  • Plan deployment
  • Configure replication
  • Scale replication
  • Enable the replication process
Lesson 10: Managing Server Topologies
Discuss the topology registry, create server groups to aid in configuration changes, and compare configurations on separate directory servers:
  • Define the topology registry
  • Administer the server topology
Chapter 3: Administering the PingDirectoryProxy Server

Describe how to install and manage the PingDirectoryProxy server.

Lesson 1: Providing an Overview of the PingDirectoryProxy Server
Describe the capabilities and key features of the PingDirectoryProxy server:
  • Describe the key features
Lesson 2: Installing the PingDirectoryProxy Server
Describe how to install the PingDirectoryProxy server:
  • Describe the installation process
  • Install the PingDirectoryProxy server
Lesson 3: Managing the PingDirectoryProxy Server
Describe the key advanced PingDirectoryProxy server transformation features:
  • Describe the proxy transformations
  • Understand entry balancing
  • Create transformations
Chapter 4: Administering the PingDataSync Server

Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server.

Lesson 1: Providing an Overview of PingDataSync
Describe the capabilities and key features of the PingDataSync server:
  • Describe the key features
Lesson 2: Installing the PingDataSync Server
Summarize the PingDataSync server installation procedures:
  • Install the PingDataSync server
  • Use the start, stop, and restart commands
  • Describe the failover server
  • Install the failover server
  • Install the PingDataSync server
Lesson 3: Configuring the PingDataSync Server
Define and install the PingDataSync server components:
  • Define Sync Pipe components
  • Create the synchronization flow
  • Use the retry mechanism
  • Configure the PingDataSync server
  • Configure and synchronize the PingDataSync server
Lesson 4: Synchronizing the PingDataSync Server
Describe the features needed, in a relational database and AD, to allow synchronization through the PingDataSync server:
  • Synchronize with a relational database
  • Synchronize with AD
Chapter 5: Troubleshooting and Maintenance

Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.

Lesson 1: Providing an Overview of the Server SDK
Provide an overview of the Server SDK:
  • Describe the key features of the Server SDK
Lesson 2: Maintaining the PingDirectory Server
Summarize common PingDirectory maintenance tasks:
  • Use the start, stop, and restart server commands
  • Understand common maintenance tasks
  • Perform maintenance tasks
  • Understand Delegated Admin
  • Configure Delegated Admin
  • Administer Delegated Admin
  • Understand data recovery
  • Perform data recovery
Lesson 3: Monitoring a PingDirectory Deployment
Explain how monitoring is a vital part of a PingDirectory deployment:
  • Monitor the PingDirectory server
Lesson 4: Troubleshooting the PingDirectory server
Provide information about available troubleshooting tools and log files to help ensure the resolution of any problems:
  • Understand how to troubleshoot issues
  • Repair a conflict resolution
  • Use troubleshooting tools


Apr 27
3 days
IG-430-BVP Rev A

PingGateway Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful edge security solution with the PingGateway environment, formerly known as ForgeRock® Identity Gateway. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of PingGateway. Further information and guidance can be found in the documentation and knowledge base documents in the online repositories at: Backstage https://backstage.forgerock.com.

Note: Revision A of this course is based on version 7.2 of PingGateway.

Upon completion of this course, you should be able to:

  • Integrate and protect web applications, APIs, legacy applications, and microservices with the Ping Identity Platform (Identity Platform), formerly known as ForgeRock® Identity Platform, by using PingGateway
  • Add authentication to the ForgeRock Entertainment Company (FEC) solution using PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud, or PingAM (AM), formerly known as ForgeRock® Access Management, as the access manager, OpenID Connect (OIDC) provider, and Security Assertion Markup Language (SAML2) identity provider (IdP)
  • Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice
  • Protect a REST API with PingGateway and extend PingGateway functionality with scripting
  • Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingGateway Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjQ%3D/chapter/Q291cnNlOjE1NzI2

Chapter 1: Integrating Applications With PingGateway

Integrate and protect web applications, APIs, legacy applications, and microservices with Identity Platform by using PingGateway.

Lesson 1: Introducing PingGateway
Introduce PingGateway and discuss scenarios for protecting web applications, APIs, and legacy applications:
  • Introduce PingGateway
  • Describe PingGateway features
  • Compare PingGateway with policy agents
  • Explore PingGateway integration with web applications
  • Describe PingGateway integration with OIDC and SAML
  • Explore PingGateway policy enforcement and second-factor authentication (2FA)
  • Describe PingGateway protection of APIs
  • Access your CloudShare VM
  • Examine the lab environment
  • Access the FEC and DVD4U websites
Lesson 2: Fronting a Website With PingGateway
Configure PingGateway to listen for secure connections, operate in development mode, and be a reverse proxy in front of the FEC website:
  • Examine the PingGateway configuration structure
  • Describe required PingGateway configuration
  • Configure PingGateway for secure connections
  • Configure PingGateway routes
  • Creating and managing routes in PingGateway Studio
  • Protect a website by using PingGateway Studio
  • Upgrade a route to use WebSockets
  • Configure PingGateway for development mode and TLS connections
  • Protect the FEC website with PingGateway by using PingGateway Studio
  • Manage routes in PingGateway Studio and examine PingGateway log files
Lesson 3: Routing Requests and Responses
Configure PingGateway to route requests depending on external conditions, and use various filters and handlers to process requests and responses within a route:
  • Describe the PingGateway object model
  • Examine objects available in routes
  • Retrieve context data and configure sessions
  • Route requests depending on conditions
  • Describe route handlers
  • Manage requests and responses with a route handler
  • Process requests and responses with filters
  • Create a route to allow access to a public area of FEC
  • Add a page not found route
  • Create a route to access the legacy DVD4U application
  • Add password replay for the DVD4U application
Lesson 4: Configuring PingGateway Logging and Capturing Route Communication
Introduce decorators, capture information in the PingGateway logs using the CaptureDecorator, and retrieve credentials from a file with a FileAttributesFilter:
  • Manage PingGateway logs
  • Introduce Decorators
  • Configure route activity logs
  • Capture inbound and outbound communication
  • Retrieve credentials from a file
  • Observe requests and responses in PingGateway logs
  • Test different capture configuration settings
  • Centralize PingGateway logging configuration
  • Modify the DVD4U route to get credentials from a file
  • Use Logback configuration for troubleshooting
Chapter 2: Configuring Agentless Single Sign-On

Add authentication to the FEC solution, using Advanced Identity Cloud or AM as the access manager, OIDC provider, and SAML2 identity provider.

Lesson 1: Implementing Authentication with the SSO Filter
Implement authentication for websites with the single sign-on (SSO) filter by using PingGateway to interact with Advanced Identity Cloud or AM as the authentication server, to ensure access to non-public content requires authentication:
  • Create a route by using the PingGateway Studio Freeform Designer
  • Configure Advanced Identity Cloud or AM as a service
  • Describe how to use the SSO Filter
  • Retrieve user data from the authentication provider
  • Configure PingGateway as an HTTPS client
  • Create a route with the PingGateway Studio Freeform Designer
  • Redirect requests to AM for authentication
  • Configure PingGateway for client-side HTTPS
  • Access properties in SSO token context
  • Retrieve user profile data for display in a web page
  • Store information in a PingGateway HTTP session
  • Configure capture decorators in Freeform Designer
Lesson 2: Configuring CDSSO for the Legacy Application
Configure cross-domain single sign-on (CDSSO) to support applications located in different domains, by using the CrossDomainSingleSignOnFilter:
  • Describe the CDSSO Filter
  • Configure the CDSSO Filter Solution
  • Configure CDSSO redirect endpoints
  • Integrate the legacy application with CDSSO
  • Create a new route to protect DVD4U with CDSSO and AM
  • Update the DVD4U route to automatically log in the authenticated user
  • Prepare the Advanced Identity Cloud tenant
  • Protect the DVD4U and FEC websites using CDSSO with Advanced Identity Cloud
Lesson 3: Performing SSO With PingGateway as an OIDC Relying Party
Configure PingGateway to operate as an OIDC client (relying party) to offer potential subscriber users access to the trial sections and immediate access to promotional content of the website by using their Gmail account:
  • Describe basic OIDC concepts
  • Configure PingGateway as an OIDC client
  • Examine the flow of OIDC redirects for authentication and consent
  • Explore the flow of OIDC callbacks and data injection
  • Configure an OIDC relying party route
  • Examine the OIDC relying party solution
Lesson 4: Providing SSO with PingGateway as a SAML2 SP
Configure PingGateway to act as a SAML2 service provider (SP), enabling an application to be SAML2-compliant:
  • Authenticate with a SAML2 identity provider (IdP)
  • Describe the use of the SAML federation handler
  • Describe the use of the dispatch handler
  • Describe the SAML2 implementation flow
  • Set up SAML2 configuration files for PingGateway
  • Configure a SAML2 route for the trial section
  • Examine the SAML2 solution (optional)
Chapter 3: Controlling Access with PingGateway as Policy Enforcement Point

Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice.

Lesson 1: Implementing Authorization With a Policy Enforcement Filter
Configure PingGateway to manage access to a website by evaluating policies configured in Advanced Identity Cloud (or AM) and using a PolicyEnforcementFilter:
  • Describe the use of the Policy Enforcement Filter
  • Illustrate the use of the Policy Enforcement Filter
  • Configure a policy enforcement point (PEP) route for the premium section of FEC
  • Examine the PEP solution (optional)
Lesson 2: Providing Step-Up Authentication and Transactional Authorization
Illustrate how PingGateway handles step-up authentication and transactional authorization policy advices with Advanced Identity Cloud (or AM):
  • Describe step-up authentication
  • Illustrate how PingGateway handles step-up authentication
  • Describe transactional authorization
  • Illustrate how PingGateway handles transactional authorization
  • Configure a PEP route for the on demand and profile sections of FEC
  • Examine the profile solution (optional)
  • Examine the on-demand solution (optional)
Chapter 4: Protecting a REST API

Protect a REST API with PingGateway and extend PingGateway functionality with scripting.

Lesson 1: Configuring PingGateway as an OAuth2 Resource Server
Configure PingGateway to act as an OAuth2 resource server that protects a REST API:

  • Describe the use of the OAuth2 resource server filter
  • List access token resolvers
  • Validate certificate-bound access tokens
  • Observe the flow with the token introspection resolver
  • Prepare the OAuth2 solution to protect the FEC REST API
  • Configure PingGateway to protect the FEC REST APIs
  • Examine the REST API solution (optional)
Lesson 2: Extending Functionality With Scripts
Log information on context, implement dynamic scopes to manage access to resources, and refine allowed access using script-based objects in PingGateway:
  • Describe the scripting functionality for extending PingGateway
  • Explore scriptable objects
  • Examine dynamic scopes solution
  • Describe OAuth2 token swapping in PingGateway
  • Configure a scriptable filter to log the content of the OAuth2 context
  • Configure a dynamic scopes script
  • Configure a scriptable filter to retrieve the correct favorite list
Chapter 5: Preparing for Production with PingGateway

Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment.

Lesson 1: Auditing, Monitoring, and Tuning a PingGateway Solution
Prepare PingGateway for a production environment by considering auditing, monitoring, tuning, security, and deployment topics:
  • Describe the audit framework
  • Excluding sensitive data from audit logs
  • Accessing the Common REST API monitoring endpoint
  • Decreasing the number of requests through caching
Lesson 2: Developing an Awareness of Security Questions With PingGateway
Develop awareness of best practices, describe JwtSessions, examine common secrets, and manage request rates and throttling:
  • Discuss PingGateway best practices regarding security
  • Examine the common secrets
  • Explore secret store types
  • Describe throttling
  • Create common secret stores
  • Configure throttling
Lesson 3: Deploying PingGateway
Explore how to deploy PingGateway into a production context by using property value substitution and clustering:
  • Describe property value substitution
  • Set up multiple PingGateway instances
  • Integrate configuration tokens in the solution
  • Deploy a second PingGateway instance
May 4
5 days
AIC-400-BVP Rev A

PingOne Advanced Identity Cloud Administration

This course builds upon the Getting Started With PingOne Advanced Identity Cloud for Administrators training to provide advanced techniques for managing and configuring PingOne Advanced Identity Cloud (Advanced Identity Cloud). Students will master advanced authentication journeys with multi-factor authentication (MFA), implement context-based authorization policies, and learn to model complex identity objects with relationships between managed objects. The course covers essential synchronization techniques, including connector configuration, reconciliation, LiveSync, and role-based provisioning to manage identity flow between Advanced Identity Cloud and external resources. Participants will gain hands-on experience with the REST API for programmatic access to identity management features, enabling automation and integration with external systems. Through practical exercises, students will learn to deploy and configure PingGateway to protect websites, implement continuous contextual authorization, and create comprehensive identity management solutions.


Upon completion of this course, you should be able to:

  • Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway
  • Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization
  • Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration
  • Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning
  • Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically

The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course available at: https://backstage.pingidentity.com/university/
  • Experience with Identity and Access Management
  • Working knowledge of REST communication
Chapter 1: Administering Authentication Journeys

Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway.

Lesson 1: (Recap) Exploring Authentication in Advanced Identity Cloud
Provide a recap of authentication in Advanced Identity Cloud:
  • Introduce the basic concepts of authentication
  • Prepare the lab environment
  • Describe the authentication mechanisms of Advanced Identity Cloud
  • Examine Advanced Identity Cloud default authentication
  • Create and manage journeys
  • Explore journey nodes
  • Create a login journey
  • Test the login journey
Lesson 2: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement TOTP authentication
  • Examine Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
Lesson 3: Modifying a User’s Journey Based on Context
Describe how Advanced Identity Cloud can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • (Optional) Implement account lockout
Lesson 4: Protecting a Website With PingGateway
Show how PingGateway, integrated with Advanced Identity Cloud, can protect a website:
  • Present Advanced Identity Cloud edge clients
  • Describe PingGateway functionality as an edge client
  • Review the BXE website protected by PingGateway
  • Integrate the BXE website with Advanced Identity Cloud
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
Chapter 2: Administering Authorization Policies

Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization.

Lesson 1: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with Advanced Identity Cloud authorization
  • Define Advanced Identity Cloud policy components
  • Define policy environment conditions and response attributes
  • Process of Advanced Identity Cloud policy evaluation
  • Implement access control on a website
Lesson 2: Checking Risk Continuously
Review the Advanced Identity Cloud tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • (Optional) Prevent users from bypassing the default journey
Chapter 3: Administering Managed Objects

Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration.

Lesson 1: Modeling an Identity Profile
Learn about the different object types in Advanced Identity Cloud, and how you can model a custom user profile onto an existing managed user object type in Advanced Identity Cloud:
  • Review the Advanced Identity Cloud documentation
  • Describe the different object types in Advanced Identity Cloud
  • Map an identity object to a managed object
  • Describe how to use placeholder attributes
  • Model a managed user object in Advanced Identity Cloud
Lesson 2: Introducing Relationships
Describe relationships between managed objects:
  • Describe the purpose of relationships
  • Describe how relationships are stored in the schema
  • Query an object relationship using the REST interface
Lesson 3: Managing Organizations
Set up managed organizations to delegate user administration based on the owner of hierarchical trees:
  • Describe the roles and privileges within an organization
  • Implement the organization example
Chapter 4: Administering Connectors, Synchronization, and Provisioning

Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning.

Lesson 1: Connecting to External Resources Using Connectors
Describe the connectors supported in Advanced Identity Cloud, and how to create connector configurations to communicate with external resources:
  • Describe how to connect external resources to Advanced Identity Cloud
  • Configure communication between Advanced Identity Cloud and a remote connector server (RCS)
  • Describe how to connect to external resources using ICF connectors
Lesson 2: Configuring Connectors Over the Identity Management Admin UI
  • Describe the process for creating a connector configuration using the Identity Management admin UI
  • Describe the object types and property mappings
  • Add a connector configuration for an external LDAP resource
Lesson 3: Performing Basic Synchronization
Describe how to use the Identity Management admin UI to create synchronization mappings (sync mappings) to reconcile identities between Advanced Identity Cloud and an external resource:
  • Describe how to create mappings to synchronize identity objects and properties
  • Describe how to create a sync mapping from Advanced Identity Cloud to an external resource
  • Describe how to add source and target properties to the sync mapping
  • Describe how to add a correlation query and a situational event script
  • Describe how to set the situational behaviors and run reconciliation
  • Add a sync mapping from Advanced Identity Cloud to an LDAP server
  • Describe the sync mapping from an LDAP server to Advanced Identity Cloud
  • Add a sync mapping from an LDAP server to Advanced Identity Cloud
Lesson 4: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:
  • Describe the different methods that you can use to filter entries
  • Run selective synchronization using filters
  • Describe how to use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Describe how to schedule LiveSync
  • Schedule LiveSync with an external resource
Lesson 5: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:
  • Describe how to provision attributes to a target system based on static role assignments
  • Describe the steps to enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Describe how to provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Describe how to add temporal constraints to a role
  • Add temporal constraints to a role
Chapter 5: Access Advanced Identity Cloud Over REST

Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically.

Lesson 1: Authenticating Over REST
Use Postman to access the Advanced Identity Cloud REST API and authenticate using either a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
  • Understand the REST authentication protocol
  • Authenticate with REST
  • Authenticate using header-based simple authentication
  • Authenticate using callback-based complex authentication

Lesson 2: Querying Advanced Identity Cloud Objects Over REST

Create security policies to control which users can access specific areas of the website:
  • Describe how to query objects using the REST interface
  • Describe how to use the Advanced Identity Cloud Postman collection
  • Query Advanced Identity Cloud Identity objects using Postman
May 6
3 days
More information
ping logo
PA-400 BVP Rev A

PingAccess Administration

This course provides the information you need to set up and configure PingAccess as a policy server to protect both web applications and APIs. After completing this course, you will know how to configure PingAccess in both a gateway and agent model, and configure different types of policies that PingAccess offers.

Upon completion of this course, you should be able to:

  • Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate)
  • Configure PingAccess as a Reverse Proxy
  • Configure policies in PingAccess to further bolster administration capabilities

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Introduction to PingAccess
  • Getting Started With PingAccess
  • Introduction to PingFederate
  • Getting Started With PingFederate

Chapter 1: Configuring and Connecting PingAccess

Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate).

Lesson 1: Configuring PingAccess as a Reverse Proxy (Gateway Model)

Describe how to configure PingAccess as a reverse proxy (gateway model):

  • Introduce the gateway model
  • Enable PingAccess as a reverse proxy
  • Configure PingAccess resources and rewrite rules

Lesson 2: Connecting PingAccess to a Token Provider (PingFederate)

Describe the responsibilities of token providers and how to configure PingAccess to use PingFederate as a token provider:

  • Introduce token providers
  • Configure OAuth2 in PingFederate
  • Configure PingAccess using the gateway model

Chapter 2: Configuring PingAccess Applications, Agents, and Sites

Configure PingAccess as a Reverse Proxy.

Lesson 1: Protecting Web Apps

Describe how to protect web apps by configuring them with PingAccess and OpenID Connect (OIDC):

  • Define the OIDC protocol
  • Introduce web sessions
  • Create a web session using OIDC claims

Lesson 2: Working With Sites

Create identity mappings and advanced web sessions:

  • Create identity mappings and advanced web sessions

Lesson 3: Working With Rules and Policies

Describe how to work with rules and policies within PingAccess:

  • Describe the rules and policies process
  • Create web access rules
  • Create API access control rules

Chapter 3: Configuring Policies and Administration

Configure policies in PingAccess to further bolster administration capabilities.

Lesson 1: Maintaining PingAccess

Discuss how to maintain PingAccess through resources, audit logs, and redirection:

  • Dive deeper into resources
  • Examine audit logs
  • Manage redirection

Lesson 2: Configuring PingAccess as a Policy Server (Agent Model)

Configure PingAccess to be a policy server by implementing the agent model:

  • Introduce the agent model

Lesson 3: Optimizing and Configuring PingAccess

Optimize PingAccess through configuration, single sign-on (SSO), and the admin API:

  • Implement improvements
  • Enable PingAccess administrator SSO
  • Use the PingAccess administrative API
  • Increase the JVM Heap Size

Lesson 4: Creating PingAccess Clusters

Create PingAccess clusters to increase resilience and simplify procedures:

  • Deploy clusters
  • Configure simple clusters in PingAccess (Optional)
May 6
2 days
P1DV-300-BVP Rev B

Getting Started With PingOne DaVinci

This course provides the foundation to design, build, and integrate identity orchestration flows using PingOne DaVinci (DaVinci). You will create user interactions, extend flows with APIs, and integrate these solutions into applications. You will also leverage core PingOne services like SSO, identity management, and analytics. Through hands-on labs and instruction, you will gain the skills to deploy real-world orchestration solutions with confidence.

Upon completion of this course, you should be able to:

  • Build basic user interactions with DaVinci flows
  • Integrate a DaVinci flow into an application
  • Integrate PingOne single sign-on (SSO) and identities in DaVinci flows
  • Build an authentication flow in DaVinci
  • Provide custom analytics in a DaVinci flow

The following are the prerequisites for successfully completing this course:

  • Basic understanding of JavaScript, HTML, CSS, and the PingOne Platform
  • Completion of the Introduction to PingOne DaVinci course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Chapter 1: Building Basic User Interactions With DaVinci Flows


Build basic user interactions with DaVinci flows.


Lesson 1: Defining the Basic Flow and Interaction Steps

Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Introduce the PingOne Platform and DaVinci
  • Access and launch the DaVinci admin console
  • Understand Flows
  • Build basic user interaction in a flow


Lesson 2: Using Functions and API Calls
Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Extend DaVinci flows
  • Verify the age of the user
  • Make an API call
  • Collect the user’s email and password
  • Implement a robot check
  • Document the flow


Lesson 3: Improving the User Experience
Use more advanced concepts in DaVinci to implement your flows:

  • Improve the UI
  • Convert user interactions to use HTML templates


Lesson 4: Using Variables and Form Validation

Expand further the functionality of your existing flow by using flow variables and improving interaction with the user:

  • Incorporate variables
  • Understand localizing flows
  • Use flow variables and form validation
  • Incorporate form validation
  • Improve form validation inputs
  • Troubleshoot issues


Lesson 5: Using Subflows to Manage Complexity
Externalize functionality that is often reused or complex to its own flow; for example, if the flow needed to connect to an API that isn’t available as a native connector, CRUD operations could be built in a new flow that could be leveraged by many:

  • Create and use subflows
  • Implement the subflow
  • Replace the API call with the subflow


Chapter 2: Integrating a DaVinci Flow Into an Application


Integrate a DaVinci flow into an application.


Lesson 1: Integrating an Application to Launch a Flow

Integrate the flow into a web application which allows the application to provide the CSS (look and feel). Other flows can also be integrated to enable a richer user experience:

  • Add a flow to a web application
  • Create and customize the application


Lesson 2: Using a CSS in Flows vs Applications
Review how CSS is leveraged in a flow vs an application, and determine the advantages of leaving the presentation layer controlled by your application rather than using a CSS in your flow:

  • Leverage a CSS
  • Determine how a custom CSS in a flow is embedded with a web application


Lesson 3: Adding a Flow to an Existing Application

Take the flow and integrate it into a web application:

  • Embed flows using the widget method
  • Import the DaVinci JavaScript library
  • Create a JavaScript method to call the flow


Lesson 4: Integrating Non-UI Flows

Explore how DaVinci can accelerate development when integrating with backend services and APIs, enriching the overall user experience:

  • Integrate a non-UI flow
  • Build out your flow
  • Integrate the flow


Lesson 5: Passing Data Into a Flow From an Application

Run through the process of passing data into a flow, whether it has user interaction or not:

  • Enable dynamic flows
  • Create and integrate a DaVinci subflow


Lesson 6: Performing A/B Testing

Define a flow that deals with age first, instead of name, during registration:

  • Understand A/B testing
  • Define a new flow
  • Incorporate flow policies
  • Build out a flow policy


Chapter 3: Integrating PingOne SSO and Identities in DaVinci Flows


Integrate PingOne SSO and identities in DaVinci flows.


Lesson 1: Setting Up Parallel Processing

Set up a flow that has two paths that execute in parallel and then come to their own conclusion:

  • Implement parallel processing
  • Leverage the PingOne Notification service


Lesson 2: Automating Flows With DaVinci Admin APIs

Learn how to manage DaVinci programmatically using the DaVinci Admin APIs:

  • Understand DaVinci Admin APIs
  • Explain administrator roles


Lesson 3: Creating Registered Accounts

Take the information collected during the registration process and create a user account in PingOne, which is the first step to expanding the capabilities of the application to support authentication:

  • Create registered accounts
  • Review your PingOne setup
  • Build out a new registration flow
  • Verify if an account already exists


Lesson 4: Verifying an Email Address

Establish a process to verify the email address of the user:

  • Configure email verification
  • Create an email verification subflow
  • Complete the subflow


Chapter 4: Building an Authentication Flow in DaVinci


Build an authentication flow in DaVinci.


Lesson 1: Handling Authentication

Handle authentication for the application:

  • Design and implement the authentication flow
  • Design the flow logic
  • Implement teleports for flow efficiency
  • Authenticate and validate user identity


Lesson 2: Handling Forgotten Passwords

Handle forgotten passwords in the authentication flow:

  • Manage password recovery flows
  • Develop the end-to-end forgot password flow


Lesson 3: Adding an Authentication Method

Add another method of authentication, an email magic link, for the users of the application:

  • Implement magic link authentication
  • Add a magic link authentication method


Chapter 5: Providing Custom Analytics in a DaVinci Flow


Provide custom analytics in a DaVinci flow.


Lesson 1: Leveraging Analytics to Monitor Flow Usage

Implement custom analytics to track key business milestones and user behavior across DaVinci flows:

  • Understand and apply flow analytics
  • Configure authentication analysis

May 6
3 days
PF-300-BVP Rev A

PingFederate Administration

This course implements various use cases with PingFederate and introduces industry concepts such as federation, SAML, and OAuth. The course also includes PingFederate-specific topics such as integration kits, adapters, SSO connections, and OAuth configuration. Hands-on exercises allow the participants to have first-hand experience in configuring PingFederate, establishing a web SSO connection and OAuth clients, and doing some basic troubleshooting.


The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingFederate course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Day 1: Background of Federation Web SSO and Core Product

  • Introduction to identity federation
  • Introduction to integration kits
  • Configuring SP and IdP adapters and password credential validators
    • Lab 1: HTML Form Adapter and Reference ID adapter configuration
  • Introduction to SAML
  • Configuring IdP and SP SSO connection
    • Lab 2: Creating connections for IdP and SP web SSO
  • Server logs
    • Lab 3: Review the server logs to follow an SSO transaction

Day 2: Further Integration and PingFederate Functionality

  • Attribute mapping and data source
    • Lab 4: Mapping attributes from external sources
    • Lab 5: Using an external source for authentication
  • Introduction to authentication policies
    • Lab 6: Creating authentication selectors, policy contracts, and authentication policies
    • Lab 7: Tracing SSO transactions in the PingFederate logs

Day 3: OAuth2 and Advanced Administration

  • Introduction to OAuth2
  • OAuth2 scopes and access tokens
    • Lab 8: Configuring OAuth2 grants (including token validation, authorization code)
    • Lab 9: Create an OAuth client for the client credentials grant type
    • Lab 10: Create an OAuth client for a resource server
    • Lab 11: Create an OAuth client for authorization grant type
  • Introduction to OIDC
  • PingFederate administrative API
    • Lab 12: Using the admin API
  • Server Administration 
  • Deployment scenarios and clustering
    • Lab 13 (optional): Configuring a cluster
May 6
3 days
AIC-330-BVP Rev A

Getting Started With PingOne Advanced Identity Cloud for Administrators

This course shows students how to administer PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud. This is achieved through the various online resources available to them and a fully functional hands-on development environment, where they learn how to administer Advanced Identity Cloud in a training environment. Students are provided with a live Advanced Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, user journeys, and tenant configuration in their own Advanced Identity Cloud.

Upon completion of this course, you should be able to:

  • Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options
  • Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords
  • Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator
  • Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how Identity Gateway can protect web applications when it is integrated with Advanced Identity Cloud
  • Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants

The following are the prerequisites for successfully completing this course:

  • Completion of the Product Essentials courses available at: https://backstage.forgerock.com/university/cloud-learning
  • Introduction to PingAM
  • PingIDM Essentials
  • PingGateway Essentials
  • Introduction to PingDS
Chapter 1: Accessing Advanced Identity Cloud

Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options.

Lesson 1: Managing Administrators
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
  • Introduce the Advanced Identity Cloud admin UI
  • Manage administrators
  • Invite an administrator
Lesson 2: Introducing UI Integration
Understand UI integration options:
  • Explain UI integration options
  • Configure themes for the Alpha and Bravo realms

Chapter 2: Administering Identities

Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords.

Lesson 1: Managing Identities
Manage user identities:
  • Introduce managed objects
  • Manage a user profile
Lesson 2: Adding Identities With Bulk Import
Bulk import user identities from a CSV file to add test users to your tenant:
  • Describe bulk import
  • Import test users
Lesson 3: Managing Organizations
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
  • Describe roles and privileges within an organization
  • Implement delegated administration for an organization model
Lesson 4: Delegating User Management
Explain how to delegate administration privileges to managed users:
  • Delegate administration privileges
  • Delegate password reset
Chapter 3: Managing User Journeys

Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator.

Lesson 1: Managing Journeys
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
  • Introduce journeys
  • Modify journeys
  • Describe how to export and import journeys
  • Export and import journeys
  • Describe how to debug a journey
  • Enable debug mode on a user journey
Lesson 2: Managing Server-Side Sessions
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
  • Describe server-side sessions
  • Invalidate server-side sessions
Lesson 3: Configuring Email Templates
Understand the use of email templates in a journey flow:
  • Explore email templates and nodes
  • Configure email templates
  • Use email templates in user journeys
Chapter 4: Integrating With Advanced Identity Cloud

Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how PingGateway can protect web applications when it is integrated with Advanced Identity Cloud.

Lesson 1: Defining Applications
Describe the role of an application in Advanced Identity Cloud:
  • Introduce applications
  • Register a Bookmark app
Lesson 2: Synchronizing Identities
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
  • Explain how to connect to external resources
  • Configure an RCS cluster
  • Configure debug logging
  • Add an authoritative application
  • Explain synchronization
  • Create inbound mappings and run reconciliation
  • Synchronize passwords
  • Create a target Application with outbound mappings
Lesson 3: Protecting Web Resources
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
  • Introduce PingGateway
  • Integrate PingGateway with Advanced Identity Cloud
  • Integrate the PingGateway sample application with Advanced Identity Cloud
Chapter 5: Administering Your Tenant

Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants.

Lesson 1: Managing the Configuration
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
  • Introduce Service Accounts
  • Create and manage a service account
  • Introduce the Advanced Identity Cloud REST API
  • Display Advanced Identity Cloud identities using the REST API
  • Introduce configuration management
  • Create a baseline configuration repository
  • Describe how to manage ESVs
  • Create and call ESV variables
  • Promote your configuration
Lesson 2: Monitoring Tenant Activities
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
  • Explore Logs
  • Retrieve log data using the REST API
  • Retrieve log data using the Frodo CLI
  • Monitor your tenant
  • Monitor tenant health and visualize monitoring metrics
  • Explore the Advanced Identity Cloud analytics dashboard
Lesson 3: Managing Password Policies
Explain how an Advanced Identity Cloud administrator manages realm password policies:
  • Manage realm password policies
  • Configure password policies
Lesson 4: Additional Administration Tasks
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
  • Introduce outbound static IP addresses
  • View outbound static IP addresses
  • Manage tenant certificates
  • Add a custom domain name
May 10
3 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2-based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and Using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
May 11
5 days
SDK-541-BVP Rev B

Developing Applications Using SDKs

This course is for students who want to learn how to use the SDKs to speed up the integration of JavaScript, Android, and iOS applications within an access management solution. The course presents key use cases and features of the SDKs.

Note: Revision B of this course is based on version 7 of the Ping Identity Platform (Identity Platform), formerly known as ForgeRock® Identity Platform, and SDK 3.


Upon completion of this course, you should be able to:

  • Introduce the SDKs, describe how they fit into the Identity Platform, and how they interact with PingAM, formerly known as ForgeRock® Access Management
  • Present the centralized login flow, implement centralized login authentication, and observe device single sign-on (SSO)
  • Present the Embedded Login flow and execute authentication, registration, and self-service journeys
  • Increase the security of your application and enhance the user experience with social authentication, passwordless biometric authentication, device profile and location collection and analysis, and multi-factor authentication (MFA) with one-time passwords (OTPs) and push authentication

The following are the prerequisites for successfully completing this course:

  • Basic knowledge and skills using the Linux and Windows operating systems to complete labs
  • Basic knowledge of HTTP and communications between clients and servers is critical to understanding the interaction between the SDKs and AM
  • Basic knowledge of JSON, JavaScript, REST, and Java
  • Good knowledge of either JavaScript, Android, or iOS application development
  • Attendance on the PingAM Deep Dive (AM-410) course or equivalent knowledge
Chapter 1: Introducing the SDKs

Introduce the SDKs, describe how they fit into the Identity Platform, and how they interact with AM.

Lesson 1: The SDKs and Common Use Cases
Introduce the SDKs and common use cases:
  • Describe the SDKs
  • Explore the role of the SDKs through common use cases
  • Technical overview of the SDKs
  • Using SDK components
  • Interaction between the SDKs and AM
Lesson 2: Mobile Development Environment and Project Quickstart for Android and iOS
Learn how to set up a development environment:
  • Preparing the server
  • iOS Environment and Project Setup
  • Android Environment and Project Setup
  • JavaScript Environment and Project Setup
  • Preface to the exercises
  • Set up an iOS development environment
  • Set up an Android development environment
  • Set up a JavaScript development environment
Chapter 2: Authentication with Centralized Login

Present the centralized login flow, implement centralized login authentication, and observe device SSO.

Lesson 1: Authenticate With Centralized Login
Learn how to use the SDKs with centralized login:
  • Understand the login flow choices
  • Implement centralized login on mobile
  • Implement centralized login in JavaScript
  • Authenticate with centralized login on iOS
  • Authenticate with centralized login on Android
  • Authenticate with centralized login in JavaScript
Lesson 2: (Optional) Observe SSO Between Mobile Apps
Learn how to implement SSO between mobile apps with centralized login:
  • SSO between mobile apps with centralized login
Chapter 3: Working with Embedded Login

Present the Embedded Login flow and execute authentication, registration, and self-service journeys.

Lesson 1: Authenticate with Embedded Login
Learn how to use the SDKs with Embedded Login to authenticate:
  • Understand the APIs for Embedded Login
  • Authenticate with embedded login on iOS
  • Authenticate with embedded login on Android
  • Authenticate with embedded login in JavaScript
Lesson 2: Follow Authentication Journeys
Learn how to follow authentication journeys:
  • Respond to Callbacks
  • Respond to Stages
  • Respond to stages on iOS
  • Respond to stages on Android
  • Respond to stages in JavaScript
  • (Optional) Transactional authorization
Lesson 3: Registration and Self-Service Journeys
Learn how to follow registration and self-service journeys:
  • Respond to registration or self-service journeys
  • Implement self-service registration on iOS
  • Implement self-service registration on Android
  • Implement self-service registration in JavaScript
  • Call other journeys / Intercept REST calls
  • Implement self-service password change on iOS
  • Implement self-service password change on Android
  • Implement self-service password change in JavaScript

Lesson 4: Send and Process Verification Emails
Learn how to suspend journey processing and resume it after the user has followed the resume link sent by email:

  • Suspend the journey and await the user following the resume link
  • Suspend and resume authentication on iOS
  • Suspend and resume authentication on Android
  • Suspend and resume authentication in JavaScript

Chapter 4: Increasing Security and Enhancing User Experience

Increase the security of your application and enhance the user experience with social authentication, passwordless biometric authentication, device profile and location collection and analysis, and MFA with OTPs and push authentication.

Lesson 1: Authenticate with Social Login
Learn how to implement social authentication:
  • Implement social login
  • Login with Google on iOS
  • Login with Google on Android
  • Login with Google in JavaScript
Lesson 2: Authenticate with WebAuthn and Biometrics
Learn how to implement biometric authentication on mobile:
  • Review WebAuthn concepts
  • Implement biometric authentication on mobile
  • Implement WebAuthn on iOS
  • Implement WebAuthn on Android
  • Implement web biometric authentication
  • Implement WebAuthn in JavaScript
Lesson 3: Collect and Validate Device Profiles and Geolocation
Learn how to collect device profile data and geolocation for validation:
  • Configure a user journey to verify and save device profile data
  • Device profile processing in the SDKs
  • Collect device profile data on iOS
  • Implement device profile collection on iOS
  • Collect device profile data on Android
  • Implement device profile collection on Android
  • Collect device profile data in JavaScript
  • Implement device profile collection in JavaScript
  • Analyze device context
  • Implement location-based security
  • Collect location information on iOS, Android or in JavaScript
  • Implement device tampering detection
  • Customize what data is collected
  • Check for device tampering and customize device profile collection on iOS
  • Check for device tampering and customize device profile collection on Android
  • Customize device profile collection in JavaScript
Lesson 4: MFA with Push and OATH on Mobile
Learn how to provide MFA with Push Authentication and Soft Token:
  • Integrate the ForgeRock Authenticator Module in a mobile app
  • Examine using the Authenticator Module on iOS
  • Examine using the Authenticator Module on Android
May 13
3 days
P1-400-BVP Rev A.1

PingOne Administration

This course gives learners the tools to get started with PingOne administration. It covers initial setup tasks, including creating and managing PingOne environments, application integration, and customization. This course also provides information on most common administration tasks, including user and group management, managing access policies, best practices, and troubleshooting of common issues.

Upon completion of this course, you should be able to:

  • Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment
  • Demonstrate administration of PingOne user populations, user roles, attributes, and groups
  • Demonstrate integration and troubleshooting of PingOne applications
  • Demonstrate how to use access control policies within PingOne
  • Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne
  • Demonstrate troubleshooting techniques and best practices within PingOne

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses available at: https://backstage.forgerock.com/university/ping/on-demand/category/PING
    • PingOne Fundamentals
    • Introduction to PingOne MFA
    • Getting Started With PingOne MFA
    • Getting Started With PingOne SSO
    • (Optional) Introduction to PingOne DaVinci
Chapter 1: Introducing PingOne

Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment.

Lesson 1: Providing an Overview of PingOne
Summarize PingOne capabilities and key features:
  • Describe PingOne as a cloud-based IDaaS solution
  • Describe PingOne environment solutions
  • Create a new environment
Lesson 2: Introducing Ping Identity Support Resources
Describe PingOne support resources:
  • Locate Ping Identity support resources
Chapter 2: Managing Users

Demonstrate administration of PingOne user populations, user roles, attributes, and groups.


Lesson 1: Managing Users and Populations

Describe how to manage users in PingOne, including how to create populations and add individual users:

  • Review default users
  • Edit default users
  • Create populations
  • Create a new population
  • Create new users
  • Create a new user
Lesson 2: Managing User Roles, Attributes, and Groups
Create a new population and new users:
  • Manage administrator roles
  • Assign roles to administrators
  • Understand user attributes
  • Manage user attributes
  • Manage user groups
  • Manage user group memberships
Chapter 3: Defining Application Integration

Demonstrate integration and troubleshooting of PingOne applications.

Lesson 1: Describing the Supported Federation Protocols
Understand the various identity federation protocols used within PingOne:
  • Understand federation protocols
  • Add an application from the catalog
  • Understand SAML2
  • Add a custom SAML2 application
  • Understand OAuth2
  • Understand OIDC
  • Add a custom OIDC application
  • Administer the Application Portal
Lesson 2: Troubleshooting Common PingOne Issues
Describe common issues that occur in PingOne, troubleshooting steps, and best practices:
  • Describe authentication failures
  • Define SSO failures
  • Describe attribute mapping errors
  • Determine certificate issues
  • Define group membership issues
  • Describe application integration issues
  • Define gateway access issues
  • Describe best practices
Chapter 4: Configuring Access Control

Demonstrate how to use access control policies within PingOne.

Lesson 1: Managing Authentication Policies
Describe how to create and manage authentication policies in PingOne:
  • Describe authentication policies
  • Create an authentication policy
Lesson 2: Managing Password Policies
Describe how to manage password policies in PingOne:
  • Define password policies
  • Edit a password policy
Lesson 3: Using Additional Authentication Methods
Describe how to create and manage authentication methods used in PingOne policies:
  • Describe MFA and FIDO policies
  • Create an MFA policy
  • Create a FIDO policy
Chapter 5: Managing the Identity Lifecycle

Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne.

Lesson 1: Managing User Onboarding
Discuss the initial stages of the identity lifecycle within PingOne, and describe how new user accounts are created and made ready for access:
  • Onboard users
  • Create users manually
Lesson 2: Understanding User Provisioning
Explain how PingOne automates the management of user access to applications, building upon the user identities created during onboarding:
  • Provision users
Lesson 3: Understanding User Maintenance
Describe how to manage the user maintenance capabilities in PingOne:
  • Administer user accounts
  • Manage a user account
Lesson 4: Managing User Offboarding
Understand the critical process of user offboarding within PingOne:
  • Offboard users
Lesson 5: Monitoring and Reporting
Explain the importance of monitoring and reporting within PingOne:
  • Monitor activity and view reports

Chapter 6: Troubleshooting and Best Practices

Demonstrate troubleshooting techniques and best practices within PingOne.

Lesson 1: Managing the Troubleshooting Process
Summarize the troubleshooting process and common techniques within PingOne:
  • Introduce the troubleshooting process
  • Understand common troubleshooting techniques
Lesson 2: Reviewing Best Practices
Summarize PingOne administration best practices:
  • Maintain a healthy PingOne environment
May 14
2 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
May 18
5 days
P1DV-300-BVP Rev B

Getting Started With PingOne DaVinci

This course provides the foundation to design, build, and integrate identity orchestration flows using PingOne DaVinci (DaVinci). You will create user interactions, extend flows with APIs, and integrate these solutions into applications. You will also leverage core PingOne services like SSO, identity management, and analytics. Through hands-on labs and instruction, you will gain the skills to deploy real-world orchestration solutions with confidence.

Upon completion of this course, you should be able to:

  • Build basic user interactions with DaVinci flows
  • Integrate a DaVinci flow into an application
  • Integrate PingOne single sign-on (SSO) and identities in DaVinci flows
  • Build an authentication flow in DaVinci
  • Provide custom analytics in a DaVinci flow

The following are the prerequisites for successfully completing this course:

  • Basic understanding of JavaScript, HTML, CSS, and the PingOne Platform
  • Completion of the Introduction to PingOne DaVinci course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Chapter 1: Building Basic User Interactions With DaVinci Flows


Build basic user interactions with DaVinci flows.


Lesson 1: Defining the Basic Flow and Interaction Steps

Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Introduce the PingOne Platform and DaVinci
  • Access and launch the DaVinci admin console
  • Understand Flows
  • Build basic user interaction in a flow


Lesson 2: Using Functions and API Calls
Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Extend DaVinci flows
  • Verify the age of the user
  • Make an API call
  • Collect the user’s email and password
  • Implement a robot check
  • Document the flow


Lesson 3: Improving the User Experience
Use more advanced concepts in DaVinci to implement your flows:

  • Improve the UI
  • Convert user interactions to use HTML templates


Lesson 4: Using Variables and Form Validation

Further expand the functionality of your existing flow by using flow variables and improving interaction with the user:

  • Incorporate variables
  • Understand localizing flows
  • Use flow variables and form validation
  • Incorporate form validation
  • Improve form validation inputs
  • Troubleshoot issues


Lesson 5: Using Subflows to Manage Complexity
Externalize functionality that is often reused or complex to its own flow; for example, if the flow needed to connect to an API that isn’t available as a native connector, CRUD operations could be built in a new flow that could be leveraged by many:

  • Create and use subflows
  • Implement the subflow
  • Replace the API call with the subflow


Chapter 2: Integrating a DaVinci Flow Into an Application


Integrate a DaVinci flow into an application.


Lesson 1: Integrating an Application to Launch a Flow

Integrate the flow into a web application, which allows the application to provide the CSS (look and feel). Other flows can also be integrated to enable a richer user experience:

  • Add a flow to a web application
  • Create and customize the application


Lesson 2: Using a CSS in Flows vs Applications
Review how CSS is leveraged in a flow vs an application, and determine the advantages of leaving the presentation layer controlled by your application rather than using a CSS in your flow:

  • Leverage a CSS
  • Determine how a custom CSS in a flow is embedded with a web application


Lesson 3: Adding a Flow to an Existing Application

Take the flow and integrate it into a web application:

  • Embed flows using the widget method
  • Import the DaVinci JavaScript library
  • Create a JavaScript method to call the flow


Lesson 4: Integrating Non-UI Flows

Explore how DaVinci can accelerate development when integrating with backend services and APIs, enriching the overall user experience:

  • Integrate a non-UI flow
  • Build out your flow
  • Integrate the flow


Lesson 5: Passing Data Into a Flow From an Application

Run through the process of passing data into a flow, whether it has user interaction or not:

  • Enable dynamic flows
  • Create and integrate a DaVinci subflow


Lesson 6: Performing A/B Testing

Define a flow that deals with age first, instead of name, during registration:

  • Understand A/B testing
  • Define a new flow
  • Incorporate flow policies
  • Build out a flow policy


Chapter 3: Integrating PingOne SSO and Identities in DaVinci Flows


Integrate PingOne SSO and identities in DaVinci flows.


Lesson 1: Setting Up Parallel Processing

Set up a flow that has two paths that execute in parallel and then come to their own conclusion:

  • Implement parallel processing
  • Leverage the PingOne Notification service


Lesson 2: Automating Flows With DaVinci Admin APIs

Learn how to manage DaVinci programmatically using the DaVinci Admin APIs:

  • Understand DaVinci Admin APIs
  • Explain administrator roles


Lesson 3: Creating Registered Accounts

Take the information collected during the registration process and create a user account in PingOne, which is the first step to expanding the capabilities of the application to support authentication:

  • Create registered accounts
  • Review your PingOne setup
  • Build out a new registration flow
  • Verify if an account already exists


Lesson 4: Verifying an Email Address

Establish a process to verify the email address of the user:

  • Configure email verification
  • Create an email verification subflow
  • Complete the subflow


Chapter 4: Building an Authentication Flow in DaVinci


Build an authentication flow in DaVinci.


Lesson 1: Handling Authentication

Handle authentication for the application:

  • Design and implement the authentication flow
  • Design the flow logic
  • Implement teleports for flow efficiency
  • Authenticate and validate user identity


Lesson 2: Handling Forgotten Passwords

Handle forgotten passwords in the authentication flow:

  • Manage password recovery flows
  • Develop the end-to-end forgot password flow


Lesson 3: Adding an Authentication Method

Add another method of authentication, an email magic link, for the users of the application:

  • Implement magic link authentication
  • Add a magic link authentication method


Chapter 5: Providing Custom Analytics in a DaVinci Flow


Provide custom analytics in a DaVinci flow.


Lesson 1: Leveraging Analytics to Monitor Flow Usage

Implement custom analytics to track key business milestones and user behavior across DaVinci flows:

  • Understand and apply flow analytics
  • Configure authentication analysis

May 18
3 days
P1DV-300-BVP Rev B

Getting Started With PingOne DaVinci

This course provides the foundation to design, build, and integrate identity orchestration flows using PingOne DaVinci (DaVinci). You will create user interactions, extend flows with APIs, and integrate these solutions into applications. You will also leverage core PingOne services like SSO, identity management, and analytics. Through hands-on labs and instruction, you will gain the skills to deploy real-world orchestration solutions with confidence.

Upon completion of this course, you should be able to:

  • Build basic user interactions with DaVinci flows
  • Integrate a DaVinci flow into an application
  • Integrate PingOne single sign-on (SSO) and identities in DaVinci flows
  • Build an authentication flow in DaVinci
  • Provide custom analytics in a DaVinci flow

The following are the prerequisites for successfully completing this course:

  • Basic understanding of JavaScript, HTML, CSS, and the PingOne Platform
  • Completion of the Introduction to PingOne DaVinci course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Chapter 1: Building Basic User Interactions With DaVinci Flows


Build basic user interactions with DaVinci flows.


Lesson 1: Defining the Basic Flow and Interaction Steps

Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Introduce the PingOne Platform and DaVinci
  • Access and launch the DaVinci admin console
  • Understand Flows
  • Build basic user interaction in a flow


Lesson 2: Using Functions and API Calls
Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Extend DaVinci flows
  • Verify the age of the user
  • Make an API call
  • Collect the user’s email and password
  • Implement a robot check
  • Document the flow


Lesson 3: Improving the User Experience
Use more advanced concepts in DaVinci to implement your flows:

  • Improve the UI
  • Convert user interactions to use HTML templates


Lesson 4: Using Variables and Form Validation

Further expand the functionality of your existing flow by using flow variables and improving interaction with the user:

  • Incorporate variables
  • Understand localizing flows
  • Use flow variables and form validation
  • Incorporate form validation
  • Improve form validation inputs
  • Troubleshoot issues


Lesson 5: Using Subflows to Manage Complexity
Externalize functionality that is often reused or complex to its own flow; for example, if the flow needed to connect to an API that isn’t available as a native connector, CRUD operations could be built in a new flow that could be leveraged by many:

  • Create and use subflows
  • Implement the subflow
  • Replace the API call with the subflow


Chapter 2: Integrating a DaVinci Flow Into an Application


Integrate a DaVinci flow into an application.


Lesson 1: Integrating an Application to Launch a Flow

Integrate the flow into a web application, which allows the application to provide the CSS (look and feel). Other flows can also be integrated to enable a richer user experience:

  • Add a flow to a web application
  • Create and customize the application


Lesson 2: Using a CSS in Flows vs Applications
Review how CSS is leveraged in a flow vs an application, and determine the advantages of leaving the presentation layer controlled by your application rather than using a CSS in your flow:

  • Leverage a CSS
  • Determine how a custom CSS in a flow is embedded with a web application


Lesson 3: Adding a Flow to an Existing Application

Take the flow and integrate it into a web application:

  • Embed flows using the widget method
  • Import the DaVinci JavaScript library
  • Create a JavaScript method to call the flow


Lesson 4: Integrating Non-UI Flows

Explore how DaVinci can accelerate development when integrating with backend services and APIs, enriching the overall user experience:

  • Integrate a non-UI flow
  • Build out your flow
  • Integrate the flow


Lesson 5: Passing Data Into a Flow From an Application

Run through the process of passing data into a flow, whether it has user interaction or not:

  • Enable dynamic flows
  • Create and integrate a DaVinci subflow


Lesson 6: Performing A/B Testing

Define a flow that deals with age first, instead of name, during registration:

  • Understand A/B testing
  • Define a new flow
  • Incorporate flow policies
  • Build out a flow policy


Chapter 3: Integrating PingOne SSO and Identities in DaVinci Flows


Integrate PingOne SSO and identities in DaVinci flows.


Lesson 1: Setting Up Parallel Processing

Set up a flow that has two paths that execute in parallel and then come to their own conclusion:

  • Implement parallel processing
  • Leverage the PingOne Notification service


Lesson 2: Automating Flows With DaVinci Admin APIs

Learn how to manage DaVinci programmatically using the DaVinci Admin APIs:

  • Understand DaVinci Admin APIs
  • Explain administrator roles


Lesson 3: Creating Registered Accounts

Take the information collected during the registration process and create a user account in PingOne, which is the first step to expanding the capabilities of the application to support authentication:

  • Create registered accounts
  • Review your PingOne setup
  • Build out a new registration flow
  • Verify if an account already exists


Lesson 4: Verifying an Email Address

Establish a process to verify the email address of the user:

  • Configure email verification
  • Create an email verification subflow
  • Complete the subflow


Chapter 4: Building an Authentication Flow in DaVinci


Build an authentication flow in DaVinci.


Lesson 1: Handling Authentication

Handle authentication for the application:

  • Design and implement the authentication flow
  • Design the flow logic
  • Implement teleports for flow efficiency
  • Authenticate and validate user identity


Lesson 2: Handling Forgotten Passwords

Handle forgotten passwords in the authentication flow:

  • Manage password recovery flows
  • Develop the end-to-end forgot password flow


Lesson 3: Adding an Authentication Method

Add another method of authentication, an email magic link, for the users of the application:

  • Implement magic link authentication
  • Add a magic link authentication method


Chapter 5: Providing Custom Analytics in a DaVinci Flow


Provide custom analytics in a DaVinci flow.


Lesson 1: Leveraging Analytics to Monitor Flow Usage

Implement custom analytics to track key business milestones and user behavior across DaVinci flows:

  • Understand and apply flow analytics
  • Configure authentication analysis

May 18
3 days
AIC-330-BVP Rev A

Getting Started With PingOne Advanced Identity Cloud for Administrators

This course shows students how to administer PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud. This is achieved through the various online resources available to them and a fully functional hands-on development environment, where they learn how to administer Advanced Identity Cloud in a training environment. Students are provided with a live Advanced Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, user journeys, and tenant configuration in their own Advanced Identity Cloud.

Upon completion of this course, you should be able to:

  • Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options
  • Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords
  • Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator
  • Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how Identity Gateway can protect web applications when it is integrated with Advanced Identity Cloud
  • Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants

The following are the prerequisites for successfully completing this course:

  • Completion of the Product Essentials courses available at: https://backstage.forgerock.com/university/cloud-learning
  • Introduction to PingAM
  • PingIDM Essentials
  • PingGateway Essentials
  • Introduction to PingDS
Chapter 1: Accessing Advanced Identity Cloud

Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options.

Lesson 1: Managing Administrators
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
  • Introduce the Advanced Identity Cloud admin UI
  • Manage administrators
  • Invite an administrator
Lesson 2: Introducing UI Integration
Understand UI integration options:
  • Explain UI integration options
  • Configure themes for the Alpha and Bravo realms

Chapter 2: Administering Identities

Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords.

Lesson 1: Managing Identities
Manage user identities:
  • Introduce managed objects
  • Manage a user profile
Lesson 2: Adding Identities With Bulk Import
Bulk import user identities from a CSV file to add test users to your tenant:
  • Describe bulk import
  • Import test users
Lesson 3: Managing Organizations
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
  • Describe roles and privileges within an organization
  • Implement delegated administration for an organization model
Lesson 4: Delegating User Management
Explain how to delegate administration privileges to managed users:
  • Delegate administration privileges
  • Delegate password reset
Chapter 3: Managing User Journeys

Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator.

Lesson 1: Managing Journeys
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
  • Introduce journeys
  • Modify journeys
  • Describe how to export and import journeys
  • Export and import journeys
  • Describe how to debug a journey
  • Enable debug mode on a user journey
Lesson 2: Managing Server-Side Sessions
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
  • Describe server-side sessions
  • Invalidate server-side sessions
Lesson 3: Configuring Email Templates
Understand the use of email templates in a journey flow:
  • Explore email templates and nodes
  • Configure email templates
  • Use email templates in user journeys
Chapter 4: Integrating With Advanced Identity Cloud

Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how PingGateway can protect web applications when it is integrated with Advanced Identity Cloud.

Lesson 1: Defining Applications
Describe the role of an application in Advanced Identity Cloud:
  • Introduce applications
  • Register a Bookmark app
Lesson 2: Synchronizing Identities
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
  • Explain how to connect to external resources
  • Configure an RCS cluster
  • Configure debug logging
  • Add an authoritative application
  • Explain synchronization
  • Create inbound mappings and run reconciliation
  • Synchronize passwords
  • Create a target Application with outbound mappings
Lesson 3: Protecting Web Resources
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
  • Introduce PingGateway
  • Integrate PingGateway with Advanced Identity Cloud
  • Integrate the PingGateway sample application with Advanced Identity Cloud
Chapter 5: Administering Your Tenant

Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants.

Lesson 1: Managing the Configuration
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
  • Introduce Service Accounts
  • Create and manage a service account
  • Introduce the Advanced Identity Cloud REST API
  • Display Advanced Identity Cloud identities using the REST API
  • Introduce configuration management
  • Create a baseline configuration repository
  • Describe how to manage ESVs
  • Create and call ESV variables
  • Promote your configuration
Lesson 2: Monitoring Tenant Activities
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
  • Explore Logs
  • Retrieve log data using the REST API
  • Retrieve log data using the Frodo CLI
  • Monitor your tenant
  • Monitor tenant health and visualize monitoring metrics
  • Explore the Advanced Identity Cloud analytics dashboard
Lesson 3: Managing Password Policies
Explain how an Advanced Identity Cloud administrator manages realm password policies:
  • Manage realm password policies
  • Configure password policies
Lesson 4: Additional Administration Tasks
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
  • Introduce outbound static IP addresses
  • View outbound static IP addresses
  • Manage tenant certificates
  • Add a custom domain name
May 20
3 days
PD-400-BVP Rev A.1

PingDirectory Administration

This course provides the knowledge you need to install and administer each component of the PingDirectory platform, which includes: PingDirectory server, PingDirectoryProxy server, PingDataSync server, the PingData Software Development Kit (SDK), and Delegated User Administration. This course references real-world scenarios driven by recurring use cases. You learn how to install each PingDirectory platform component, perform basic maintenance, and use the monitoring and troubleshooting tools, while hands-on lab exercises provide first-hand experience installing, configuring, tuning, and using the troubleshooting tools.


This course is built on version 10.

Upon completion of this course, you should be able to:

  • Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks
  • Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment
  • Describe how to install and manage the PingDirectoryProxy server
  • Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server
  • Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.

The following are the prerequisites for successfully completing this course:

  • Knowledge of UNIX/Linux commands.
  • A basic understanding of how directory servers function.
  • A basic understanding of REST and HTTP.
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required.
  • Completion of the Introduction to PingDirectory available at: https://backstage.pingidentity.com/university/

Chapter 1: Installing PingDirectory

Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks.

Lesson 1: Providing an Overview of PingDirectory
Describe the capabilities and key features of PingDirectory:
  • Describe the key features of PingDirectory
Lesson 2: Installing the PingDirectory Server
Summarize the PingDirectory server installation procedures:
  • Perform pre-installation procedures
  • Install PingDirectory
  • Describe post-installation procedures
Lesson 3: Completing Initial Configuration
Complete the PingDirectory server initial configuration settings:
  • Use server profiles
  • (Optional) Install PingDirectory

Chapter 2: Deploying PingDirectory

Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment.

Lesson 1: Managing the Schema
Describe the functions of the schema, and modify the schema by creating new attribute types, object classes, and a new custom user:
  • Describe the schema
  • Modify the schema
  • Modify object classes
  • Create auxiliary object classes
  • Load custom schema elements
Lesson 2: Managing Objects
Define objects in LDAP and use the command-line tools to search, add, modify, and delete entries:
  • Search entries
  • Manage entries
  • Create objects
Lesson 3: Using Security and Encryption
Describe the basic vulnerabilities in LDAP server implementations, secure server data, use the encryption-settings tool to create an encryption settings database, and create sensitive attributes:
  • Prevent data vulnerability
  • Keep data secure
  • Configure encryption settings
Lesson 4: Using Virtual Attributes
Define virtual attributes and their use, recall the virtual attribute types, and create mirrored virtual attributes:
  • Define virtual attributes
  • Administer virtual attributes
Lesson 5: Managing Password Policies
Describe how to use password policies, and then create and assign password policies to individual accounts and/or user groups:
  • Describe password policies
  • Create a password policy
Lesson 6: Administering JSON Attributes
Describe how to manage and create JSON attributes:
  • Manage JSON attributes
  • Create JSON attributes
  • Manage the Password Policy State JSON
  • Administer JSON Attributes
Lesson 7: Managing the REST APIs
Describe the available REST APIs, list the HTTP methods available, and use the Directory REST API to create and update user entries:
  • Understand the REST APIs
  • Use the SCIM 2.0 REST API
  • Administer the Directory REST API
Lesson 8: Managing Logging
List the three types of available log publishers, describe the elements of the log format, and create log publishers:
  • Manage log publishers
  • Configure logging
  • Create a log publisher
Lesson 9: Managing Replication
Define the replication process and architecture, set up a server topology, enable the replication process, and initialize new replicas:
  • Understand replication
  • Enable replication
  • Resolve conflicts
  • Understand the replication protocol
  • Use replication over WAN
  • Plan deployment
  • Configure replication
  • Scale replication
  • Enable the replication process
Lesson 10: Managing Server Topologies
Discuss the topology registry, create server groups to aid in configuration changes, and compare configurations on separate directory servers:
  • Define the topology registry
  • Administer the server topology
Chapter 3: Administering the PingDirectoryProxy Server

Describe how to install and manage the PingDirectoryProxy server.

Lesson 1: Providing an Overview of the PingDirectoryProxy Server
Describe the capabilities and key features of the PingDirectoryProxy server:
  • Describe the key features
Lesson 2: Installing the PingDirectoryProxy Server
Describe how to install the PingDirectoryProxy server:
  • Describe the installation process
  • Install the PingDirectoryProxy server
Lesson 3: Managing the PingDirectoryProxy Server
Describe the key advanced PingDirectoryProxy server transformation features:
  • Describe the proxy transformations
  • Understand entry balancing
  • Create transformations
Chapter 4: Administering the PingDataSync Server

Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server.

Lesson 1: Providing an Overview of PingDataSync
Describe the capabilities and key features of the PingDataSync server:
  • Describe the key features
Lesson 2: Installing the PingDataSync Server
Summarize the PingDataSync server installation procedures:
  • Install the PingDataSync server
  • Use the start, stop, and restart commands
  • Describe the failover server
  • Install the failover server
  • Install the PingDataSync server
Lesson 3: Configuring the PingDataSync Server
Define and install the PingDataSync server components:
  • Define Sync Pipe components
  • Create the synchronization flow
  • Use the retry mechanism
  • Configure the PingDataSync server
  • Configure and synchronize the PingDataSync server
Lesson 4: Synchronizing the PingDataSync Server
Describe the features needed, in a relational database and AD, to allow synchronization through the PingDataSync server:
  • Synchronize with a relational database
  • Synchronize with AD
Chapter 5: Troubleshooting and Maintenance

Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.

Lesson 1: Providing an Overview of the Server SDK
Provide an overview of the Server SDK:
  • Describe the key features of the Server SDK
Lesson 2: Maintaining the PingDirectory Server
Summarize common PingDirectory maintenance tasks:
  • Use the start, stop, and restart server commands
  • Understand common maintenance tasks
  • Perform maintenance tasks
  • Understand Delegated Admin
  • Configure Delegated Admin
  • Administer Delegated Admin
  • Understand data recovery
  • Perform data recovery
Lesson 3: Monitoring a PingDirectory Deployment
Explain how monitoring is a vital part of a PingDirectory deployment:
  • Monitor the PingDirectory server
Lesson 4: Troubleshooting the PingDirectory Server
Provide information about available troubleshooting tools and log files to help ensure the resolution of any problems:
  • Understand how to troubleshoot issues
  • Repair a conflict resolution
  • Use troubleshooting tools


May 20
3 days
PA-400 BVP Rev A

PingAccess Administration

This course provides the information you need to set up and configure PingAccess as a policy server to protect both web applications and APIs. After completing this course, you will know how to configure PingAccess in both a gateway and agent model, and configure different types of policies that PingAccess offers.

Upon completion of this course, you should be able to:

  • Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate)
  • Configure PingAccess as a Reverse Proxy
  • Configure policies in PingAccess to further bolster administration capabilities

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Introduction to PingAccess
  • Getting Started With PingAccess
  • Introduction to PingFederate
  • Getting Started With PingFederate

Chapter 1: Configuring and Connecting PingAccess

Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate).

Lesson 1: Configuring PingAccess as a Reverse Proxy (Gateway Model)

Describe how to configure PingAccess as a reverse proxy (gateway model):

  • Introduce the gateway model
  • Enable PingAccess as a reverse proxy
  • Configure PingAccess resources and rewrite rules

Lesson 2: Connecting PingAccess to a Token Provider (PingFederate)

Describe the responsibilities of token providers and how to configure PingAccess to use PingFederate as a token provider:

  • Introduce token providers
  • Configure OAuth2 in PingFederate
  • Configure PingAccess using the gateway model

Chapter 2: Configuring PingAccess Applications, Agents, and Sites

Configure PingAccess as a Reverse Proxy.

Lesson 1: Protecting Web Apps

Describe how to protect web apps by configuring them with PingAccess and OpenID Connect (OIDC):

  • Define the OIDC protocol
  • Introduce web sessions
  • Create a web session using OIDC claims

Lesson 2: Working With Sites

Create identity mappings and advanced web sessions:

  • Create identity mappings and advanced web sessions

Lesson 3: Working With Rules and Policies

Describe how to work with rules and policies within PingAccess:

  • Describe the rules and policies process
  • Create web access rules
  • Create API access control rules

Chapter 3: Configuring Policies and Administration

Configure policies in PingAccess to further bolster administration capabilities.

Lesson 1: Maintaining PingAccess

Discuss how to maintain PingAccess through resources, audit logs, and redirection:

  • Dive deeper into resources
  • Examine audit logs
  • Manage redirection

Lesson 2: Configuring PingAccess as a Policy Server (Agent Model)

Configure PingAccess to be a policy server by implementing the agent model:

  • Introduce the agent model

Lesson 3: Optimizing and Configuring PingAccess

Optimize PingAccess through configuration, single sign-on (SSO), and the admin API:

  • Implement improvements
  • Enable PingAccess administrator SSO
  • Use the PingAccess administrative API
  • Increase the JVM Heap Size

Lesson 4: Creating PingAccess Clusters

Create PingAccess clusters to increase resilience and simplify procedures:

  • Deploy clusters
  • Configure simple clusters in PingAccess (Optional)
May 21
2 days
IGA-400-BVP Rev A.1

PingOne Advanced Identity Cloud Identity Governance

This course provides a hands-on technical introduction to PingOne Advanced Identity Cloud Identity Governance (Identity Governance). Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course is based on PingOne Advanced Identity Cloud (Advanced Identity Cloud) with the Identity Governance functionality added.

Upon completion of this course, you should be able to:

  • Discover how to access, manage, and work with Identity Governance capabilities
  • Create target applications and configure their mapping with Advanced Identity Cloud, reconcile entitlements from the applications, and provision accounts to the applications
  • Create and manage workflows, access requests for resources (entitlements, applications, roles), forms for access requests, and governance glossary items
  • Create and start scheduled and event-based certification campaigns to verify user access, and manage compliance by implementing Segregation of Duties (SoD) policies and rules

The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course.
  • Recommended completion of the PingOne Advanced Identity Cloud Administration course.
  • Knowledge of basic Windows/PowerShell commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A familiarity with the Advanced Identity Cloud admin and end-user UIs


Chapter 1: Introducing Identity Governance

Discover how to access, manage, and work with Identity Governance capabilities.

Lesson 1: Introducing Identity Governance

Describe Identity Governance and the related capabilities available in Advanced Identity Cloud:

  • Describe the purpose of Identity Governance
  • Introduce Identity Governance
  • Access Advanced Identity Cloud
  • Describe the course environment and architecture
  • Access your CloudShare environment
  • Access your Advanced Identity Cloud tenant
  • Access and explore your PingOne tenant environment

Lesson 2: Onboarding Applications and Identities

Create applications for onboarding users:

  • Explain Identity Governance terminology
  • Describe application types
  • Register and manage applications
  • Connect an application with an identity source
  • Configure application provisioning
  • Onboard and provision users, roles, and entitlements
  • Create a connector server in Advanced Identity Cloud
  • Connect the RCS with Advanced Identity Cloud
  • Customize the Advanced Identity Cloud user schema
  • Register an authoritative application and onboard identities

Chapter 2: Managing Identity Lifecycle and Entitlements

Create target applications and configure their mapping with Advanced Identity Cloud, reconcile entitlements from the applications, and provision accounts to the applications.

Lesson 1: Reconciling Entitlements

Load and manage entitlements from target applications in Advanced Identity Cloud:

  • Describe entitlements
  • Manage entitlements
  • Assign and revoke entitlements to/from users and roles
  • Request access for an entitlement
  • Reconcile entitlements from Active Directory (AD)
  • Reconcile entitlements from PingOne

Lesson 2: Synchronizing Identity Data

Describe synchronization as a foundation of identity lifecycle management in Identity Governance, and provision and manage application accounts:

  • Describe the need for synchronization
  • Explore synchronization in Identity Governance
  • Describe how changes are managed during synchronization
  • Provision and manage application accounts
  • Provision an account to AD
  • Provision an account and entitlement to PingOne

Chapter 3: Creating and Managing Workflows and Access Requests

Create and manage workflows, access requests for resources (entitlements, applications, roles), forms for access requests, and governance glossary items.

Lesson 1: Managing Access Requests for Resources

Create, review, and manage access requests for resources, such as applications, entitlements, and roles:

  • Explain access request concepts
  • Access request administration
  • Request access to resources
  • Review and handle access requests
  • Request to provision an AD account with entitlements
  • Request to provision PingOne accounts with entitlements
  • Define a conditional provisioning role
  • Define and request a provisioning role

Lesson 2: Managing Glossary Items and Scopes

Create and manage governance glossary items and scopes to manage what can be requested:

  • Describe the governance glossary
  • Define and populate glossary attribute values
  • Use glossary attribute values as filters
  • Request access to entities for others
  • Create scopes to control what can be requested
  • Define glossary items for use in workflows and scopes
  • Create access requests for others and add scopes

Lesson 3: Creating Workflows, Request Types, and Forms

Manage workflows, request types, and forms for customizing access requests, and schedule a task scanner job:

  • Create and manage workflows
  • Build a workflow with nodes
  • Create and manage request types
  • Create and manage forms for customized user-interaction
  • Designing forms in the form editor
  • Create and manage a task scanner
  • Create new workflows and update default workflows
  • Create and manage forms to customize user interaction

Chapter 4: Managing Certifications and Compliance

Create and start scheduled and event-based certification campaigns to verify user access, and manage compliance by implementing SoD policies and rules.

Lesson 1: Configuring and Running Certifications

Prepare and perform certification of access to applications:

  • Certify access in Identity Governance
  • Create certification templates
  • Configure the certification template
  • Manage certification templates
  • Create certification campaigns
  • Perform access reviews
  • Certify access based on events
  • Configure and initiate entitlement certifications
  • Certify entitlements for the certification campaign
  • Configure an event that triggers certification
  • Configure an event that initiates a workflow
  • Manage approvals for triggered events

Lesson 2: Managing Compliance With SoD

Manage compliance and implement SoD policies:

  • Describe SoD
  • Define policy rules
  • Configure compliance policies
  • Run compliance scans
  • Manage violations and exceptions
  • Create an SoD rule and policy
  • Run a compliance scan
  • Make a request that violates compliance
May 25
4 days
PD-400-BVP Rev A.1

PingDirectory Administration

This course provides the knowledge you need to install and administer each component of the PingDirectory platform, which includes: PingDirectory server, PingDirectoryProxy server, PingDataSync server, the PingData Software Development Kit (SDK), and Delegated User Administration. This course references real-world scenarios driven by recurring use cases. You learn how to install each PingDirectory platform component, perform basic maintenance, and use the monitoring and troubleshooting tools, while hands-on lab exercises provide first-hand experience installing, configuring, tuning, and using the troubleshooting tools.


This course is built on version 10.

Upon completion of this course, you should be able to:

  • Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks
  • Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment
  • Describe how to install and manage the PingDirectoryProxy server
  • Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server
  • Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.

The following are the prerequisites for successfully completing this course:

  • Knowledge of UNIX/Linux commands.
  • A basic understanding of how directory servers function.
  • A basic understanding of REST and HTTP.
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required.
  • Completion of the Introduction to PingDirectory available at: https://backstage.pingidentity.com/university/

Chapter 1: Installing PingDirectory

Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks.

Lesson 1: Providing an Overview of PingDirectory
Describe the capabilities and key features of PingDirectory:
  • Describe the key features of PingDirectory
Lesson 2: Installing the PingDirectory Server
Summarize the PingDirectory server installation procedures:
  • Perform pre-installation procedures
  • Install PingDirectory
  • Describe post-installation procedures
Lesson 3: Completing Initial Configuration
Complete the PingDirectory server initial configuration settings:
  • Use server profiles
  • (Optional) Install PingDirectory

Chapter 2: Deploying PingDirectory

Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment.

Lesson 1: Managing the Schema
Describe the functions of the schema, and modify the schema by creating new attribute types, object classes, and a new custom user:
  • Describe the schema
  • Modify the schema
  • Modify object classes
  • Create auxiliary object classes
  • Load custom schema elements
Lesson 2: Managing Objects
Define objects in LDAP and use the command-line tools to search, add, modify, and delete entries:
  • Search entries
  • Manage entries
  • Create objects
Lesson 3: Using Security and Encryption
Describe the basic vulnerabilities in LDAP server implementations, secure server data, use the encryption-settings tool to create an encryption settings database, and create sensitive attributes:
  • Prevent data vulnerability
  • Keep data secure
  • Configure encryption settings
Lesson 4: Using Virtual Attributes
Define virtual attributes and their use, recall the virtual attribute types, and create mirrored virtual attributes:
  • Define virtual attributes
  • Administer virtual attributes
Lesson 5: Managing Password Policies
Describe how to use password policies, and then create and assign password policies to individual accounts and/or user groups:
  • Describe password policies
  • Create a password policy
Lesson 6: Administering JSON Attributes
Describe how to manage and create JSON attributes:
  • Manage JSON attributes
  • Create JSON attributes
  • Manage the Password Policy State JSON
  • Administer JSON Attributes
Lesson 7: Managing the REST APIs
Describe the available REST APIs, list the HTTP methods available, and use the Directory REST API to create and update user entries:
  • Understand the REST APIs
  • Use the SCIM 2.0 REST API
  • Administer the Directory REST API
Lesson 8: Managing Logging
List the three types of available log publishers, describe the elements of the log format, and create log publishers:
  • Manage log publishers
  • Configure logging
  • Create a log publisher
Lesson 9: Managing Replication
Define the replication process and architecture, set up a server topology, enable the replication process, and initialize new replicas:
  • Understand replication
  • Enable replication
  • Resolve conflicts
  • Understand the replication protocol
  • Use replication over WAN
  • Plan deployment
  • Configure replication
  • Scale replication
  • Enable the replication process
Lesson 10: Managing Server Topologies
Discuss the topology registry, create server groups to aid in configuration changes, and compare configurations on separate directory servers:
  • Define the topology registry
  • Administer the server topology
Chapter 3: Administering the PingDirectoryProxy Server

Describe how to install and manage the PingDirectoryProxy server.

Lesson 1: Providing an Overview of the PingDirectoryProxy Server
Describe the capabilities and key features of the PingDirectoryProxy server:
  • Describe the key features
Lesson 2: Installing the PingDirectoryProxy Server
Describe how to install the PingDirectoryProxy server:
  • Describe the installation process
  • Install the PingDirectoryProxy server
Lesson 3: Managing the PingDirectoryProxy Server
Describe the key advanced PingDirectoryProxy server transformation features:
  • Describe the proxy transformations
  • Understand entry balancing
  • Create transformations
Chapter 4: Administering the PingDataSync Server

Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server.

Lesson 1: Providing an Overview of PingDataSync
Describe the capabilities and key features of the PingDataSync server:
  • Describe the key features
Lesson 2: Installing the PingDataSync Server
Summarize the PingDataSync server installation procedures:
  • Install the PingDataSync server
  • Use the start, stop, and restart commands
  • Describe the failover server
  • Install the failover server
  • Install the PingDataSync server
Lesson 3: Configuring the PingDataSync Server
Define and install the PingDataSync server components:
  • Define Sync Pipe components
  • Create the synchronization flow
  • Use the retry mechanism
  • Configure the PingDataSync server
  • Configure and synchronize the PingDataSync server
Lesson 4: Synchronizing the PingDataSync Server
Describe the features needed, in a relational database and AD, to allow synchronization through the PingDataSync server:
  • Synchronize with a relational database
  • Synchronize with AD
Chapter 5: Troubleshooting and Maintenance

Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.

Lesson 1: Providing an Overview of the Server SDK
Provide an overview of the Server SDK:
  • Describe the key features of the Server SDK
Lesson 2: Maintaining the PingDirectory Server
Summarize common PingDirectory maintenance tasks:
  • Use the start, stop, and restart server commands
  • Understand common maintenance tasks
  • Perform maintenance tasks
  • Understand Delegated Admin
  • Configure Delegated Admin
  • Administer Delegated Admin
  • Understand data recovery
  • Perform data recovery
Lesson 3: Monitoring a PingDirectory Deployment
Explain how monitoring is a vital part of a PingDirectory deployment:
  • Monitor the PingDirectory server
Lesson 4: Troubleshooting the PingDirectory server
Provide information about available troubleshooting tools and log files to help ensure the resolution of any problems:
  • Understand how to troubleshoot issues
  • Repair a conflict resolution
  • Use troubleshooting tools


May 26
3 days
AIC-400-BVP Rev A

PingOne Advanced Identity Cloud Administration

This course builds upon the Getting Started With PingOne Advanced Identity Cloud for Administrators training to provide advanced techniques for managing and configuring PingOne Advanced Identity Cloud (Advanced Identity Cloud). Students will master advanced authentication journeys with multi-factor authentication (MFA), implement context-based authorization policies, and learn to model complex identity objects with relationships between managed objects. The course covers essential synchronization techniques, including connector configuration, reconciliation, LiveSync, and role-based provisioning to manage identity flow between Advanced Identity Cloud and external resources. Participants will gain hands-on experience with the REST API for programmatic access to identity management features, enabling automation and integration with external systems. Through practical exercises, students will learn to deploy and configure PingGateway to protect websites, implement continuous contextual authorization, and create comprehensive identity management solutions.


Upon completion of this course, you should be able to:

  • Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway
  • Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization
  • Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration
  • Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning
  • Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically

The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course available at: https://backstage.pingidentity.com/university/
  • Experience with Identity and Access Management
  • Working knowledge of REST communication
Chapter 1: Administering Authentication Journeys

Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway.

Lesson 1: (Recap) Exploring Authentication in Advanced Identity Cloud
Provide a recap of authentication in Advanced Identity Cloud:
  • Introduce the basic concepts of authentication
  • Prepare the lab environment
  • Describe the authentication mechanisms of Advanced Identity Cloud
  • Examine Advanced Identity Cloud default authentication
  • Create and manage journeys
  • Explore journey nodes
  • Create a login journey
  • Test the login journey
Lesson 2: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement TOTP authentication
  • Examine Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
Lesson 3: Modifying a User’s Journey Based on Context
Describe how Advanced Identity Cloud can take into account the context of an authentication request in order to take access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • (Optional) Implement account lockout
Lesson 4: Protecting a Website With PingGateway
Show how PingGateway, integrated with Advanced Identity Cloud, can protect a website:
  • Present Advanced Identity Cloud edge clients
  • Describe PingGateway functionality as an edge client
  • Review the BXE website protected by PingGateway
  • Integrate the BXE website with Advanced Identity Cloud
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
Chapter 2: Administering Authorization Policies

Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization.

Lesson 1: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with Advanced Identity Cloud authorization
  • Define Advanced Identity Cloud policy components
  • Define policy environment conditions and response attributes
  • Process of Advanced Identity Cloud policy evaluation
  • Implement access control on a website
Lesson 2: Checking Risk Continuously
Review the Advanced Identity Cloud tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • (Optional) Prevent users from bypassing the default journey
Chapter 3: Administering Managed Objects

Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration.

Lesson 1: Modeling an Identity Profile
Learn about the different object types in Advanced Identity Cloud, and how you can model a custom user profile onto an existing managed user object type in Advanced Identity Cloud:
  • Review the Advanced Identity Cloud documentation
  • Describe the different object types in Advanced Identity Cloud
  • Map an identity object to a managed object
  • Describe how to use placeholder attributes
  • Model a managed user object in Advanced Identity Cloud
Lesson 2: Introducing Relationships
Describe relationships between managed objects:
  • Describe the purpose of relationships
  • Describe how relationships are stored in the schema
  • Query an object relationship using the REST interface
Lesson 3: Managing Organizations
Set up managed organizations to delegate user administration based on the owner of hierarchical trees:
  • Describe the roles and privileges within an organization
  • Implement the organization example
Chapter 4: Administering Connectors, Synchronization, and Provisioning

Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning.

Lesson 1: Connecting to External Resources Using Connectors
Describe the connectors supported in Advanced Identity Cloud, and how to create connector configurations to communicate with external resources:
  • Describe how to connect external resources to Advanced Identity Cloud
  • Configure communication between Advanced Identity Cloud and a remote connector server (RCS)
  • Describe how to connect to external resources using ICF connectors
Lesson 2: Configuring Connectors Over the Identity Management Admin UI
  • Describe the process for creating a connector configuration using the Identity Management admin UI
  • Describe the object types and property mappings
  • Add a connector configuration for an external LDAP resource
Lesson 3: Performing Basic Synchronization
Describe how to use the Identity Management admin UI to create synchronization mappings (sync mappings) to reconcile identities between Advanced Identity Cloud and an external resource:
  • Describe how to create mappings to synchronize identity objects and properties
  • Describe how to create a sync mapping from Advanced Identity Cloud to an external resource
  • Describe how to add source and target properties to the sync mapping
  • Describe how to add a correlation query and a situational event script
  • Describe how to set the situational behaviors and run reconciliation
  • Add a sync mapping from Advanced Identity Cloud to an LDAP server
  • Describe the sync mapping from an LDAP server to Advanced Identity Cloud
  • Add a sync mapping from an LDAP server to Advanced Identity Cloud
Lesson 4: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:
  • Describe the different methods that you can use to filter entries
  • Run selective synchronization using filters
  • Describe how to use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Describe how to schedule LiveSync
  • Schedule LiveSync with an external resource
Lesson 5: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:
  • Describe how to provision attributes to a target system based on static role assignments
  • Describe the steps to enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Describe how to provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Describe how to add temporal constraints to a role
  • Add temporal constraints to a role
Chapter 5: Access Advanced Identity Cloud Over REST

Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically.

Lesson 1: Authenticating Over REST
Use Postman to access the Advanced Identity Cloud REST API and authenticate using either a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
  • Understand the REST authentication protocol
  • Authenticate with REST
  • Authenticate using header-based simple authentication
  • Authenticate using callback-based complex authentication

Lesson 2: Querying Advanced Identity Cloud Objects Over REST
Create security policies to control which users can access specific areas of the website:
  • Describe how to query objects using the REST interface
  • Describe how to use the Advanced Identity Cloud Postman collection
  • Query Advanced Identity Cloud Identity objects using Postman
May 26
3 days
PDS-400-BVP Rev A

PingDS Administration

This course is designed to provide students with the knowledge and concepts necessary to install, configure, and maintain a PingDS (DS), formerly known as ForgeRock® Directory Services, deployment.

Note: Revision A of this course is based on version 8.0.0 of DS.


Upon completion of this course, you should be able to:

  • Understand how to deploy directory servers, and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin
  • Measure performance, tune, and troubleshoot DS
  • Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services

The following are the prerequisites for successfully completing this course:

  • Knowledge of Lightweight Directory Access Protocol (LDAP).
  • An understanding of how directory servers function.
  • An understanding of REST and HTTP.
  • Knowledge of UNIX/Linux commands.
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
  • Completion of the PDS-100: Introduction to PingDS and PDS-330: Getting Started with PingDS on-demand courses.

Chapter 1: Deploying Directory Services

Understand how to deploy directory servers, and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin.

Lesson 1: Installing Directory Servers
Install directory servers for custom and Ping Identity Platform (Identity Platform) product deployments:
  • Prepare for a directory server installation
  • Access your lab environment
  • Prepare the lab environment
  • Install a directory server
  • Prepare directory servers for Identity Platform installations
  • Set up directory servers for AM
  • Set up a directory server as an IDM repository
  • Synchronize passwords with IDM
  • Configure password synchronization

Lesson 2: Replicating Data
Implement high availability for directory servers and maintain, monitor, and restore a replicated directory server topology:
  • Plan for replication
  • Install a replicated topology
  • Manage a replicated topology
  • Monitor and maintain replication
Lesson 3: Upgrading DS Servers
Prepare for and perform an upgrade of directory servers in a DS 7 replicated topology to DS 8:
  • Describe upgrade options
  • Upgrade DS 7 servers to DS 8
Lesson 4: Installing DS Directory Proxy
Understand the role of DS directory proxy and install DS directory proxy to provide a single point of entry to directory servers:
  • Introduce DS directory proxy
  • Install DS directory proxy
  • Provide a single point of access to replicas
Chapter 2: Tuning and Troubleshooting DS

Measure performance, tune, and troubleshoot DS.

Lesson 1: Measuring Performance
Understand performance requirements and settings that may be tuned to improve directory server performance:
  • Explain settings that affect performance
  • Prepare the lab environment
  • Tune the JE DB cache and generate performance tests
Lesson 2: Troubleshooting
Configure log files, collect troubleshooting data for Support, and monitor a DS deployment with Prometheus and Grafana:
  • Explain how to collect data for support
  • Collect data for support
  • Explore log files
  • Manage log files
  • Monitor a DS deployment
  • Observe monitoring metrics
Chapter 3: Accessing PingDS over HTTP(S)

Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services.

Lesson 1: Introducing HDAP
Access directory servers and perform operations over HTTP(S):
  • Describe REST-based HTTP access
  • Prepare the lab environment
  • Examine HTTP and HDAP configuration properties
  • Verify HDAP authentication
  • Explain HDAP operations
  • Manage resources with HDAP
Lesson 2: Using Account Management Actions
Manage passwords and display account usability information and resource schema:
  • Manage passwords
  • Update passwords
  • View JSON Schema
  • Get JSON schema
May 27
3 days
AIC-330-BVP Rev A

Getting Started With PingOne Advanced Identity Cloud for Administrators

This course shows students how to administer PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud. This is achieved through the various online resources available to them and a fully functional hands-on development environment, where they learn how to administer Advanced Identity Cloud in a training environment. Students are provided with a live Advanced Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, user journeys, and tenant configuration in their own Advanced Identity Cloud.

Upon completion of this course, you should be able to:

  • Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options
  • Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords
  • Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator
  • Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how Identity Gateway can protect web applications when it is integrated with Advanced Identity Cloud
  • Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants

The following are the prerequisites for successfully completing this course:

  • Completion of the Product Essentials courses available at: https://backstage.forgerock.com/university/cloud-learning
  • Introduction to PingAM
  • PingIDM Essentials
  • PingGateway Essentials
  • Introduction to PingDS
Chapter 1: Accessing Advanced Identity Cloud

Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options.

Lesson 1: Managing Administrators
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
  • Introduce the Advanced Identity Cloud admin UI
  • Manage administrators
  • Invite an administrator
Lesson 2: Introducing UI Integration
Understand UI integration options:
  • Explain UI integration options
  • Configure themes for the Alpha and Bravo realms

Chapter 2: Administering Identities

Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords.

Lesson 1: Managing Identities
Manage user identities:
  • Introduce managed objects
  • Manage a user profile
Lesson 2: Adding Identities With Bulk Import
Bulk import user identities from a CSV file to add test users to your tenant:
  • Describe bulk import
  • Import test users
Lesson 3: Managing Organizations
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
  • Describe roles and privileges within an organization
  • Implement delegated administration for an organization model
Lesson 4: Delegating User Management
Explain how to delegate administration privileges to managed users:
  • Delegate administration privileges
  • Delegate password reset
Chapter 3: Managing User Journeys

Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator.

Lesson 1: Managing Journeys
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
  • Introduce journeys
  • Modify journeys
  • Describe how to export and import journeys
  • Export and import journeys
  • Describe how to debug a journey
  • Enable debug mode on a user journey
Lesson 2: Managing Server-Side Sessions
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
  • Describe server-side sessions
  • Invalidate server-side sessions
Lesson 3: Configuring Email Templates
Understand the use of email templates in a journey flow:
  • Explore email templates and nodes
  • Configure email templates
  • Use email templates in user journeys
Chapter 4: Integrating With Advanced Identity Cloud

Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how PingGateway can protect web applications when it is integrated with Advanced Identity Cloud.

Lesson 1: Defining Applications
Describe the role of an application in Advanced Identity Cloud:
  • Introduce applications
  • Register a Bookmark app
Lesson 2: Synchronizing Identities
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
  • Explain how to connect to external resources
  • Configure an RCS cluster
  • Configure debug logging
  • Add an authoritative application
  • Explain synchronization
  • Create inbound mappings and run reconciliation
  • Synchronize passwords
  • Create a target Application with outbound mappings
Lesson 3: Protecting Web Resources
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
  • Introduce PingGateway
  • Integrate PingGateway with Advanced Identity Cloud
  • Integrate the PingGateway sample application with Advanced Identity Cloud
Chapter 5: Administering Your Tenant

Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants.

Lesson 1: Managing the Configuration
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
  • Introduce Service Accounts
  • Create and manage a service account
  • Introduce the Advanced Identity Cloud REST API
  • Display Advanced Identity Cloud identities using the REST API
  • Introduce configuration management
  • Create a baseline configuration repository
  • Describe how to manage ESVs
  • Create and call ESV variables
  • Promote your configuration
Lesson 2: Monitoring Tenant Activities
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
  • Explore Logs
  • Retrieve log data using the REST API
  • Retrieve log data using the Frodo CLI
  • Monitor your tenant
  • Monitor tenant health and visualize monitoring metrics
  • Explore the Advanced Identity Cloud analytics dashboard
Lesson 3: Managing Password Policies
Explain how an Advanced Identity Cloud administrator manages realm password policies:
  • Manage realm password policies
  • Configure password policies
Lesson 4: Additional Administration Tasks
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
  • Introduce outbound static IP addresses
  • View outbound static IP addresses
  • Manage tenant certificates
  • Add a custom domain name
May 27
3 days
PF-300-BVP Rev A

PingFederate Administration

This course implements various use cases with PingFederate and introduces industry concepts such as federation, SAML, and OAuth. The course also includes PingFederate-specific topics such as integration kits, adapters, SSO connections, and OAuth configuration. Hands-on exercises allow the participants to have first-hand experience in configuring PingFederate, establishing a web SSO connection and OAuth clients, and doing some basic troubleshooting.


The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingFederate course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Day 1: Background of Federation Web SSO and Core Product

  • Introduction to identity federation
  • Introduction to integration kits
  • Configuring SP and IdP adapters and password credential validators
    • Lab 1: HTML Form Adapter and Reference ID adapter configuration
  • Introduction to SAML
  • Configuring IdP and SP SSO connection
    • Lab 2: Creating connections for IdP and SP web SSO
  • Server logs
    • Lab 3: Review the server logs to follow an SSO transaction

Day 2: Further Integration and PingFederate Functionality

  • Attribute mapping and data source
    • Lab 4: Mapping attributes from external sources
    • Lab 5: Using an external source for authentication
  • Introduction to authentication policies
    • Lab 6: Creating authentication selectors, policy contracts, and authentication policies
    • Lab 7: Tracing SSO transactions in the PingFederate logs

Day 3: OAuth2 and Advanced Administration

  • Introduction to OAuth2
  • OAuth2 scopes and access tokens
    • Lab 8: Configuring OAuth2 grants (including token validation, authorization code)
    • Lab 9: Create an OAuth client for client credentials grant type
    • Lab 10: Create an OAuth client for a resource server
    • Lab 11: Create an OAuth client for authorization grant type
  • Introduction to OIDC
  • PingFederate administrative API
    • Lab 12: Using the admin API
  • Server Administration 
  • Deployment scenarios and clustering
    • Lab 13 (optional): Configuring a cluster
May 31
3 days
P1-400-BVP Rev A.1

PingOne Administration

This course gives learners the tools to get started with PingOne administration. It covers initial setup tasks, including creating and managing PingOne environments, application integration, and customization. This course also provides information on most common administration tasks, including user and group management, managing access policies, best practices, and troubleshooting of common issues.

Upon completion of this course, you should be able to:

  • Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment
  • Demonstrate administration of PingOne user populations, user roles, attributes, and groups
  • Demonstrate integration and troubleshooting of PingOne applications
  • Demonstrate how to use access control policies within PingOne
  • Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne
  • Demonstrate troubleshooting techniques and best practices within PingOne

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses available at: https://backstage.forgerock.com/university/ping/on-demand/category/PING
  • PingOne Fundamentals
  • Introduction to PingOne MFA
  • Getting Started With PingOne MFA
  • Getting Started With PingOne SSO
  • (Optional) Introduction to PingOne DaVinci
Chapter 1: Introducing PingOne

Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment.

Lesson 1: Providing an Overview of PingOne
Summarize PingOne capabilities and key features:
  • Describe PingOne as a cloud-based IDaaS solution
  • Describe PingOne environment solutions
  • Create a new environment
Lesson 2: Introducing Ping Identity Support Resources
Describe PingOne support resources:
  • Locate Ping Identity support resources
Chapter 2: Managing Users

Demonstrate administration of PingOne user populations, user roles, attributes, and groups.


Lesson 1: Managing Users and Populations
Describe how to manage users in PingOne, including how to create populations and add individual users:
  • Review default users
  • Edit default users
  • Create populations
  • Create a new population
  • Create new users
  • Create a new user
Lesson 2: Managing User Roles, Attributes, and Groups
Create a new population and new users:
  • Manage administrator roles
  • Assign roles to administrators
  • Understand user attributes
  • Manage user attributes
  • Manage user groups
  • Manage user group memberships
Chapter 3: Defining Application Integration

Demonstrate integration and troubleshooting of PingOne applications.

Lesson 1: Describing the Supported Federation Protocols
Understand the various identity federation protocols used within PingOne:
  • Understand federation protocols
  • Add an application from the catalog
  • Understand SAML2
  • Add a custom SAML2 application
  • Understand OAuth2
  • Understand OIDC
  • Add a custom OIDC application
  • Administer the Application Portal
Lesson 2: Troubleshooting Common PingOne Issues
Describe common issues that occur in PingOne, troubleshooting steps, and best practices:
  • Describe authentication failures
  • Define SSO failures
  • Describe attribute mapping errors
  • Determine certificate issues
  • Define group membership issues
  • Describe application integration issues
  • Define gateway access issues
  • Describe best practices
Chapter 4: Configuring Access Control

Demonstrate how to use access control policies within PingOne.

Lesson 1: Managing Authentication Policies
Describe how to create and manage authentication policies in PingOne:
  • Describe authentication policies
  • Create an authentication policy
Lesson 2: Managing Password Policies
Describe how to manage password policies in PingOne:
  • Define password policies
  • Edit a password policy
Lesson 3: Using Additional Authentication Methods
Describe how to create and manage authentication methods used in PingOne policies:
  • Describe MFA and FIDO policies
  • Create an MFA policy
  • Create a FIDO policy
Chapter 5: Managing the Identity Lifecycle

Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne.

Lesson 1: Managing User Onboarding
Discuss the initial stages of the identity lifecycle within PingOne, and describe how new user accounts are created and made ready for access:
  • Onboard users
  • Create users manually
Lesson 2: Understanding User Provisioning
Explain how PingOne automates the management of user access to applications, building upon the user identities created during onboarding:
  • Provision users
Lesson 3: Understanding User Maintenance
Describe how to manage the user maintenance capabilities in PingOne:
  • Administer user accounts
  • Manage a user account
Lesson 4: Managing User Offboarding
Understand the critical process of user offboarding within PingOne:
  • Offboard users
Lesson 5: Monitoring and Reporting
Explain the importance of monitoring and reporting within PingOne:
  • Monitor activity and view reports

Chapter 6: Troubleshooting and Best Practices

Demonstrate troubleshooting techniques and best practices within PingOne.

Lesson 1: Managing the Troubleshooting Process
Summarize the troubleshooting process and common techniques within PingOne:
  • Introduce the troubleshooting process
  • Understand common troubleshooting techniques
Lesson 2: Reviewing Best Practices
Summarize PingOne administration best practices:
  • Maintain a healthy PingOne environment
Jun 1
2 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols, namely OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2-based protocols, namely OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Jun 1
5 days
P1DV-300-BVP Rev B

Getting Started With PingOne DaVinci

This course provides the foundation to design, build, and integrate identity orchestration flows using PingOne DaVinci (DaVinci). You will create user interactions, extend flows with APIs, and integrate these solutions into applications. You will also leverage core PingOne services like SSO, identity management, and analytics. Through hands-on labs and instruction, you will gain the skills to deploy real-world orchestration solutions with confidence.

Upon completion of this course, you should be able to:

  • Build basic user interactions with DaVinci flows
  • Integrate a DaVinci flow into an application
  • Integrate PingOne single sign-on (SSO) and identities in DaVinci flows
  • Build an authentication flow in DaVinci
  • Provide custom analytics in a DaVinci flow

The following are the prerequisites for successfully completing this course:

  • Basic understanding of JavaScript, HTML, CSS, and the PingOne Platform
  • Completion of the Introduction to PingOne DaVinci course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Chapter 1: Building Basic User Interactions With DaVinci Flows


Build basic user interactions with DaVinci flows.


Lesson 1: Defining the Basic Flow and Interaction Steps

Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Introduce the PingOne Platform and DaVinci
  • Access and launch the DaVinci admin console
  • Understand Flows
  • Build basic user interaction in a flow


Lesson 2: Using Functions and API Calls
Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Extend DaVinci flows
  • Verify the age of the user
  • Make an API call
  • Collect the user’s email and password
  • Implement a robot check
  • Document the flow


Lesson 3: Improving the User Experience
Use more advanced concepts in DaVinci to implement your flows:

  • Improve the UI
  • Convert user interactions to use HTML templates


Lesson 4: Using Variables and Form Validation

Further expand the functionality of your existing flow by using flow variables and improving interaction with the user:

  • Incorporate variables
  • Understand localizing flows
  • Use flow variables and form validation
  • Incorporate form validation
  • Improve form validation inputs
  • Troubleshoot issues


Lesson 5: Using Subflows to Manage Complexity
Externalize functionality that is often reused or complex to its own flow; for example, if the flow needed to connect to an API that isn’t available as a native connector, CRUD operations could be built in a new flow that could be leveraged by many:

  • Create and use subflows
  • Implement the subflow
  • Replace the API call with the subflow


Chapter 2: Integrating a DaVinci Flow Into an Application


Integrate a DaVinci flow into an application.


Lesson 1: Integrating an Application to Launch a Flow

Integrate the flow into a web application, which allows the application to provide the CSS (look and feel). Other flows can also be integrated to enable a richer user experience:

  • Add a flow to a web application
  • Create and customize the application


Lesson 2: Using a CSS in Flows vs Applications
Review how CSS is leveraged in a flow vs an application, and determine the advantages of leaving the presentation layer controlled by your application rather than using a CSS in your flow:

  • Leverage a CSS
  • Determine how a custom CSS in a flow is embedded with a web application


Lesson 3: Adding a Flow to an Existing Application

Take the flow and integrate it into a web application:

  • Embed flows using the widget method
  • Import the DaVinci JavaScript library
  • Create a JavaScript method to call the flow


Lesson 4: Integrating Non-UI Flows

Explore how DaVinci can accelerate development when integrating with backend services and APIs, enriching the overall user experience:

  • Integrate a non-UI flow
  • Build out your flow
  • Integrate the flow


Lesson 5: Passing Data Into a Flow From an Application

Run through the process of passing data into a flow, whether it has user interaction or not:

  • Enable dynamic flows
  • Create and integrate a DaVinci subflow


Lesson 6: Performing A/B Testing

Define a flow that deals with age first, instead of name, during registration:

  • Understand A/B testing
  • Define a new flow
  • Incorporate flow policies
  • Build out a flow policy


Chapter 3: Integrating PingOne SSO and Identities in DaVinci Flows


Integrate PingOne SSO and identities in DaVinci flows.


Lesson 1: Setting Up Parallel Processing

Set up a flow that has two paths that execute in parallel and then come to their own conclusion:

  • Implement parallel processing
  • Leverage the PingOne Notification service


Lesson 2: Automating Flows With DaVinci Admin APIs

Learn how to manage DaVinci programmatically using the DaVinci Admin APIs:

  • Understand DaVinci Admin APIs
  • Explain administrator roles


Lesson 3: Creating Registered Accounts

Take the information collected during the registration process and create a user account in PingOne, which is the first step to expanding the capabilities of the application to support authentication:

  • Create registered accounts
  • Review your PingOne setup
  • Build out a new registration flow
  • Verify if an account already exists


Lesson 4: Verifying an Email Address

Establish a process to verify the email address of the user:

  • Configure email verification
  • Create an email verification subflow
  • Complete the subflow


Chapter 4: Building an Authentication Flow in DaVinci


Build an authentication flow in DaVinci.


Lesson 1: Handling Authentication

Handle authentication for the application:

  • Design and implement the authentication flow
  • Design the flow logic
  • Implement teleports for flow efficiency
  • Authenticate and validate user identity


Lesson 2: Handling Forgotten Passwords

Handle forgotten passwords in the authentication flow:

  • Manage password recovery flows
  • Develop the end-to-end forgot password flow


Lesson 3: Adding an Authentication Method

Add another method of authentication, an email magic link, for the users of the application:

  • Implement magic link authentication
  • Add a magic link authentication method


Chapter 5: Providing Custom Analytics in a DaVinci Flow


Provide custom analytics in a DaVinci flow.


Lesson 1: Leveraging Analytics to Monitor Flow Usage

Implement custom analytics to track key business milestones and user behavior across DaVinci flows:

  • Understand and apply flow analytics
  • Configure authentication analysis

Jun 3
3 days
SDK-541-BVP Rev B

Developing Applications Using SDKs

This course is for students who want to learn how to use the SDKs to speed up the integration of JavaScript, Android, and iOS applications within an access management solution. The course presents key use cases and features of the SDKs.

Note: Revision B of this course is based on version 7 of the Ping Identity Platform (Identity Platform), formerly known as ForgeRock® Identity Platform, and SDK 3.


Upon completion of this course, you should be able to:

  • Introduce the SDKs, describe how they fit into the Identity Platform, and how they interact with PingAM, formerly known as ForgeRock® Access Management
  • Present the centralized login flow, implement centralized login authentication, and observe device single sign-on (SSO)
  • Present the Embedded Login flow and execute authentication, registration, and self-service journeys
  • Increase the security of your application and enhance the user experience with social authentication, passwordless biometric authentication, device profile and location collection and analysis, and multi-factor authentication (MFA) with one-time passwords (OTPs) and push authentication

The following are the prerequisites for successfully completing this course:

  • Basic knowledge and skills using the Linux and Windows operating systems to complete labs
  • Basic knowledge of HTTP and communications between clients and servers is critical to understanding the interaction between the SDKs and AM
  • Basic knowledge of JSON, JavaScript, REST, and Java
  • Good knowledge of either JavaScript, Android, or iOS application development
  • Attendance at the PingAM Deep Dive (AM-410) course or equivalent knowledge
Chapter 1: Introducing the SDKs

Introduce the SDKs, describe how they fit into the Identity Platform, and how they interact with AM.

Lesson 1: The SDKs and Common Use Cases
Introduce the SDKs and common use cases:
  • Describe the SDKs
  • Explore the role of the SDKs through common use cases
  • Technical overview of the SDKs
  • Using SDK components
  • Interaction between the SDKs and AM
Lesson 2: Mobile Development Environment and Project Quickstart for Android and iOS
Learn how to set up a development environment:
  • Preparing the server
  • iOS Environment and Project Setup
  • Android Environment and Project Setup
  • JavaScript Environment and Project Setup
  • Preface to the exercises
  • Set up an iOS development environment
  • Set up an Android development environment
  • Set up a JavaScript development environment
Chapter 2: Authentication with Centralized Login

Present the centralized login flow, implement centralized login authentication, and observe device SSO.

Lesson 1: Authenticate With Centralized Login
Learn how to use the SDKs with centralized login:
  • Understand the login flow choices
  • Implement centralized login on mobile
  • Implement centralized login in JavaScript
  • Authenticate with centralized login on iOS
  • Authenticate with centralized login on Android
  • Authenticate with centralized login in JavaScript
Lesson 2: (Optional) Observe SSO Between Mobile Apps
Learn how to implement SSO between mobile apps with centralized login:
  • SSO between mobile apps with centralized login
Chapter 3: Working with Embedded Login

Present the Embedded Login flow and execute authentication, registration, and self-service journeys.

Lesson 1: Authenticate with Embedded Login
Learn how to use the SDKs with Embedded Login to authenticate:
  • Understand the APIs for Embedded Login
  • Authenticate with embedded login on iOS
  • Authenticate with embedded login on Android
  • Authenticate with embedded login in JavaScript
Lesson 2: Follow Authentication Journeys
Learn how to follow authentication journeys:
  • Respond to Callbacks
  • Respond to Stages
  • Respond to stages on iOS
  • Respond to stages on Android
  • Respond to stages in JavaScript
  • (Optional) Transactional authorization
Lesson 3: Registration and Self-Service Journeys
Learn how to follow registration and self-service journeys:
  • Respond to registration or self-service journeys
  • Implement self-service registration on iOS
  • Implement self-service registration on Android
  • Implement self-service registration in JavaScript
  • Call other journeys / Intercept REST calls
  • Implement self-service password change on iOS
  • Implement self-service password change on Android
  • Implement self-service password change in JavaScript

Lesson 4: Send and Process Verification Emails
Learn how to suspend journey processing and resume it after the user follows the resume link sent by email:

  • Suspend the journey and await the user following the resume link
  • Suspend and resume authentication on iOS
  • Suspend and resume authentication on Android
  • Suspend and resume authentication in JavaScript

Chapter 4: Increasing Security and Enhancing User Experience

Increase the security of your application and enhance the user experience with social authentication, passwordless biometric authentication, device profile and location collection and analysis, and MFA with OTPs and push authentication.

Lesson 1: Authenticate with Social Login
Learn how to implement social authentication:
  • Implement social login
  • Login with Google on iOS
  • Login with Google on Android
  • Login with Google in JavaScript
Lesson 2: Authenticate with WebAuthn and Biometrics
Learn how to implement biometric authentication on mobile:
  • Review WebAuthn concepts
  • Implement biometric authentication on mobile
  • Implement WebAuthn on iOS
  • Implement WebAuthn on Android
  • Implement web biometric authentication
  • Implement WebAuthn in JavaScript
Lesson 3: Collect and Validate Device Profiles and Geolocation
Learn how to collect device profile data and geolocation for validation:
  • Configure a user journey to verify and save device profile data
  • Device profile processing in the SDKs
  • Collect device profile data on iOS
  • Implement device profile collection on iOS
  • Collect device profile data on Android
  • Implement device profile collection on Android
  • Collect device profile data in JavaScript
  • Implement device profile collection in JavaScript
  • Analyze device context
  • Implement location-based security
  • Collect location information on iOS, Android or in JavaScript
  • Implement device tampering detection
  • Customize what data is collected
  • Check for device tampering and customize device profile collection on iOS
  • Check for device tampering and customize device profile collection on Android
  • Customize device profile collection in JavaScript
Lesson 4: MFA with Push and OATH on Mobile
Learn how to provide MFA with Push Authentication and Soft Token:
  • Integrate the ForgeRock Authenticator Module in a mobile app
  • Examine using the Authenticator Module on iOS
  • Examine using the Authenticator Module on Android
Jun 3
3 days
PF-300-BVP Rev A

PingFederate Administration

This course implements various use cases with PingFederate and introduces industry concepts such as federation, SAML, and OAuth. The course also includes PingFederate-specific topics such as integration kits, adapters, SSO connections, and OAuth configuration. Hands-on exercises allow the participants to have first-hand experience in configuring PingFederate, establishing a web SSO connection and OAuth clients, and doing some basic troubleshooting.


The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingFederate course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Day 1: Background of Federation Web SSO and Core Product

  • Introduction to identity federation
  • Introduction to integration kits
  • Configuring SP and IdP adapters and password credential validators
    • Lab 1: HTML Form Adapter and Reference ID adapter configuration
  • Introduction to SAML
  • Configuring IdP and SP SSO connection
    • Lab 2: Creating connections for IdP and SP web SSO
  • Server logs
    • Lab 3: Review the server logs to follow an SSO transaction

Day 2: Further Integration and PingFederate Functionality

  • Attribute mapping and data source
    • Lab 4: Mapping attributes from external sources
    • Lab 5: Using an external source for authentication
  • Introduction to authentication policies
    • Lab 6: Creating authentication selectors, policy contracts, and authentication policies
    • Lab 7: Tracing SSO transactions in the PingFederate logs

Day 3: OAuth2 and Advanced Administration

  • Introduction to OAuth2
  • OAuth2 scopes and access tokens
    • Lab 8: Configuring OAuth2 grants (including token validation, authorization code)
    • Lab 9: Create an OAuth client for the client credentials grant type
    • Lab 10: Create an OAuth client for a resource server
    • Lab 11: Create an OAuth client for authorization grant type
  • Introduction to OIDC
  • PingFederate administrative API
    • Lab 12: Using the admin API
  • Server administration
  • Deployment scenarios and clustering
    • Lab 13 (optional): Configuring a cluster
Jun 3
3 days
PDS-400-BVP Rev A

PingDS Administration

This course is designed to provide students with the knowledge and concepts necessary to install, configure, and maintain a PingDS (DS), formerly known as ForgeRock® Directory Services, deployment.

Note: Revision A of this course is based on version 8.0.0 of DS.


Upon completion of this course, you should be able to:

  • Understand how to deploy directory servers and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin
  • Measure performance, tune, and troubleshoot DS
  • Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services

The following are the prerequisites for successfully completing this course:

  • Knowledge of Lightweight Directory Access Protocol (LDAP).
  • An understanding of how directory servers function.
  • An understanding of REST and HTTP.
  • Knowledge of UNIX/Linux commands.
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required.
  • Completion of the PDS-100: Introduction to PingDS and PDS-330: Getting Started with PingDS on-demand courses.

Chapter 1: Deploying Directory Services

Understand how to deploy directory servers and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin.

Lesson 1: Installing Directory Servers
Install directory servers for custom and Ping Identity Platform (Identity Platform) product deployments:
  • Prepare for a directory server installation
  • Access your lab environment
  • Prepare the lab environment
  • Install a directory server
  • Prepare directory servers for Identity Platform installations
  • Set up directory servers for AM
  • Set up a directory server as an IDM repository
  • Synchronize passwords with IDM
  • Configure password synchronization

Lesson 2: Replicating Data

  • Implement high availability for directory servers and maintain, monitor, and restore a replicated directory server topology:
  • Plan for replication
  • Install a replicated topology
  • Manage a replicated topology
  • Monitor and maintain replication
Lesson 3: Upgrading DS Servers
  • Prepare for and perform an upgrade of directory servers in a DS 7 replicated topology to DS 8:
  • Describe upgrade options
  • Upgrade DS 7 servers to DS 8
Lesson 4: Installing DS Directory Proxy
  • Understand the role of DS directory proxy and install DS directory proxy to provide a single point of entry to directory servers:
  • Introduce DS directory proxy
  • Install DS directory proxy
  • Provide a single point of access to replicas
Chapter 2: Tuning and Troubleshooting DS

Measure performance, tune, and troubleshoot DS.

Lesson 1: Measuring Performance
  • Understand performance requirements and settings that may be tuned to improve directory server performance:
  • Explain settings that affect performance
  • Prepare the lab environment
  • Tune the JE DB cache and generate performance tests
Lesson 2: Troubleshooting
  • Configure log files, collect troubleshooting data for Support, and monitor a DS deployment with Prometheus and Grafana:
  • Explain how to collect data for support
  • Collect data for support
  • Explore log files
  • Manage log files
  • Monitor a DS deployment
  • Observe monitoring metrics
Chapter 3: Accessing PingDS over HTTP(S)

Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services.

Lesson 1: Introducing HDAP
  • Access directory servers and perform operations over HTTP(S):
  • Describe REST-based HTTP access
  • Prepare the lab environment
  • Examine HTTP and HDAP configuration properties
  • Verify HDAP authentication
  • Explain HDAP operations
  • Manage resources with HDAP
Lesson 2: Using Account Management Actions
  • Manage passwords and display account usability information and resource schema:
  • Manage passwords
  • Update passwords
  • View JSON Schema
  • Get JSON schema
Jun 8
3 days
IGA-400-BVP Rev A.1

PingOne Advanced Identity Cloud Identity Governance

This course provides a hands-on technical introduction to PingOne Advanced Identity Cloud Identity Governance (Identity Governance). Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course is based on PingOne Advanced Identity Cloud (Advanced Identity Cloud) with the Identity Governance functionality added.

Upon completion of this course, you should be able to:

  • Discover how to access, manage, and work with Identity Governance capabilities
  • Create target applications and configure their mapping with Advanced Identity Cloud, reconcile entitlements from the applications, and provision accounts to the applications
  • Create and manage workflows, access requests for resources (entitlements, applications, roles), forms for access requests, and governance glossary items
  • Create and start scheduled and event-based certification campaigns to verify user access, and manage compliance by implementing Segregation of Duties (SoD) policies and rules

The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course.
  • Recommended completion of the PingOne Advanced Identity Cloud Administration course.
  • Knowledge of basic Windows/PowerShell commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A familiarity with the Advanced Identity Cloud admin and end-user UIs


Chapter 1: Introducing Identity Governance

Discover how to access, manage, and work with Identity Governance capabilities.

Lesson 1: Introducing Identity Governance

Describe Identity Governance and the related capabilities available in Advanced Identity Cloud:

  • Describe the purpose of Identity Governance
  • Introduce Identity Governance
  • Access Advanced Identity Cloud
  • Describe the course environment and architecture
  • Access your CloudShare environment
  • Access your Advanced Identity Cloud tenant
  • Access and explore your PingOne tenant environment

Lesson 2: Onboarding Applications and Identities

Create applications for onboarding users:

  • Explain Identity Governance terminology
  • Describe application types
  • Register and manage applications
  • Connect an application with an identity source
  • Configure application provisioning
  • Onboard and provision users, roles, and entitlements
  • Create a connector server in Advanced Identity Cloud
  • Connect the RCS with Advanced Identity Cloud
  • Customize the Advanced Identity Cloud user schema
  • Register an authoritative application and onboard identities

Chapter 2: Managing Identity Lifecycle and Entitlements

Create target applications and configure their mapping with Advanced Identity Cloud, reconcile entitlements from the applications, and provision accounts to the applications.

Lesson 1: Reconciling Entitlements

Load and manage entitlements from target applications in Advanced Identity Cloud:

  • Describe entitlements
  • Manage entitlements
  • Assign and revoke entitlements to/from users and roles
  • Request access for an entitlement
  • Reconcile entitlements from Active Directory (AD)
  • Reconcile entitlements from PingOne

Lesson 2: Synchronizing Identity Data

Describe synchronization as a foundation of identity lifecycle management in Identity Governance, and provision and manage application accounts:

  • Describe the need for synchronization
  • Explore synchronization in Identity Governance
  • Describe how changes are managed during synchronization
  • Provision and manage application accounts
  • Provision an account to AD
  • Provision an account and entitlement to PingOne

Chapter 3: Creating and Managing Workflows and Access Requests

Create and manage workflows, access requests for resources (entitlements, applications, roles), forms for access requests, and governance glossary items.

Lesson 1: Managing Access Requests for Resources

Create, review, and manage access requests for resources, such as applications, entitlements, and roles:

  • Explain access request concepts
  • Access request administration
  • Request access to resources
  • Review and handle access requests
  • Request to provision an AD account with entitlements
  • Request to provision PingOne accounts with entitlements
  • Define a conditional provisioning role
  • Define and request a provisioning role

Lesson 2: Managing Glossary Items and Scopes

Create and manage governance glossary items and scopes to manage what can be requested:

  • Describe the governance glossary
  • Define and populate glossary attribute values
  • Use glossary attribute values as filters
  • Request access to entities for others
  • Create scopes to control what can be requested
  • Define glossary items for use in workflows and scopes
  • Create access requests for others and add scopes

Lesson 3: Creating Workflows, Request Types, and Forms

Manage workflows, request types, and forms for customizing access requests, and schedule a task scanner job:

  • Create and manage workflows
  • Build a workflow with nodes
  • Create and manage request types
  • Create and manage forms for customized user-interaction
  • Designing forms in the form editor
  • Create and manage a task scanner
  • Create new workflows and update default workflows
  • Create and manage forms to customize user interaction

Chapter 4: Managing Certifications and Compliance

Create and start scheduled and event-based certification campaigns to verify user access, and manage compliance by implementing SoD policies and rules.

Lesson 1: Configuring and Running Certifications

Prepare and perform certification of access to applications:

  • Certify access in Identity Governance
  • Create certification templates
  • Configure the certification template
  • Manage certification templates
  • Create certification campaigns
  • Perform access reviews
  • Certify access based on events
  • Configure and initiate entitlement certifications
  • Certify entitlements for the certification campaign
  • Configure an event that triggers certification
  • Configure an event that initiates a workflow
  • Manage approvals for triggered events

Lesson 2: Managing Compliance With SoD

Manage compliance and implement SoD policies:

  • Describe SoD
  • Define policy rules
  • Configure compliance policies
  • Run compliance scans
  • Manage violations and exceptions
  • Create an SoD rule and policy
  • Run a compliance scan
  • Make a request that violates compliance
Jun 8
4 days
AIC-CERT-PREP Rev A

Certified Professional - PingOne Advanced Identity Cloud Exam Preparation

This course helps prepare students to take the Certified Professional - PingOne Advanced Identity Cloud exam, formerly known as the ForgeRock® Identity Cloud Certified Professional exam. This is accomplished by presenting students with information concerning exam contents, logistics, tips for preparing to take the exam, lab exercises to cover exam contents, and a sample exam that is representative of the exam itself.

Upon completion of this course, you should be able to:

  • Register to take the exam
  • Prepare for the exam using recommended study materials
  • Take the exam either remotely or at a Pearson Testing Center

The following are the prerequisites for successfully completing this course:

  • Successful completion of the AIC-300 Getting Started With PingOne Advanced Identity Cloud for Administrators course
  • Thorough understanding of all PingOne Advanced Identity Cloud documentation and Knowledge Base articles on Backstage
  • 3-6 months of experience configuring and administering PingOne Identity tenants
  • Working knowledge of OAuth 2.0, OpenID Connect and SAML v2.0

Course Contents

Exam Overview
  • Explain exam metrics and passing scores
  • Provide an approach for responding to test questions
  • Identify options for registering and taking the exam
  • Describe testing center requirements
  • Describe requirements for taking the exam online
  • Show how to access exam results
Exam Details
  • Review the exam details and requirements
  • Explain exam topics and study areas
  • Present the objectives covered in the exam
  • Review important concepts associated with exam objectives
  • Review sample questions associated with objectives
  • Provide applicable materials for review
Lab Exercises
  • Research topics which will be covered in the exam
  • Navigate the PingOne Advanced Identity Cloud admin UI
  • Describe PingOne Advanced Identity Cloud configuration settings
  • Explain how to perform PingOne Advanced Identity Cloud related tasks
  • Configure PingOne Advanced Identity Cloud related services
Sample Exam
  • Test a student’s knowledge of PingOne Advanced Identity Cloud
  • Provide students with a representative exam experience
Jun 8
1 day
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and Using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Jun 8
5 days
PIDM-400 BVP Rev A

PingIDM Administration

Learn how to install and deploy PingIDM (IDM) in an on-prem or self-managed cloud environment to manage the lifecycle and relationship of digital identities. Topics include how to model identity objects in IDM, create connector configurations and synchronization mappings to manage the flow of identity objects and properties with various external identity resources, manage workflows, and deploy IDM within a cluster. This course explores the identity management-related features in depth, how they work, and the configuration options available during implementation.

Note: Revision A of this course is based on version 8.0.1 of PingIDM.

Upon completion of this course, you should be able to:

  • Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM
  • Create and configure connections between external resources and IDM
  • Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store
  • Install and deploy IDM in an on-prem or cloud provider Linux environment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingIDM Essentials course available at: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Basic knowledge and skills using the Linux operating system will be required to complete the labs.
  • Basic knowledge of JSON, JavaScript, REST, Java, Groovy, SQL and LDAP would be helpful for understanding the examples; however, programming experience is not required.

Chapter 1: Building and Configuring the Prerequisites

Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM.

Lesson 1: Setting Up the Lab
Provide an overview of how to set up the lab environment:

  • Install IDM
  • Explore the auxiliary software

Lesson 2: Modeling Objects and Identities
Describe how to model objects and identities via REST:

  • Introduce the Postman collection
  • Run the Postman collection

Lesson 3: Setting Up the End-User UI
Describe how to configure the end-user UI:

  • Install and configure the end-user UI
  • Retrieve, compile and deploy the end-user UI
  • Access the end-user UI

Chapter 2: Managing Connectors

Create and configure connections between external resources and IDM.

Lesson 1: Configuring Connectors With the IDM Admin UI
Create a connector configuration to connect to an external resource using the IDM admin UI:

  • Connect external resources to IDM
  • Create a connector configuration using the IDM admin UI
  • Add a connector configuration for an external LDAP resource
  • Add a CSV connector configuration
  • Add a connector configuration to import device identities

Lesson 2: Configuring Connectors Over REST
Create a connector configuration in IDM over the REST interface:

  • Create a connector configuration over REST
  • Describe the core connector configuration settings
  • Describe the object types and property mappings
  • Use the scripted SQL connector
  • Create a scripted SQL connector configuration

Chapter 3: Managing Synchronization and Reconciliation

Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store.

Lesson 1: Performing Basic Synchronization
Describe how to use the IDM admin UI to create sync mappings to reconcile identities between IDM and an external resource:

  • Create mappings to synchronize identity objects and properties
  • Create a sync mapping from IDM to an external resource
  • Add source and target properties to the sync mapping
  • Add a correlation query and a situational event script
  • Set the situational behaviors and run reconciliation
  • Add a sync mapping from IDM to an LDAP server
  • Describe the sync mapping from an LDAP server to IDM
  • Add a sync mapping from an LDAP server to IDM
  • Create a sync mapping to provision devices to the IDM repository

Lesson 2: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:

  • Filter entries
  • Run selective synchronization using filters
  • Use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Schedule LiveSync
  • Schedule LiveSync with an external resource
  • Control synchronization to multiple targets

Lesson 3: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:

  • Provision attributes to a target system based on static role assignments
  • Enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Add temporal constraints to a role
  • Set temporal constraints on a role

Lesson 4: Configuring a Custom Endpoint
Describe how to configure a custom endpoint:

  • Use a custom endpoint
  • Create a custom endpoint (optional)

Chapter 4: Installing and Deploying IDM

Install and deploy IDM in an on-prem or cloud provider Linux environment.

Lesson 1: Installing an IDM Instance
Install a stand-alone IDM instance for development and test the IDM sample configurations:

  • Describe the basic IDM installation requirements
  • Install and start IDM
  • Install IDM
  • Select MariaDB as a backend repository
  • Describe how to start IDM with a sample configuration
  • Start IDM with a sample configuration
  • Describe how to configure IDM to run as a background process or service
  • Configure IDM to run as a background process

Lesson 2: Monitoring and Troubleshooting
Describe how to set up monitoring and perform basic troubleshooting:

  • Describe the monitoring options available for IDM
  • Set up monitoring in IDM
  • Describe the different IDM log files
  • Examine the different log files in IDM (optional)

Lesson 3: Managing Passwords
Describe how to set up and fine-tune password policies and synchronizations in an IDM deployment:

  • Describe password policies in IDM
  • Set up password policies in IDM
  • Describe password synchronization from DS into IDM
  • Set up password synchronization from DS into IDM
Jun 8
3 days
P1-400-BVP Rev A.1

PingOne Administration

This course gives learners the tools to get started with PingOne administration. It covers initial setup tasks, including creating and managing PingOne environments, application integration, and customization. This course also provides information on most common administration tasks, including user and group management, managing access policies, best practices, and troubleshooting of common issues.

Upon completion of this course, you should be able to:

  • Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment
  • Demonstrate administration of PingOne user populations, user roles, attributes, and groups
  • Demonstrate integration and troubleshooting of PingOne applications
  • Demonstrate how to use access control policies within PingOne
  • Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne
  • Demonstrate troubleshooting techniques and best practices within PingOne

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses available at: https://backstage.forgerock.com/university/ping/on-demand/category/PING
  • PingOne Fundamentals
  • Introduction to PingOne MFA
  • Getting Started With PingOne MFA
  • Getting Started With PingOne SSO
  • (Optional) Introduction to PingOne DaVinci
Chapter 1: Introducing PingOne

Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment.

Lesson 1: Providing an Overview of PingOne
Summarize PingOne capabilities and key features:
  • Describe PingOne as a cloud-based IDaaS solution
  • Describe PingOne environment solutions
  • Create a new environment
Lesson 2: Introducing Ping Identity Support Resources
Describe PingOne support resources:
  • Locate Ping Identity support resources
Chapter 2: Managing Users

Demonstrate administration of PingOne user populations, user roles, attributes, and groups.


Lesson 1: Managing Users and Populations

Describe how to manage users in PingOne, including how to create populations and add individual users:

  • Review default users
  • Edit default users
  • Create populations
  • Create a new population
  • Create new users
  • Create a new user
Lesson 2: Managing User Roles, Attributes, and Groups
Create a new population and new users:
  • Manage administrator roles
  • Assign roles to administrators
  • Understand user attributes
  • Manage user attributes
  • Manage user groups
  • Manage user group memberships
Chapter 3: Defining Application Integration

Demonstrate integration and troubleshooting of PingOne applications.

Lesson 1: Describing the Supported Federation Protocols
Understand the various identity federation protocols used within PingOne:
  • Understand federation protocols
  • Add an application from the catalog
  • Understand SAML2
  • Add a custom SAML2 application
  • Understand OAuth2
  • Understand OIDC
  • Add a custom OIDC application
  • Administer the Application Portal
Lesson 2: Troubleshooting Common PingOne Issues
Describe common issues that occur in PingOne, troubleshooting steps, and best practices:
  • Describe authentication failures
  • Define SSO failures
  • Describe attribute mapping errors
  • Determine certificate issues
  • Define group membership issues
  • Describe application integration issues
  • Define gateway access issues
  • Describe best practices
Chapter 4: Configuring Access Control

Demonstrate how to use access control policies within PingOne.

Lesson 1: Managing Authentication Policies
Describe how to create and manage authentication policies in PingOne:
  • Describe authentication policies
  • Create an authentication policy
Lesson 2: Managing Password Policies
Describe how to manage password policies in PingOne:
  • Define password policies
  • Edit a password policy
Lesson 3: Using Additional Authentication Methods
Describe how to create and manage authentication methods used in PingOne policies:
  • Describe MFA and FIDO policies
  • Create an MFA policy
  • Create a FIDO policy
Chapter 5: Managing the Identity Lifecycle

Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne.

Lesson 1: Managing User Onboarding
Discuss the initial stages of the identity lifecycle within PingOne, and describe how new user accounts are created and made ready for access:
  • Onboard users
  • Create users manually
Lesson 2: Understanding User Provisioning
Explain how PingOne automates the management of user access to applications, building upon the user identities created during onboarding:
  • Provision users
Lesson 3: Understanding User Maintenance
Describe how to manage the user maintenance capabilities in PingOne:
  • Administer user accounts
  • Manage a user account
Lesson 4: Managing User Offboarding
Understand the critical process of user offboarding within PingOne:
  • Offboard users
Lesson 5: Monitoring and Reporting
Explain the importance of monitoring and reporting within PingOne:
  • Monitor activity and view reports

Chapter 6: Troubleshooting and Best Practices

Demonstrate troubleshooting techniques and best practices within PingOne.

Lesson 1: Managing the Troubleshooting Process
Summarize the troubleshooting process and common techniques within PingOne:
  • Introduce the troubleshooting process
  • Understand common troubleshooting techniques
Lesson 2: Reviewing Best Practices
Summarize PingOne administration best practices:
  • Maintain a healthy PingOne environment
Jun 11
2 days
PA-400 BVP Rev A

PingAccess Administration

This course provides the information you need to set up and configure PingAccess as a policy server to protect both web applications and APIs. After completing this course, you will know how to configure PingAccess in both a gateway and agent model, and configure different types of policies that PingAccess offers.

Upon completion of this course, you should be able to:

  • Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate)
  • Configure PingAccess as a Reverse Proxy
  • Configure policies in PingAccess to further bolster administration capabilities

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Introduction to PingAccess
  • Getting Started With PingAccess
  • Introduction to PingFederate
  • Getting Started With PingFederate

Chapter 1: Configuring and Connecting PingAccess

Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate).

Lesson 1: Configuring PingAccess as a Reverse Proxy (Gateway Model)

Describe how to configure PingAccess as a reverse proxy (gateway model):

  • Introduce the gateway model
  • Enable PingAccess as a reverse proxy
  • Configure PingAccess resources and rewrite rules

Lesson 2: Connecting PingAccess to a Token Provider (PingFederate)

Describe the responsibilities of token providers and how to configure PingAccess to use PingFederate as a token provider:

  • Introduce token providers
  • Configure OAuth2 in PingFederate
  • Configure PingAccess using the gateway model

Chapter 2: Configuring PingAccess Applications, Agents, and Sites

Configure PingAccess as a Reverse Proxy.

Lesson 1: Protecting Web Apps

Describe how to protect web apps by configuring them with PingAccess and OpenID Connect (OIDC):

  • Define the OIDC protocol
  • Introduce web sessions
  • Create a web session using OIDC claims

Lesson 2: Working With Sites

Create identity mappings and advanced web sessions:

  • Create identity mappings and advanced web sessions

Lesson 3: Working With Rules and Policies

Describe how to work with rules and policies within PingAccess:

  • Describe the rules and policies process
  • Create web access rules
  • Create API access control rules

Chapter 3: Configuring Policies and Administration

Configure policies in PingAccess to further bolster administration capabilities.

Lesson 1: Maintaining PingAccess

Discuss how to maintain PingAccess through resources, audit logs, and redirection:

  • Dive deeper into resources
  • Examine audit logs
  • Manage redirection

Lesson 2: Configuring PingAccess as a Policy Server (Agent Model)

Configure PingAccess to be a policy server by implementing the agent model:

  • Introduce the agent model

Lesson 3: Optimizing and Configuring PingAccess

Optimize PingAccess through configuration, single sign-on (SSO), and the admin API:

  • Implement improvements
  • Enable PingAccess administrator SSO
  • Use the PingAccess administrative API
  • Increase the JVM Heap Size

Lesson 4: Creating PingAccess Clusters

Create PingAccess clusters to increase resilience and simplify procedures:

  • Deploy clusters
  • Configure simple clusters in PingAccess (Optional)
Jun 14
2 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Jun 15
5 days
PD-400-BVP Rev A.1

PingDirectory Administration

This course provides the knowledge you need to install and administer each component of the PingDirectory platform, which includes the PingDirectory server, PingDirectoryProxy server, PingDataSync server, the PingData Software Development Kit (SDK), and Delegated User Administration. This course references real-world scenarios driven by recurring use cases. You learn how to install each PingDirectory platform component, perform basic maintenance, and use the monitoring and troubleshooting tools, while hands-on lab exercises provide first-hand experience installing, configuring, tuning, and using the troubleshooting tools.


This course is built on version 10.

Upon completion of this course, you should be able to:

  • Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks
  • Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment
  • Describe how to install and manage the PingDirectoryProxy server
  • Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server
  • Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.

The following are the prerequisites for successfully completing this course:

  • Knowledge of UNIX/Linux commands.
  • A basic understanding of how directory servers function.
  • A basic understanding of REST and HTTP.
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
  • Completion of the Introduction to PingDirectory available at: https://backstage.pingidentity.com/university/

Chapter 1: Installing PingDirectory

Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks.

Lesson 1: Providing an Overview of PingDirectory
Describe the capabilities and key features of PingDirectory:
  • Describe the key features of PingDirectory
Lesson 2: Installing the PingDirectory Server
Summarize the PingDirectory server installation procedures:
  • Perform pre-installation procedures
  • Install PingDirectory
  • Describe post-installation procedures
Lesson 3: Completing Initial Configuration
Complete the PingDirectory server initial configuration settings:
  • Use server profiles
  • (Optional) Install PingDirectory

Chapter 2: Deploying PingDirectory

Deploy, fine tune, and configure the PingDirectory server to meet the needs of your production environment.

Lesson 1: Managing the Schema
Describe the functions of the schema, and modify the schema by creating new attribute types, object classes, and a new custom user:
  • Describe the schema
  • Modify the schema
  • Modify the schema
  • Modify object classes
  • Create auxiliary object classes
  • Load custom schema elements
Lesson 2: Managing Objects
Define objects in LDAP and use the command-line tools to search, add, modify, and delete entries:
  • Search entries
  • Manage entries
  • Create objects
Lesson 3: Using Security and Encryption
Describe the basic vulnerabilities in LDAP server implementations, secure server data, use the encryption-settings tool to create an encryption settings database, and create sensitive attributes:
  • Prevent data vulnerability
  • Keep data secure
  • Configure encryption settings
Lesson 4: Using Virtual Attributes
Define virtual attributes and their use, recall the virtual attribute types, and create mirrored virtual attributes:
  • Define virtual attributes
  • Administer virtual attributes
Lesson 5: Managing Password Policies
Describe how to use password policies, and then create and assign password policies to individual accounts and/or user groups:
  • Describe password policies
  • Create a password policy
Lesson 6: Administering JSON Attributes
Describe how to manage and create JSON attributes:
  • Manage JSON attributes
  • Create JSON attributes
  • Manage the Password Policy State JSON
  • Administer JSON Attributes
Lesson 7: Managing the REST APIs
Describe the available REST APIs, list the HTTP methods available, and use the Directory REST API to create and update user entries:
  • Understand the REST APIs
  • Use the SCIM 2.0 REST API
  • Administer the Directory REST API
Lesson 8: Managing Logging
List the three types of available log publishers, describe the elements of the log format, and create log publishers:
  • Manage log publishers
  • Configure logging
  • Create a log publisher
Lesson 9: Managing Replication
Define the replication process and architecture, set up a server topology, enable the replication process, and initialize new replicas:
  • Understand replication
  • Enable replication
  • Resolve conflicts
  • Understand the replication protocol
  • Use replication over WAN
  • Plan deployment
  • Configure replication
  • Scale replication
  • Enable the replication process
Lesson 10: Managing Server Topologies
Discuss the topology registry, create server groups to aid in configuration changes, and compare configurations on separate directory servers:
  • Define the topology registry
  • Administer the server topology
Chapter 3: Administering the PingDirectoryProxy Server

Describe how to install and manage the PingDirectoryProxy server.

Lesson 1: Providing an Overview of the PingDirectoryProxy Server
Describe the capabilities and key features of the PingDirectoryProxy server:
  • Describe the key features
Lesson 2: Installing the PingDirectoryProxy Server
Describe how to install the PingDirectoryProxy server:
  • Describe the installation process
  • Install the PingDirectoryProxy server
Lesson 3: Managing the PingDirectoryProxy Server
Describe the key advanced PingDirectoryProxy server transformation features:
  • Describe the proxy transformations
  • Understand entry balancing
  • Create transformations
Chapter 4: Administering the PingDataSync Server

Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server.

Lesson 1: Providing an Overview of PingDataSync
Describe the capabilities and key features of the PingDataSync server:
  • Describe the key features
Lesson 2: Installing the PingDataSync Server
Summarize the PingDataSync server installation procedures:
  • Install the PingDataSync server
  • Use the start, stop, and restart commands
  • Describe the failover server
  • Install the failover server
  • Install the PingDataSync server
Lesson 3: Configuring the PingDataSync Server
Define and install the PingDataSync server components:
  • Define Sync Pipe components
  • Create the synchronization flow
  • Use the retry mechanism
  • Configure the PingDataSync server
  • Configure and synchronize the PingDataSync server
Lesson 4: Synchronizing the PingDataSync Server
Describe the features needed, in a relational database and AD, to allow synchronization through the PingDataSync server:
  • Synchronize with a relational database
  • Synchronize with AD
Chapter 5: Troubleshooting and Maintenance

Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.

Lesson 1: Providing an Overview of the Server SDK
Provide an overview of the Server SDK:
  • Describe the key features of the Server SDK
Lesson 2: Maintaining the PingDirectory Server
Summarize common PingDirectory maintenance tasks:
  • Use the start, stop, and restart server commands
  • Understand common maintenance tasks
  • Perform maintenance tasks
  • Understand Delegated Admin
  • Configure Delegated Admin
  • Administer Delegated Admin
  • Understand data recovery
  • Perform data recovery
Lesson 3: Monitoring a PingDirectory Deployment
Explain how monitoring is a vital part of a PingDirectory deployment:
  • Monitor the PingDirectory server
Lesson 4: Troubleshooting the PingDirectory Server
Provide information about available troubleshooting tools and log files to help ensure the resolution of any problems:
  • Understand how to troubleshoot issues
  • Repair a conflict resolution
  • Use troubleshooting tools


Jun 15
3 days
AM-421-BVP Rev B.3

PingAM: Customization and APIs

This course provides a hands-on technical introduction to PingAM (AM), formerly known as ForgeRock® Access Management, APIs and customization use cases. Students examine AM extension points and gain the skills required to extend and integrate an AM deployment in a real-world context. Additionally, students learn to implement various clients that communicate with AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.


Note: This course revision is based on version 7.3 of PingAM.


Upon completion of this course, you should be able to:

  • Provide a high-level overview of the PingAM (AM) configuration architecture
  • Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node
  • Explore how to use the PingAM (AM) authorization policy sets, policies, and policy evaluation, and create custom policy conditions with Java and scripts
  • Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees
  • Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement OpenID Connect (OIDC) claims by using the scripting API

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
Chapter 1: Introducing Customization in PingAM


This chapter provides a high-level overview of the PingAM (AM) configuration architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended.

Lesson 1: Using Extension (Customization) Points
Describe a high-level overview of the AM architecture, the interfaces through which its functionality can be accessed, and the way its behavior can be customized or extended:
  • List extension (customization) points of AM
  • List customizable AM components
  • Quiz questions
  • Access the lab environment
  • Manage the course application components
Chapter 2: Customizing Authentication

Extend and customize PingAM (AM) authentication processing by using authentication trees and a custom authentication node.


Lesson 1: Authentication With Trees and Nodes: An Introduction
Introduce authentication trees and nodes and how to configure an authentication tree:
  • Understand how AM performs authentication
  • Describe AM authentication trees and nodes
  • Compare tree and chain mechanisms
  • Quiz questions
  • Create an authentication tree with default nodes
  • Test the authentication tree
Lesson 2: Customizing Authentication Trees and Nodes
Prepare a coding build environment and generate a custom authentication node using a Maven archetype:
  • Describe custom authentication nodes
  • Prepare a build environment
  • Generate a custom node with a Maven archetype
  • List custom node classes
  • Customize node outcomes
  • Deploy the custom node
  • Modify custom node configuration and logic
  • Post-authentication hooks for trees
  • Quiz questions
  • Create initial custom authentication node source files
  • Modify the custom node’s implementation to be dynamic
  • Deploy and test the custom authentication node
  • Test the authentication tree with the custom node
Lesson 3: Developing Scripts With the Scripting API
Introduce scripting, how scripts work, what they can be used for, and how they can be managed through the AM admin UI:
  • Understand the basic concepts of scripting
  • Understand the scripting environment and the scripting API
  • Use the AM admin UI to manage scripts
  • Use the REST API to manage scripts
  • Develop client and server scripts
  • Use decision scripted authentication nodes in trees
  • Quiz questions
  • Explore client-side scripting with authentication nodes
  • Create an authentication tree with client-side and server-side scripts
  • Write a server-side script that uses a REST API request
Lesson 4: Migrating Authentication Modules to Trees and Nodes
Describe the design and implementation issues when migrating authentication modules to trees and nodes:
  • Describe design principles for trees and nodes
  • List design and implementation steps
  • Choose node types
  • Map files from modules to nodes
  • Authentication modules as nodes
  • Migrate an LDAP chain to a tree
  • Migrate post-authentication plugins
  • Handle logout notifications
  • Configure redirection URLs
  • Implement account lockout
  • Link a chain to a tree and return custom failure messages
  • Quiz questions
  • Reference an article about migrating chains to trees
Chapter 3: Customizing Authorization

Explore how to use the PingAM (AM) authorization policy sets, policies, and policy evaluation, and create custom policy conditions with Java and scripts.


Lesson 1: Customizing Authorization
Explore the AM authorization framework and the concepts central to it, such as policy sets (applications), policies, and the policy evaluation flow:
  • Understand the policy concepts in AM
  • Identify the situation when a custom condition is needed
  • Customize policy evaluation with a plugin and an Entitlement Condition class
  • Implement a scripted condition
  • Quiz Questions
  • Explore the ContactList REST APIs and policy design
  • Create resource types and a policy set
  • Write a policy condition checking for maintenance mode
  • Modify the policy condition script to provide additional information
Chapter 4: Customizing With REST Clients

Explore how to use the PingAM (AM) REST API, in the context of a web client application, for authenticating users with AM and AM authentication trees.

Lesson 1: Using the REST API
Introduce the AM REST services and the Common REST API, how to invoke REST services from a JavaScript application, and how to configure CORS in AM:
  • Describe AM REST API services and the Common REST API
  • Understand the Common REST API
  • Explore REST API sorting, versioning, and status codes
  • Use AM services from a browser-based application
  • Enable CORS
  • Quiz questions
  • Study the ContactList application architecture
  • Configure the CORS filter in AM
  • Create a login service that uses AM authentication
Lesson 2: Authenticating With REST
Implement authentication and logout in a client application with the AM REST API either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
  • Review authentication and introduce RESTful authentication
  • Implement authentication with the simple REST API
  • Implement authentication with the full REST API
  • Describe callback types available in AM
  • Handle session upgrade and logout with the REST API
  • Implement RESTful token and session management
  • Use REST to manage identities
  • Manage realms with the REST API
  • Lesson Quiz
  • Implement a fully functional AM-based authentication in ContactList
  • Modify the login service to use the authentication tree
Lesson 3: Working With RESTful User Self-Service APIs
Discuss how a browser-based application can use the self-service API to perform operations on behalf of the user such as registration, password reset, and displaying the user dashboard:
  • Describe the self-service REST API
  • Configure AM for self-service
  • Implement password reset with REST
  • Self-register a user via REST
  • Lesson quiz
  • Prepare AM for the password reset functionality
  • Examine the password reset protocol
  • Extend ContactList with a password reset feature
Lesson 4: Authorizing With REST
Demonstrate how the AM REST API policy management and evaluation works, and how it can be utilized to protect resources that are either actual URLs or other entities like actions:
  • Understand how to use the policy engine to protect resources other than URLs
  • Describe the policy management REST API
  • Describe the policy evaluator REST API
  • Implement fine-grained authorization using policies and the REST API
  • Lesson quiz
  • Prepare AM for ContactList authorization
  • Extend the backend to use the authorization REST API
  • Extend the front-end application to use AM
Chapter 5: Federating With OAuth2

Describe how to extend a web client application with the ability to authenticate and authorize a user by using OAuth 2.0 (OAuth2) for authentication, and implement OpenID Connect (OIDC) claims by using the scripting API.

Lesson 1: Implementing OAuth2 Custom Scopes
Discuss how PingAM (AM) supports the standard OAuth2 and OIDC protocols, including JSON Web Tokens (JWT):
  • Understand OAuth2 and use its HTTP endpoints
  • Examine the flow of the OAuth2 Authorization Code grant type
  • Understand OIDC and use its HTTP endpoints
  • Examine the flow of the OIDC Authorization Code grant type
  • Understand the scope validation mechanism and customize its default behavior
  • Use the Scripting API to customize the handling of OIDC claims
  • Set up the OAuth2/OIDC service in AM
  • Study and complete the ContactListTokenResponseTypeHandler code
  • Enable OAuth2 federation in the ContactList front-end
  • Turn ContactList RESTful backend into an OAuth2 resource server
Jun 15
5 days
P1DV-300-BVP Rev B

Getting Started With PingOne DaVinci

This course provides the foundation to design, build, and integrate identity orchestration flows using PingOne DaVinci (DaVinci). You will create user interactions, extend flows with APIs, and integrate these solutions into applications. You will also leverage core PingOne services like SSO, identity management, and analytics. Through hands-on labs and instruction, you will gain the skills to deploy real-world orchestration solutions with confidence.

Upon completion of this course, you should be able to:

  • Build basic user interactions with DaVinci flows
  • Integrate a DaVinci flow into an application
  • Integrate PingOne single sign-on (SSO) and identities in DaVinci flows
  • Build an authentication flow in DaVinci
  • Provide custom analytics in a DaVinci flow

The following are the prerequisites for successfully completing this course:

  • Basic understanding of JavaScript, HTML, CSS, and the PingOne Platform
  • Completion of the Introduction to PingOne DaVinci course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Chapter 1: Building Basic User Interactions With DaVinci Flows


Build basic user interactions with DaVinci flows.


Lesson 1: Defining the Basic Flow and Interaction Steps

Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Introduce the PingOne Platform and DaVinci
  • Access and launch the DaVinci admin console
  • Understand Flows
  • Build basic user interaction in a flow


Lesson 2: Using Functions and API Calls
Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Extend DaVinci flows
  • Verify the age of the user
  • Make an API call
  • Collect the user’s email and password
  • Implement a robot check
  • Document the flow


Lesson 3: Improving the User Experience
Use more advanced concepts in DaVinci to implement your flows:

  • Improve the UI
  • Convert user interactions to use HTML templates


Lesson 4: Using Variables and Form Validation

Expand further the functionality of your existing flow by using flow variables and improving interaction with the user:

  • Incorporate variables
  • Understand localizing flows
  • Use flow variables and form validation
  • Incorporate form validation
  • Improve form validation inputs
  • Troubleshoot issues


Lesson 5: Using Subflows to Manage Complexity
Externalize functionality that is often reused or complex to its own flow; for example, if the flow needed to connect to an API that isn’t available as a native connector, CRUD operations could be built in a new flow that could be leveraged by many:

  • Create and use subflows
  • Implement the subflow
  • Replace the API call with the subflow


Chapter 2: Integrating a DaVinci Flow Into an Application


Integrate a DaVinci flow into an application.


Lesson 1: Integrating an Application to Launch a Flow

Integrate the flow into a web application which allows the application to provide the CSS (look and feel). Other flows can also be integrated to enable a richer user experience:

  • Add a flow to a web application
  • Create and customize the application


Lesson 2: Using a CSS in Flows vs Applications
Review how CSS is leveraged in a flow vs an application, and determine the advantages of leaving the presentation layer controlled by your application rather than using a CSS in your flow:

  • Leverage a CSS
  • Determine how a custom CSS in a flow is embedded with a web application


Lesson 3: Adding a Flow to an Existing Application

Take the flow and integrate it into a web application:

  • Embed flows using the widget method
  • Import the DaVinci JavaScript library
  • Create a JavaScript method to call the flow


Lesson 4: Integrating Non-UI Flows

Explore how DaVinci can accelerate development when integrating with backend services and APIs, enriching the overall user experience:

  • Integrate a non-UI flow
  • Build out your flow
  • Integrate the flow


Lesson 5: Passing Data Into a Flow From an Application

Run through the process of passing data into a flow, whether it has user interaction or not:

  • Enable dynamic flows
  • Create and integrate a DaVinci subflow


Lesson 6: Performing A/B Testing

Define a flow that deals with age first, instead of name, during registration:

  • Understand A/B testing
  • Define a new flow
  • Incorporate flow policies
  • Build out a flow policy


Chapter 3: Integrating PingOne SSO and Identities in DaVinci Flows


Integrate PingOne SSO and identities in DaVinci flows.


Lesson 1: Setting Up Parallel Processing

Set up a flow that has two paths that execute in parallel and then come to their own conclusion:

  • Implement parallel processing
  • Leverage the PingOne Notification service


Lesson 2: Automating Flows With DaVinci Admin APIs

Learn how to manage DaVinci programmatically using the DaVinci Admin APIs:

  • Understand DaVinci Admin APIs
  • Explain administrator roles


Lesson 3: Creating Registered Accounts

Take the information collected during the registration process and create a user account in PingOne, which is the first step to expanding the capabilities of the application to support authentication:

  • Create registered accounts
  • Review your PingOne setup
  • Build out a new registration flow
  • Verify if an account already exists


Lesson 4: Verifying an Email Address

Establish a process to verify the email address of the user:

  • Configure email verification
  • Create an email verification subflow
  • Complete the subflow


Chapter 4: Building an Authentication Flow in DaVinci


Build an authentication flow in DaVinci.


Lesson 1: Handling Authentication

Handle authentication for the application:

  • Design and implement the authentication flow
  • Design the flow logic
  • Implement teleports for flow efficiency
  • Authenticate and validate user identity


Lesson 2: Handling Forgotten Passwords

Handle forgotten password in the authentication flow:

  • Manage password recovery flows
  • Develop the end-to-end forgot password flow


Lesson 3: Adding an Authentication Method

Add another method of authentication, an email magic link, for the users of the application:

  • Implement magic link authentication
  • Add a magic link authentication method


Chapter 5: Providing Custom Analytics in a DaVinci Flow


Provide custom analytics in a DaVinci flow.


Lesson 1: Leveraging Analytics to Monitor Flow Usage

Implement custom analytics to track key business milestones and user behavior across DaVinci flows:

  • Understand and apply flow analytics
  • Configure authentication analysis

Jun 15
3 days
IGA-400-BVP Rev A.1

PingOne Advanced Identity Cloud Identity Governance

This course provides a hands-on technical introduction to PingOne Advanced Identity Cloud Identity Governance (Identity Governance). Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course is based on PingOne Advanced Identity Cloud (Advanced Identity Cloud) with the Identity Governance functionality added.

Upon completion of this course, you should be able to:

  • Discover how to access, manage, and work with Identity Governance capabilities
  • Create target applications and configure their mapping with Advanced Identity Cloud, reconcile entitlements from the applications, and provision accounts to the applications
  • Create and manage workflows, access requests for resources (entitlements, applications, roles), forms for access requests, and governance glossary items
  • Create and start scheduled and event-based certification campaigns to verify user access, and manage compliance by implementing Segregation of Duties (SoD) policies and rules

The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course.
  • Recommended completion of the PingOne Advanced Identity Cloud Administration course.
  • Knowledge of basic Windows/PowerShell commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A familiarity with the Advanced Identity Cloud admin and end-user UIs


Chapter 1: Introducing Identity Governance

Discover how to access, manage, and work with Identity Governance capabilities.

Lesson 1: Introducing Identity Governance

Describe Identity Governance and the related capabilities available in Advanced Identity Cloud:

  • Describe the purpose of Identity Governance
  • Introduce Identity Governance
  • Access Advanced Identity Cloud
  • Describe the course environment and architecture
  • Access your CloudShare environment
  • Access your Advanced Identity Cloud tenant
  • Access and explore your PingOne tenant environment

Lesson 2: Onboarding Applications and Identities

Create applications for onboarding users:

  • Explain Identity Governance terminology
  • Describe application types
  • Register and manage applications
  • Connect an application with an identity source
  • Configure application provisioning
  • Onboard and provision users, roles, and entitlements
  • Create a connector server in Advanced Identity Cloud
  • Connect the RCS with Advanced Identity Cloud
  • Customize the Advanced Identity Cloud user schema
  • Register an authoritative application and onboard identities

Chapter 2: Managing Identity Lifecycle and Entitlements

Create target applications and configure their mapping with Advanced Identity Cloud, reconcile entitlements from the applications, and provision accounts to the applications.

Lesson 1: Reconciling Entitlements

Load and manage entitlements from target applications in Advanced Identity Cloud:

  • Describe entitlements
  • Manage entitlements
  • Assign and revoke entitlements to/from users and roles
  • Request access for an entitlement
  • Reconcile entitlements from Active Directory (AD)
  • Reconcile entitlements from PingOne

Lesson 2: Synchronizing Identity Data

Describe synchronization as a foundation of identity lifecycle management in Identity Governance, and provision and manage application accounts:

  • Describe the need for synchronization
  • Explore synchronization in Identity Governance
  • Describe how changes are managed during synchronization
  • Provision and manage application accounts
  • Provision an account to AD
  • Provision an account and entitlement to PingOne

Chapter 3: Creating and Managing Workflows and Access Requests

Create and manage workflows, access requests for resources (entitlements, applications, roles), forms for access requests, and governance glossary items.

Lesson 1: Managing Access Requests for Resources

Create, review, and manage access requests for resources, such as applications, entitlements, and roles:

  • Explain access request concepts
  • Access request administration
  • Request access to resources
  • Review and handle access requests
  • Request to provision an AD account with entitlements
  • Request to provision PingOne accounts with entitlements
  • Define a conditional provisioning role
  • Define and request a provisioning role

Lesson 2: Managing Glossary Items and Scopes

Create and manage governance glossary items and scopes to manage what can be requested:

  • Describe the governance glossary
  • Define and populate glossary attribute values
  • Use glossary attribute values as filters
  • Request access to entities for others
  • Create scopes to control what can be requested
  • Define glossary items for use in workflows and scopes
  • Create access requests for others and add scopes

Lesson 3: Creating Workflows, Request Types, and Forms

Manage workflows, request types, and forms for customizing access requests, and schedule a task scanner job:

  • Create and manage workflows
  • Build a workflow with nodes
  • Create and manage request types
  • Create and manage forms for customized user-interaction
  • Designing forms in the form editor
  • Create and manage a task scanner
  • Create new workflows and update default workflows
  • Create and manage forms to customize user interaction

Chapter 4: Managing Certifications and Compliance

Create and start scheduled and event-based certification campaigns to verify user access, and manage compliance by implementing SoD policies and rules.

Lesson 1: Configuring and Running Certifications

Prepare and perform certification of access to applications:

  • Certify access in Identity Governance
  • Create certification templates
  • Configure the certification template
  • Manage certification templates
  • Create certification campaigns
  • Perform access reviews
  • Certify access based on events
  • Configure and initiate entitlement certifications
  • Certify entitlements for the certification campaign
  • Configure an event that triggers certification
  • Configure an event that initiates a workflow
  • Manage approvals for triggered events

Lesson 2: Managing Compliance With SoD

Manage compliance and implement SoD policies:

  • Describe SoD
  • Define policy rules
  • Configure compliance policies
  • Run compliance scans
  • Manage violations and exceptions
  • Create an SoD rule and policy
  • Run a compliance scan
  • Make a request that violates compliance
Jun 15
4 days
PFAA-400-BVP Rev A

PingFederate Advanced Administration

This course steps the learner through various advanced PingFederate administration topics, such as configuring memory options for PingFederate, logging to a database server, configuring certificate revocation checking and certificate rotation, configuring self-service features of the HTML Form Adapter, identity provider (IdP) to service provider (SP) bridging, clustering with dynamic discovery, and more.



The following are the prerequisites for successfully completing this course:

  • Completion of the PingFederate Administration course, or
  • Equivalent experience with PingFederate

Day 1: Course Introduction

  • Server Administration
    • Configuring JVM memory options
    • Configuring virtual host names
    • Certificate-based console administration
    • Lab 1: Configuring OIDC-based console single sign-on (SSO)
  • PingFederate logging
    • Customizing audit logs
    • The log4j2.xml file
    • Logging to an external database
    • Lab 2: Logging with PingFederate
  • Certificates
    • Certificate revocation checking
    • Certificate rotation
Day 2:
  • HTML Form Adapter Self-Service Features
    • Password spray and account lockout prevention
    • Self-service password change
    • Self-service password reset
    • Self-service username recovery
    • Lab 3: HTML Form Adapter self-service options
  • HTML Form Adapter Self-Registration
    • Customer IAM with local identity profiles
    • Self-registration with local identity profiles
    • Self-registration using third-party IdPs
    • Lab 4: HTML Form Adapter customer registration
  • Advanced Attribute Mapping
    • Using multiple datastores
    • Using REST API as a datastore
    • Extended properties
    • PingDirectory virtual attributes
  • SSO Connections
    • Customizing SSO URLs
    • SP target URL mapping
    • IdP-to-SP bridging
    • Session management
    • Lab 5: SSO connections
Day 3:
  • Federation Hub
    • Bridging an IdP to an SP
    • Bridging an IdP to multiple SPs
    • Bridging multiple IdPs to an SP
    • Bridging multiple IdPs to multiple SPs
  • OAuth2 and OIDC
    • Dynamic client registration
    • Using directories for persistent grant storage
    • Creating and managing OIDC profiles
    • Lab 6: Configuring OIDC profiles
  • Clustering
    • Cluster protocol architecture
    • Runtime state management architecture
    • Adaptive clustering
    • Directed clustering
    • Dynamic discovery
    • Cluster replication
    • Lab 7: Clustering
  • Troubleshooting
    • SSO issues
    • OAuth2 issues
    • Certificate issues


Jun 16
3 days
PDS-400-BVP Rev A

PingDS Administration

This course is designed to provide students with the knowledge and concepts necessary to install, configure, and maintain a PingDS (DS), formerly known as ForgeRock® Directory Services, deployment.

Note: Revision A of this course is based on version 8.0.0 of DS.


Upon completion of this course, you should be able to:

  • Understand how to deploy directory servers, and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin
  • Measure performance, tune, and troubleshoot DS
  • Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services

The following are the prerequisites for successfully completing this course:

  • Knowledge of Lightweight Directory Access Protocol (LDAP).
  • An understanding of how directory servers function.
  • An understanding of REST and HTTP.
  • Knowledge of UNIX/Linux commands.
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required.

  • Completion of the PDS-100: Introduction to PingDS and PDS-330: Getting Started with PingDS on-demand courses.

Chapter 1: Deploying Directory Services

Understand how to deploy directory servers, and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin.

Lesson 1: Installing Directory Servers
Install directory servers for custom and Ping Identity Platform (Identity Platform) product deployments:
  • Prepare for a directory server installation
  • Access your lab environment
  • Prepare the lab environment
  • Install a directory server
  • Prepare directory servers for Identity Platform installations
  • Set up directory servers for AM
  • Set up a directory server as an IDM repository
  • Synchronize passwords with IDM
  • Configure password synchronization

Lesson 2: Replicating Data

Implement high availability for directory servers and maintain, monitor, and restore a replicated directory server topology:
  • Plan for replication
  • Install a replicated topology
  • Manage a replicated topology
  • Monitor and maintain replication
Lesson 3: Upgrading DS Servers
Prepare for and perform an upgrade of directory servers in a DS 7 replicated topology to DS 8:
  • Describe upgrade options
  • Upgrade DS 7 servers to DS 8
Lesson 4: Installing DS Directory Proxy
Understand the role of DS directory proxy and install DS directory proxy to provide a single point of entry to directory servers:
  • Introduce DS directory proxy
  • Install DS directory proxy
  • Provide a single point of access to replicas
Chapter 2: Tuning and Troubleshooting DS

Measure performance, tune, and troubleshoot DS.

Lesson 1: Measuring Performance
Understand performance requirements and settings that may be tuned to improve directory server performance:
  • Explain settings that affect performance
  • Prepare the lab environment
  • Tune the JE DB cache and generate performance tests
Lesson 2: Troubleshooting
Configure log files, collect troubleshooting data for Support, and monitor a DS deployment with Prometheus and Grafana:
  • Explain how to collect data for support
  • Collect data for support
  • Explore log files
  • Manage log files
  • Monitor a DS deployment
  • Observe monitoring metrics
Chapter 3: Accessing PingDS over HTTP(S)

Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services.

Lesson 1: Introducing HDAP
Access directory servers and perform operations over HTTP(S):
  • Describe REST-based HTTP access
  • Prepare the lab environment
  • Examine HTTP and HDAP configuration properties
  • Verify HDAP authentication
  • Explain HDAP operations
  • Manage resources with HDAP
Lesson 2: Using Account Management Actions
Manage passwords and display account usability information and resource schema:
  • Manage passwords
  • Update passwords
  • View JSON Schema
  • Get JSON schema
Jun 17
3 days
AIC-330-BVP Rev A

Getting Started With PingOne Advanced Identity Cloud for Administrators

This course shows students how to administer PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud. This is achieved through the various online resources available to them and a fully functional hands-on development environment, where they learn how to administer Advanced Identity Cloud in a training environment. Students are provided with a live Advanced Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, user journeys, and tenant configuration in their own Advanced Identity Cloud.

Upon completion of this course, you should be able to:

  • Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options
  • Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords
  • Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator
  • Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how Identity Gateway can protect web applications when it is integrated with Advanced Identity Cloud
  • Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants

The following are the prerequisites for successfully completing this course:

  • Completion of the Product Essentials courses available at: https://backstage.forgerock.com/university/cloud-learning
  • Introduction to PingAM
  • PingIDM Essentials
  • PingGateway Essentials
  • Introduction to PingDS
Chapter 1: Accessing Advanced Identity Cloud

Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options.

Lesson 1: Managing Administrators
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
  • Introduce the Advanced Identity Cloud admin UI
  • Manage administrators
  • Invite an administrator
Lesson 2: Introducing UI Integration
Understand UI integration options:
  • Explain UI integration options
  • Configure themes for the Alpha and Bravo realms

Chapter 2: Administering Identities

Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords.

Lesson 1: Managing Identities
Manage user identities:
  • Introduce managed objects
  • Manage a user profile
Lesson 2: Adding Identities With Bulk Import
Bulk import user identities from a CSV file to add test users to your tenant:
  • Describe bulk import
  • Import test users
Lesson 3: Managing Organizations
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
  • Describe roles and privileges within an organization
  • Implement delegated administration for an organization model
Lesson 4: Delegating User Management
Explain how to delegate administration privileges to managed users:
  • Delegate administration privileges
  • Delegate password reset
Chapter 3: Managing User Journeys

Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator.

Lesson 1: Managing Journeys
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
  • Introduce journeys
  • Modify journeys
  • Describe how to export and import journeys
  • Export and import journeys
  • Describe how to debug a journey
  • Enable debug mode on a user journey
Lesson 2: Managing Server-Side Sessions
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
  • Describe server-side sessions
  • Invalidate server-side sessions
Lesson 3: Configuring Email Templates
Understand the use of email templates in a journey flow:
  • Explore email templates and nodes
  • Configure email templates
  • Use email templates in user journeys
Chapter 4: Integrating With Advanced Identity Cloud

Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how PingGateway can protect web applications when it is integrated with Advanced Identity Cloud.

Lesson 1: Defining Applications
Describe the role of an application in Advanced Identity Cloud:
  • Introduce applications
  • Register a Bookmark app
Lesson 2: Synchronizing Identities
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
  • Explain how to connect to external resources
  • Configure an RCS cluster
  • Configure debug logging
  • Add an authoritative application
  • Explain synchronization
  • Create inbound mappings and run reconciliation
  • Synchronize passwords
  • Create a target Application with outbound mappings
Lesson 3: Protecting Web Resources
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
  • Introduce PingGateway
  • Integrate PingGateway with Advanced Identity Cloud
  • Integrate the PingGateway sample application with Advanced Identity Cloud
Chapter 5: Administering Your Tenant

Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants.

Lesson 1: Managing the Configuration
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
  • Introduce Service Accounts
  • Create and manage a service account
  • Introduce the Advanced Identity Cloud REST API
  • Display Advanced Identity Cloud identities using the REST API
  • Introduce configuration management
  • Create a baseline configuration repository
  • Describe how to manage ESVs
  • Create and call ESV variables
  • Promote your configuration
Lesson 2: Monitoring Tenant Activities
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
  • Explore Logs
  • Retrieve log data using the REST API
  • Retrieve log data using the Frodo CLI
  • Monitor your tenant
  • Monitor tenant health and visualize monitoring metrics
  • Explore the Advanced Identity Cloud analytics dashboard
Lesson 3: Managing Password Policies
Explain how an Advanced Identity Cloud administrator manages realm password policies:
  • Manage realm password policies
  • Configure password policies
Lesson 4: Additional Administration Tasks
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
  • Introduce outbound static IP addresses
  • View outbound static IP addresses
  • Manage tenant certificates
  • Add a custom domain name
Jun 22
3 days
PDAA-400-BVP Rev A

PingDirectory Advanced Administration

This course deepens your PingDirectory platform knowledge by diving into advanced concepts and exploring specific topics to expand your administrator capabilities.


This course consists of lectures and hands-on lab exercises which reference real-world scenarios driven by recurring use cases. Each student is required to provide their own laptop that has an SSH client and configuration allowing connections to WiFi and access to external servers.


The following are the prerequisites for successfully completing this course:

  • Completion of the PingDirectory Administration course, or
  • Equivalent experience with PingDirectory

Day 1:

  • Overview: Course structure and general housekeeping
  • Advanced configuration
    • Dsconfig options
      • Lab 1: Configure PingDirectory to run on server setup
      • Lab 2: Using soft deletes
      • Lab 3: Creating custom data
      • Lab 4: Creating client connection policies
  • PingDirectory and JVM Heap
    • Lab 5: Alarms, Alerts, and Gauges
    • Lab 6: Managing Certificates
Day 2:

  • Lab 7: The consent API
  • Lab 8: Advanced schema and entry management
  • Lab 9: Advanced logging
  • Lab 10: Working with ACIs
  • Lab 11: Working with indexes
Day 3:

  • Lab 12: Reverting an upgrade
  • The topology registry
    • Lab 13: Managing the topology and replication
  • Remove a defunct server from the topology
  • Manually initialize a server
    • Lab 14: Advanced PingDirectoryProxy Server
  • Entry balancing
  • Global indexes
  • Groups and entry balancing
  • Replication and entry balancing
  • Entry balancing monitoring
  • Dynamic rebalancing

Day 4:

  • Lab 15: PingDataSync and Active Directory
  • Lab 16: PingDataSync and PingOne
    • View the PingOne configuration
    • Using PingOne as a sync destination
    • Setting up pass-through authentication to PingOne


Jun 23
4 days
PDS-400-BVP Rev A

PingDS Administration

This course is designed to provide students with the knowledge and concepts necessary to install, configure, and maintain a PingDS (DS), formerly known as ForgeRock® Directory Services, deployment.

Note: Revision A of this course is based on version 8.0.0 of DS.


Upon completion of this course, you should be able to:

  • Understand how to deploy directory servers and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin
  • Measure performance, tune, and troubleshoot DS
  • Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services

The following are the prerequisites for successfully completing this course:

  • Knowledge of Lightweight Directory Access Protocol (LDAP).
  • An understanding of how directory servers function.
  • An understanding of REST and HTTP.
  • Knowledge of UNIX/Linux commands.
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required.
  • Completion of the PDS-100: Introduction to PingDS and PDS-330: Getting Started with PingDS on-demand courses.

Chapter 1: Deploying Directory Services

Understand how to deploy directory servers and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin.

Lesson 1: Installing Directory Servers
Install directory servers for custom and Ping Identity Platform (Identity Platform) product deployments:
  • Prepare for a directory server installation
  • Access your lab environment
  • Prepare the lab environment
  • Install a directory server
  • Prepare directory servers for Identity Platform installations
  • Set up directory servers for AM
  • Set up a directory server as an IDM repository
  • Synchronize passwords with IDM
  • Configure password synchronization

Lesson 2: Replicating Data

Implement high availability for directory servers and maintain, monitor, and restore a replicated directory server topology:
  • Plan for replication
  • Install a replicated topology
  • Manage a replicated topology
  • Monitor and maintain replication
Lesson 3: Upgrading DS Servers
Prepare for and perform an upgrade of directory servers in a DS 7 replicated topology to DS 8:
  • Describe upgrade options
  • Upgrade DS 7 servers to DS 8
Lesson 4: Installing DS Directory Proxy
Understand the role of DS directory proxy and install DS directory proxy to provide a single point of entry to directory servers:
  • Introduce DS directory proxy
  • Install DS directory proxy
  • Provide a single point of access to replicas
Chapter 2: Tuning and Troubleshooting DS

Measure performance, tune, and troubleshoot DS.

Lesson 1: Measuring Performance
Understand performance requirements and settings that may be tuned to improve directory server performance:
  • Explain settings that affect performance
  • Prepare the lab environment
  • Tune the JE DB cache and generate performance tests
Lesson 2: Troubleshooting
Configure log files, collect troubleshooting data for Support, and monitor a DS deployment with Prometheus and Grafana:
  • Explain how to collect data for support
  • Collect data for support
  • Explore log files
  • Manage log files
  • Monitor a DS deployment
  • Observe monitoring metrics
Chapter 3: Accessing PingDS over HTTP(S)

Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services.

Lesson 1: Introducing HDAP
Access directory servers and perform operations over HTTP(S):
  • Describe REST-based HTTP access
  • Prepare the lab environment
  • Examine HTTP and HDAP configuration properties
  • Verify HDAP authentication
  • Explain HDAP operations
  • Manage resources with HDAP
Lesson 2: Using Account Management Actions
Manage passwords and display account usability information and resource schema:
  • Manage passwords
  • Update passwords
  • View JSON Schema
  • Get JSON schema
Jun 24
3 days
AIC-400-BVP Rev A

PingOne Advanced Identity Cloud Administration

This course builds upon the Getting Started With PingOne Advanced Identity Cloud for Administrators training to provide advanced techniques for managing and configuring PingOne Advanced Identity Cloud (Advanced Identity Cloud). Students will master advanced authentication journeys with multi-factor authentication (MFA), implement context-based authorization policies, and learn to model complex identity objects with relationships between managed objects. The course covers essential synchronization techniques, including connector configuration, reconciliation, LiveSync, and role-based provisioning to manage identity flow between Advanced Identity Cloud and external resources. Participants will gain hands-on experience with the REST API for programmatic access to identity management features, enabling automation and integration with external systems. Through practical exercises, students will learn to deploy and configure PingGateway to protect websites, implement continuous contextual authorization, and create comprehensive identity management solutions.


Upon completion of this course, you should be able to:

  • Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway
  • Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization
  • Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration
  • Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning
  • Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically

The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course available at: https://backstage.pingidentity.com/university/
  • Experience with Identity and Access Management
  • Working knowledge of REST communication
Chapter 1: Administering Authentication Journeys

Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway.

Lesson 1: (Recap) Exploring Authentication in Advanced Identity Cloud
  • Provide a recap of authentication in Advanced Identity Cloud:
  • Introduce the basic concepts of authentication
  • Prepare the lab environment
  • Describe the authentication mechanisms of Advanced Identity Cloud
  • Examine Advanced Identity Cloud default authentication
  • Create and manage journeys
  • Explore journey nodes
  • Create a login journey
  • Test the login journey
Lesson 2: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement TOTP authentication
  • Examine Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
Lesson 3: Modifying a User’s Journey Based on Context
Describe how Advanced Identity Cloud can take the context of an authentication request into account when making access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • (Optional) Implement account lockout
Lesson 4: Protecting a Website With PingGateway
Show how PingGateway, integrated with Advanced Identity Cloud, can protect a website:
  • Present Advanced Identity Cloud edge clients
  • Describe PingGateway functionality as an edge client
  • Review the BXE website protected by PingGateway
  • Integrate the BXE website with Advanced Identity Cloud
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
Chapter 2: Administering Authorization Policies

Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization.

Lesson 1: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with Advanced Identity Cloud authorization
  • Define Advanced Identity Cloud policy components
  • Define policy environment conditions and response attributes
  • Describe the process of Advanced Identity Cloud policy evaluation
  • Implement access control on a website
Lesson 2: Checking Risk Continuously
Review the Advanced Identity Cloud tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • (Optional) Prevent users from bypassing the default journey
Chapter 3: Administering Managed Objects

Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration.

Lesson 1: Modeling an Identity Profile
Learn about the different object types in Advanced Identity Cloud, and how you can model a custom user profile onto an existing managed user object type in Advanced Identity Cloud:
  • Review the Advanced Identity Cloud documentation
  • Describe the different object types in Advanced Identity Cloud
  • Map an identity object to a managed object
  • Describe how to use placeholder attributes
  • Model a managed user object in Advanced Identity Cloud
Lesson 2: Introducing Relationships
Describe relationships between managed objects:
  • Describe the purpose of relationships
  • Describe how relationships are stored in the schema
  • Query an object relationship using the REST interface
Lesson 3: Managing Organizations
Set up managed organizations to delegate user administration based on the owner of hierarchical trees:
  • Describe the roles and privileges within an organization
  • Implement the organization example
Chapter 4: Administering Connectors, Synchronization, and Provisioning

Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning.

Lesson 1: Connecting to External Resources Using Connectors
Describe the connectors supported in Advanced Identity Cloud, and how to create connector configurations to communicate with external resources:
  • Describe how to connect external resources to Advanced Identity Cloud
  • Configure communication between Advanced Identity Cloud and a remote connector server (RCS)
  • Describe how to connect to external resources using ICF connectors
Lesson 2: Configuring Connectors Over the Identity Management Admin UI
  • Describe the process for creating a connector configuration using the Identity Management admin UI
  • Describe the object types and property mappings
  • Add a connector configuration for an external LDAP resource
Lesson 3: Performing Basic Synchronization
Describe how to use the Identity Management admin UI to create synchronization mappings (sync mappings) to reconcile identities between Advanced Identity Cloud and an external resource:
  • Describe how to create mappings to synchronize identity objects and properties
  • Describe how to create a sync mapping from Advanced Identity Cloud to an external resource
  • Describe how to add source and target properties to the sync mapping
  • Describe how to add a correlation query and a situational event script
  • Describe how to set the situational behaviors and run reconciliation
  • Add a sync mapping from Advanced Identity Cloud to an LDAP server
  • Describe the sync mapping from an LDAP server to Advanced Identity Cloud
  • Add a sync mapping from an LDAP server to Advanced Identity Cloud
Lesson 4: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:
  • Describe the different methods that you can use to filter entries
  • Run selective synchronization using filters
  • Describe how to use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Describe how to schedule LiveSync
  • Schedule LiveSync with an external resource
Lesson 5: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:
  • Describe how to provision attributes to a target system based on static role assignments
  • Describe the steps to enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Describe how to provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Describe how to add temporal constraints to a role
  • Add temporal constraints to a role
Chapter 5: Access Advanced Identity Cloud Over REST

Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically.

Lesson 1: Authenticating Over REST
Use Postman to access the Advanced Identity Cloud REST API and authenticate using either a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
  • Understand the REST authentication protocol
  • Authenticate with REST
  • Authenticate using header-based simple authentication
  • Authenticate using callback-based complex authentication

Lesson 2: Querying Advanced Identity Cloud Objects Over REST

Create security policies to control which users can access specific areas of the website:
  • Describe how to query objects using the REST interface
  • Describe how to use the Advanced Identity Cloud Postman collection
  • Query Advanced Identity Cloud Identity objects using Postman
Jul 6
3 days
PIDM-400 BVP Rev A

PingIDM Administration

Learn how to install and deploy PingIDM (IDM) in an on-prem or self-managed cloud environment to manage the lifecycle and relationship of digital identities. Topics include how to model identity objects in IDM, create connector configurations and synchronization mappings to manage the flow of identity objects and properties with various external identity resources, manage workflows, and deploy IDM within a cluster. This course explores the identity management-related features in depth, how they work, and the configuration options available during implementation.

Note: Revision A of this course is based on version 8.0.1 of PingIDM.

Upon completion of this course, you should be able to:

  • Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM
  • Create and configure connections between external resources and IDM
  • Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store
  • Install and deploy IDM in an on-prem or cloud provider Linux environment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingIDM Essentials course available at: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Basic knowledge and skills using the Linux operating system will be required to complete the labs.
  • Basic knowledge of JSON, JavaScript, REST, Java, Groovy, SQL and LDAP would be helpful for understanding the examples; however, programming experience is not required.

Chapter 1: Building and Configuring the Prerequisites

Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM.

Lesson 1: Setting Up the Lab
Provide an overview of how to set up the lab environment:

  • Install IDM
  • Explore the auxiliary software

Lesson 2: Modeling Objects and Identities
Describe how to model objects and identities via REST:

  • Introduce the Postman collection
  • Run the Postman collection

Lesson 3: Setting Up the End-User UI
Describe how to configure the end-user UI:

  • Install and configure the end-user UI
  • Retrieve, compile and deploy the end-user UI
  • Access the end-user UI

Chapter 2: Managing Connectors

Create and configure connections between external resources and IDM.

Lesson 1: Configuring Connectors With the IDM Admin UI
Create a connector configuration to connect to an external resource using the IDM admin UI:

  • Connect external resources to IDM
  • Create a connector configuration using the IDM admin UI
  • Add a connector configuration for an external LDAP resource
  • Add a CSV connector configuration
  • Add a connector configuration to import device identities

Lesson 2: Configuring Connectors Over REST
Create a connector configuration in IDM over the REST interface:

  • Create a connector configuration over REST
  • Describe the core connector configuration settings
  • Describe the object types and property mappings
  • Use the scripted SQL connector
  • Create a scripted SQL connector configuration

Chapter 3: Managing Synchronization and Reconciliation

Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store.

Lesson 1: Performing Basic Synchronization
Describe how to use the IDM admin UI to create sync mappings to reconcile identities between IDM and an external resource:

  • Create mappings to synchronize identity objects and properties
  • Create a sync mapping from IDM to an external resource
  • Add source and target properties to the sync mapping
  • Add a correlation query and a situational event script
  • Set the situational behaviors and run reconciliation
  • Add a sync mapping from IDM to an LDAP server
  • Describe the sync mapping from an LDAP server to IDM
  • Add a sync mapping from an LDAP server to IDM
  • Create a sync mapping to provision devices to the IDM repository

Lesson 2: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:

  • Filter entries
  • Run selective synchronization using filters
  • Use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Schedule LiveSync
  • Schedule LiveSync with an external resource
  • Control synchronization to multiple targets

Lesson 3: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:

  • Provision attributes to a target system based on static role assignments
  • Enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Add temporal constraints to a role
  • Set temporal constraints on a role

Lesson 4: Configuring a Custom Endpoint
Describe how to configure a custom endpoint:

  • Use a custom endpoint
  • Create a custom endpoint (optional)

Chapter 4: Installing and Deploying IDM

Install and deploy IDM in an on-prem or cloud provider Linux environment.

Lesson 1: Installing an IDM Instance
Install a stand-alone IDM instance for development and test the IDM sample configurations:

  • Describe the basic IDM installation requirements
  • Install and start IDM
  • Install IDM
  • Select MariaDB as a backend repository
  • Describe how to start IDM with a sample configuration
  • Start IDM with a sample configuration
  • Describe how to configure IDM to run as a background process or service
  • Configure IDM to run as a background process

Lesson 2: Monitoring and Troubleshooting
Describe how to set up monitoring and perform basic troubleshooting:

  • Describe the monitoring options available for IDM
  • Set up monitoring in IDM
  • Describe the different IDM log files
  • Examine the different log files in IDM (optional)

Lesson 3: Managing Passwords
Describe how to set up and fine-tune password policies and synchronizations in an IDM deployment:

  • Describe password policies in IDM
  • Set up password policies in IDM
  • Describe password synchronization from DS into IDM
  • Set up password synchronization from DS into IDM
Jul 6
3 days
PA-400 BVP Rev A

PingAccess Administration

This course provides the information you need to set up and configure PingAccess as a policy server to protect both web applications and APIs. After completing this course, you will know how to configure PingAccess in both a gateway and agent model, and configure different types of policies that PingAccess offers.

Upon completion of this course, you should be able to:

  • Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate)
  • Configure PingAccess as a Reverse Proxy
  • Configure policies in PingAccess to further bolster administration capabilities

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses: https://backstage.pingidentity.com/university/on-demand/category/PING
    • Introduction to PingAccess
    • Getting Started With PingAccess
    • Introduction to PingFederate
    • Getting Started With PingFederate

Chapter 1: Configuring and Connecting PingAccess

Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate).

Lesson 1: Configuring PingAccess as a Reverse Proxy (Gateway Model)

Describe how to configure PingAccess as a reverse proxy (gateway model):

  • Introduce the gateway model
  • Enable PingAccess as a reverse proxy
  • Configure PingAccess resources and rewrite rules

Lesson 2: Connecting PingAccess to a Token Provider (PingFederate)

Describe the responsibilities of token providers and how to configure PingAccess to use PingFederate as a token provider:

  • Introduce token providers
  • Configure OAuth2 in PingFederate
  • Configure PingAccess using the gateway model

Chapter 2: Configuring PingAccess Applications, Agents, and Sites

Configure PingAccess as a Reverse Proxy.

Lesson 1: Protecting Web Apps

Describe how to protect web apps by configuring them with PingAccess and OpenID Connect (OIDC):

  • Define the OIDC protocol
  • Introduce web sessions
  • Create a web session using OIDC claims

Lesson 2: Working With Sites

Create identity mappings and advanced web sessions:

  • Create identity mappings and advanced web sessions

Lesson 3: Working With Rules and Policies

Describe how to work with rules and policies within PingAccess:

  • Describe the rules and policies process
  • Create web access rules
  • Create API access control rules

Chapter 3: Configuring Policies and Administration

Configure policies in PingAccess to further bolster administration capabilities.

Lesson 1: Maintaining PingAccess

Discuss how to maintain PingAccess through resources, audit logs, and redirection:

  • Dive deeper into resources
  • Examine audit logs
  • Manage redirection

Lesson 2: Configuring PingAccess as a Policy Server (Agent Model)

Configure PingAccess to be a policy server by implementing the agent model:

  • Introduce the agent model

Lesson 3: Optimizing and Configuring PingAccess

Optimize PingAccess through configuration, single sign-on (SSO), and the admin API:

  • Implement improvements
  • Enable PingAccess administrator SSO
  • Use the PingAccess administrative API
  • Increase the JVM Heap Size

Lesson 4: Creating PingAccess Clusters

Create PingAccess clusters to increase resilience and simplify procedures:

  • Deploy clusters
  • Configure simple clusters in PingAccess (Optional)
Jul 8
2 days
PA-400 BVP Rev A

PingAccess Administration

Jul 13
2 days
PA-400 BVP Rev A

PingAccess Administration

This course provides the information you need to set up and configure PingAccess as a policy server to protect both web applications and APIs. After completing this course, you will know how to configure PingAccess in both a gateway and agent model, and configure different types of policies that PingAccess offers.

Upon completion of this course, you should be able to:

  • Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate)
  • Configure PingAccess as a Reverse Proxy
  • Configure policies in PingAccess to further bolster administration capabilities

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses:https://backstage.pingidentity.com/university/on-demand/category/PING
  • Introduction to PingAccess
  • Getting Started With PingAccess
  • Introduction to PingFederate
  • Getting Started With PingFederate

Chapter 1: Configuring and Connecting PingAccess

Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate).

Lesson 1: Configuring PingAccess as a Reverse Proxy (Gateway Model)

Describe how to configure PingAccess as a reverse proxy (gateway model):

  • Introduce the gateway model
  • Enable PingAccess as a reverse proxy
  • Configure PingAccess resources and rewrite rules

Lesson 2: Connecting PingAccess to a Token Provider (PingFederate)

Describe the responsibilities of token providers and how to configure PingAccess to use PingFederate as a token provider:

  • Introduce token providers
  • Configure OAuth2 in PingFederate
  • Configure PingAccess using the gateway model

Chapter 2: Configuring PingAccess Applications, Agents, and Sites

Configure PingAccess as a Reverse Proxy.

Lesson 1: Protecting Web Apps

Describe how to protect web apps by configuring them with PingAccess and OpenID Connect (OIDC):

  • Define the OIDC protocol
  • Introduce web sessions
  • Create a web session using OIDC claims

Lesson 2: Working With Sites

Create identity mappings and advanced web sessions:

  • Create identity mappings and advanced web sessions

Lesson 3: Working With Rules and Policies

Describe how to work with rules and policies within PingAccess:

  • Describe the rules and policies process
  • Create web access rules
  • Create API access control rules

Chapter 3: Configuring Policies and Administration

Configure policies in PingAccess to further bolster administration capabilities.

Lesson 1: Maintaining PingAccess

Discuss how to maintain PingAccess through resources, audit logs, and redirection:

  • Dive deeper into resources
  • Examine audit logs
  • Manage redirection

Lesson 2: Configuring PingAccess as a Policy Server (Agent Model)

Configure PingAccess to be a policy server by implementing the agent model:

  • Introduce the agent model

Lesson 3: Optimizing and Configuring PingAccess

Optimize PingAccess through configuration, single sign-on (SSO), and the admin API:

  • Implement improvements
  • Enable PingAccess administrator SSO
  • Use the PingAccess administrative API
  • Increase the JVM Heap Size

Lesson 4: Creating PingAccess Clusters

Create PingAccess clusters to increase resilience and simplify procedures:

  • Deploy clusters
  • Configure simple clusters in PingAccess (Optional)
Jul 15
2 days

AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Jul 20
5 days

PF-300-BVP Rev A

PingFederate Administration

This course implements various use cases with PingFederate and introduces industry concepts such as federation, SAML, and OAuth. The course also includes PingFederate-specific topics such as integration kits, adapters, SSO connections, and OAuth configuration. Hands-on exercises allow the participants to have first-hand experience in configuring PingFederate, establishing a web SSO connection and OAuth clients, and doing some basic troubleshooting.


The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingFederate course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Day 1: Background of Federation Web SSO and Core Product

  • Introduction to identity federation
  • Introduction to integration kits
  • Configuring SP and IdP adapters and password credential validators
    • Lab 1: HTML Form Adapter and Reference ID adapter configuration
  • Introduction to SAML
  • Configuring IdP and SP SSO connection
    • Lab 2: Creating connections for IdP and SP web SSO
  • Server logs
    • Lab 3: Review the server logs to follow an SSO transaction

Day 2: Further Integration and PingFederate Functionality

  • Attribute mapping and data source
    • Lab 4: Mapping attributes from external sources
    • Lab 5: Using an external source for authentication
  • Introduction to authentication policies
    • Lab 6: Creating authentication selectors, policy contracts, and authentication policies
    • Lab 7: Tracing SSO transactions in the PingFederate logs

Day 3: OAuth2 and Advanced Administration

  • Introduction to OAuth2
  • OAuth2 scopes and access tokens
    • Lab 8: Configuring OAuth2 grants (including token validation, authorization code)
    • Lab 9: Create an OAuth client for the client credentials grant type
    • Lab 10: Create an OAuth client for a resource server
    • Lab 11: Create an OAuth client for authorization grant type
  • Introduction to OIDC
  • PingFederate administrative API
    • Lab 12: Using the admin API
  • Server Administration 
  • Deployment scenarios and clustering
    • Lab 13 (optional): Configuring a cluster
Jul 20
3 days

IGA-400-BVP Rev A.1

PingOne Advanced Identity Cloud Identity Governance

This course provides a hands-on technical introduction to PingOne Advanced Identity Cloud Identity Governance (Identity Governance). Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course is based on PingOne Advanced Identity Cloud (Advanced Identity Cloud) with the Identity Governance functionality added.

Upon completion of this course, you should be able to:

  • Discover how to access, manage, and work with Identity Governance capabilities
  • Create target applications and configure their mapping with Advanced Identity Cloud, reconcile entitlements from the applications, and provision accounts to the applications
  • Create and manage workflows, access requests for resources (entitlements, applications, roles), forms for access requests, and governance glossary items
  • Create and start scheduled and event-based certification campaigns to verify user access, and manage compliance by implementing Segregation of Duties (SoD) policies and rules

The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course.
  • Recommended completion of the PingOne Advanced Identity Cloud Administration course.
  • Knowledge of basic Windows/PowerShell commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A familiarity with the Advanced Identity Cloud admin and end-user UIs


Chapter 1: Introducing Identity Governance

Discover how to access, manage, and work with Identity Governance capabilities.

Lesson 1: Introducing Identity Governance

Describe Identity Governance and the related capabilities available in Advanced Identity Cloud:

  • Describe the purpose of Identity Governance
  • Introduce Identity Governance
  • Access Advanced Identity Cloud
  • Describe the course environment and architecture
  • Access your CloudShare environment
  • Access your Advanced Identity Cloud tenant
  • Access and explore your PingOne tenant environment

Lesson 2: Onboarding Applications and Identities

Create applications for onboarding users:

  • Explain Identity Governance terminology
  • Describe application types
  • Register and manage applications
  • Connect an application with an identity source
  • Configure application provisioning
  • Onboard and provision users, roles, and entitlements
  • Create a connector server in Advanced Identity Cloud
  • Connect the RCS with Advanced Identity Cloud
  • Customize the Advanced Identity Cloud user schema
  • Register an authoritative application and onboard identities

Chapter 2: Managing Identity Lifecycle and Entitlements

Create target applications and configure their mapping with Advanced Identity Cloud, reconcile entitlements from the applications, and provision accounts to the applications.

Lesson 1: Reconciling Entitlements

Load and manage entitlements from target applications in Advanced Identity Cloud:

  • Describe entitlements
  • Manage entitlements
  • Assign and revoke entitlements to/from users and roles
  • Request access for an entitlement
  • Reconcile entitlements from Active Directory (AD)
  • Reconcile entitlements from PingOne

Lesson 2: Synchronizing Identity Data

Describe synchronization as a foundation of identity lifecycle management in Identity Governance, and provision and manage application accounts:

  • Describe the need for synchronization
  • Explore synchronization in Identity Governance
  • Describe how changes are managed during synchronization
  • Provision and manage application accounts
  • Provision an account to AD
  • Provision an account and entitlement to PingOne

Chapter 3: Creating and Managing Workflows and Access Requests

Create and manage workflows, access requests for resources (entitlements, applications, roles), forms for access requests, and governance glossary items.

Lesson 1: Managing Access Requests for Resources

Create, review, and manage access requests for resources, such as applications, entitlements, and roles:

  • Explain access request concepts
  • Access request administration
  • Request access to resources
  • Review and handle access requests
  • Request to provision an AD account with entitlements
  • Request to provision PingOne accounts with entitlements
  • Define a conditional provisioning role
  • Define and request a provisioning role

Lesson 2: Managing Glossary Items and Scopes

Create and manage governance glossary items and scopes to manage what can be requested:

  • Describe the governance glossary
  • Define and populate glossary attribute values
  • Use glossary attribute values as filters
  • Request access to entities for others
  • Create scopes to control what can be requested
  • Define glossary items for use in workflows and scopes
  • Create access requests for others and add scopes

Lesson 3: Creating Workflows, Request Types, and Forms

Manage workflows, request types, and forms for customizing access requests, and schedule a task scanner job:

  • Create and manage workflows
  • Build a workflow with nodes
  • Create and manage request types
  • Create and manage forms for customized user-interaction
  • Designing forms in the form editor
  • Create and manage a task scanner
  • Create new workflows and update default workflows
  • Create and manage forms to customize user interaction

Chapter 4: Managing Certifications and Compliance

Create and start scheduled and event-based certification campaigns to verify user access, and manage compliance by implementing SoD policies and rules.

Lesson 1: Configuring and Running Certifications

Prepare and perform certification of access to applications:

  • Certify access in Identity Governance
  • Create certification templates
  • Configure the certification template
  • Manage certification templates
  • Create certification campaigns
  • Perform access reviews
  • Certify access based on events
  • Configure and initiate entitlement certifications
  • Certify entitlements for the certification campaign
  • Configure an event that triggers certification
  • Configure an event that initiates a workflow
  • Manage approvals for triggered events

Lesson 2: Managing Compliance With SoD

Manage compliance and implement SoD policies:

  • Describe SoD
  • Define policy rules
  • Configure compliance policies
  • Run compliance scans
  • Manage violations and exceptions
  • Create an SoD rule and policy
  • Run a compliance scan
  • Make a request that violates compliance
Jul 27
4 days

AIC-330-BVP Rev A

Getting Started With PingOne Advanced Identity Cloud for Administrators

This course shows students how to administer PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud. This is achieved through the various online resources available to them and through a fully functional hands-on development environment, where they learn how to administer Advanced Identity Cloud in a training environment. Students are provided with a live Advanced Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, user journeys, and tenant configuration in their own Advanced Identity Cloud.

Upon completion of this course, you should be able to:

  • Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options
  • Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords
  • Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator
  • Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how Identity Gateway can protect web applications when it is integrated with Advanced Identity Cloud
  • Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants

The following are the prerequisites for successfully completing this course:

  • Completion of the Product Essentials courses available at: https://backstage.forgerock.com/university/cloud-learning
  • Introduction to PingAM
  • PingIDM Essentials
  • PingGateway Essentials
  • Introduction to PingDS
Chapter 1: Accessing Advanced Identity Cloud

Describe how to access an Advanced Identity Cloud tenant as an administrator and understand UI integration options.

Lesson 1: Managing Administrators
Invite additional administrators using the Advanced Identity Cloud admin UI, which is an administrative interface to manage your tenant settings:
  • Introduce the Advanced Identity Cloud admin UI
  • Manage administrators
  • Invite an administrator
Lesson 2: Introducing UI Integration
Understand UI integration options:
  • Explain UI integration options
  • Configure themes for the Alpha and Bravo realms

Chapter 2: Administering Identities

Manage identities with the Advanced Identity Cloud admin UI and implement delegated administration to manage organizations and reset user passwords.

Lesson 1: Managing Identities
Manage user identities:
  • Introduce managed objects
  • Manage a user profile
Lesson 2: Adding Identities With Bulk Import
Bulk import user identities from a CSV file to add test users to your tenant:
  • Describe bulk import
  • Import test users
Lesson 3: Managing Organizations
Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:
  • Describe roles and privileges within an organization
  • Implement delegated administration for an organization model
Lesson 4: Delegating User Management
Explain how to delegate administration privileges to managed users:
  • Delegate administration privileges
  • Delegate password reset
Chapter 3: Managing User Journeys

Manage journeys, email templates used in journeys, and authentication sessions as an Advanced Identity Cloud administrator.

Lesson 1: Managing Journeys
Understand how journeys are used with Advanced Identity Cloud and how to import, export, and debug journeys:
  • Introduce journeys
  • Modify journeys
  • Describe how to export and import journeys
  • Export and import journeys
  • Describe how to debug a journey
  • Enable debug mode on a user journey
Lesson 2: Managing Server-Side Sessions
Understand how authentication sessions are used with Advanced Identity Cloud and how to invalidate server-side sessions:
  • Describe server-side sessions
  • Invalidate server-side sessions
Lesson 3: Configuring Email Templates
Understand the use of email templates in a journey flow:
  • Explore email templates and nodes
  • Configure email templates
  • Use email templates in user journeys
Chapter 4: Integrating With Advanced Identity Cloud

Understand the use of Applications, synchronize identities between Advanced Identity Cloud and external applications, and explore how PingGateway can protect web applications when it is integrated with Advanced Identity Cloud.

Lesson 1: Defining Applications
Describe the role of an application in Advanced Identity Cloud:
  • Introduce applications
  • Register a Bookmark app
Lesson 2: Synchronizing Identities
Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Advanced Identity Cloud and on-prem resources:
  • Explain how to connect to external resources
  • Configure an RCS cluster
  • Configure debug logging
  • Add an authoritative application
  • Explain synchronization
  • Create inbound mappings and run reconciliation
  • Synchronize passwords
  • Create a target Application with outbound mappings
Lesson 3: Protecting Web Resources
Demonstrate how PingGateway can protect a web application when it is integrated with Advanced Identity Cloud:
  • Introduce PingGateway
  • Integrate PingGateway with Advanced Identity Cloud
  • Integrate the PingGateway sample application with Advanced Identity Cloud
Chapter 5: Administering Your Tenant

Manage the configuration, monitor tenant activities, and perform common administration tasks for Advanced Identity Cloud tenants.

Lesson 1: Managing the Configuration
Explain how to create service accounts to use the REST API endpoints, create a baseline configuration repository for developers, manage ESVs, and understand the promotion process:
  • Introduce Service Accounts
  • Create and manage a service account
  • Introduce the Advanced Identity Cloud REST API
  • Display Advanced Identity Cloud identities using the REST API
  • Introduce configuration management
  • Create a baseline configuration repository
  • Describe how to manage ESVs
  • Create and call ESV variables
  • Promote your configuration
Lesson 2: Monitoring Tenant Activities
Explore and retrieve log data using the REST API and the Frodo CLI, monitor tenant activities, and visualize monitoring metrics using Prometheus and Grafana:
  • Explore Logs
  • Retrieve log data using the REST API
  • Retrieve log data using the Frodo CLI
  • Monitor your tenant
  • Monitor tenant health and visualize monitoring metrics
  • Explore the Advanced Identity Cloud analytics dashboard
Lesson 3: Managing Password Policies
Explain how an Advanced Identity Cloud administrator manages realm password policies:
  • Manage realm password policies
  • Configure password policies
Lesson 4: Additional Administration Tasks
Understand additional tasks that an Advanced Identity Cloud administrator should be aware of:
  • Introduce outbound static IP addresses
  • View outbound static IP addresses
  • Manage tenant certificates
  • Add a custom domain name
Jul 29
3 days

PD-400-BVP Rev A.1

PingDirectory Administration

This course provides the knowledge you need to install and administer each component of the PingDirectory platform, which includes: PingDirectory server, PingDirectoryProxy server, PingDataSync server, the PingData Software Development Kit (SDK), and Delegated User Administration. This course references real-world scenarios driven by recurring use cases. You learn how to install each PingDirectory platform component, perform basic maintenance, and use the monitoring and troubleshooting tools, while hands-on lab exercises provide first-hand experience installing, configuring, tuning, and using the troubleshooting tools.


This course is built on version 10.

Upon completion of this course, you should be able to:

  • Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks
  • Deploy, fine-tune, and configure the PingDirectory server to meet the needs of your production environment
  • Describe how to install and manage the PingDirectoryProxy server
  • Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server
  • Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.

The following are the prerequisites for successfully completing this course:

  • Knowledge of UNIX/Linux commands.
  • A basic understanding of how directory servers function.
  • A basic understanding of REST and HTTP.
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
  • Completion of the Introduction to PingDirectory available at: https://backstage.pingidentity.com/university/

Chapter 1: Installing PingDirectory

Describe the PingDirectory capabilities and key features, summarize the installation procedures, and review the initial configuration tasks.

Lesson 1: Providing an Overview of PingDirectory
Describe the capabilities and key features of PingDirectory:
  • Describe the key features of PingDirectory
Lesson 2: Installing the PingDirectory Server
Summarize the PingDirectory server installation procedures:
  • Perform pre-installation procedures
  • Install PingDirectory
  • Describe post-installation procedures
Lesson 3: Completing Initial Configuration
Complete the PingDirectory server initial configuration settings:
  • Use server profiles
  • (Optional) Install PingDirectory

Chapter 2: Deploying PingDirectory

Deploy, fine-tune, and configure the PingDirectory server to meet the needs of your production environment.

Lesson 1: Managing the Schema
Describe the functions of the schema, and modify the schema by creating new attribute types, object classes, and a new custom user:
  • Describe the schema
  • Modify the schema
  • Modify the schema
  • Modify object classes
  • Create auxiliary object classes
  • Load custom schema elements
Lesson 2: Managing Objects
Define objects in LDAP and use the command-line tools to search, add, modify, and delete entries:
  • Search entries
  • Manage entries
  • Create objects
Lesson 3: Using Security and Encryption
Describe the basic vulnerabilities in LDAP server implementations, secure server data, use the encryption-settings tool to create an encryption settings database, and create sensitive attributes:
  • Prevent data vulnerability
  • Keep data secure
  • Configure encryption settings
Lesson 4: Using Virtual Attributes
Define virtual attributes and their use, recall the virtual attribute types, and create mirrored virtual attributes:
  • Define virtual attributes
  • Administer virtual attributes
Lesson 5: Managing Password Policies
Describe how to use password policies, and then create and assign password policies to individual accounts and/or user groups:
  • Describe password policies
  • Create a password policy
Lesson 6: Administering JSON Attributes
Describe how to manage and create JSON attributes:
  • Manage JSON attributes
  • Create JSON attributes
  • Manage the Password Policy State JSON
  • Administer JSON Attributes
Lesson 7: Managing the REST APIs
Describe the available REST APIs, list the HTTP methods available, and use the Directory REST API to create and update user entries:
  • Understand the REST APIs
  • Use the SCIM 2.0 REST API
  • Administer the Directory REST API
Lesson 8: Managing Logging
List the three types of available log publishers, describe the elements of the log format, and create log publishers:
  • Manage log publishers
  • Configure logging
  • Create a log publisher
Lesson 9: Managing Replication
Define the replication process and architecture, set up a server topology, enable the replication process, and initialize new replicas:
  • Understand replication
  • Enable replication
  • Resolve conflicts
  • Understand the replication protocol
  • Use replication over WAN
  • Plan deployment
  • Configure replication
  • Scale replication
  • Enable the replication process
Lesson 10: Managing Server Topologies
Discuss the topology registry, create server groups to aid in configuration changes, and compare configurations on separate directory servers:
  • Define the topology registry
  • Administer the server topology
Chapter 3: Administering the PingDirectoryProxy Server

Describe how to install and manage the PingDirectoryProxy server.

Lesson 1: Providing an Overview of the PingDirectoryProxy Server
Describe the capabilities and key features of the PingDirectoryProxy server:
  • Describe the key features
Lesson 2: Installing the PingDirectoryProxy Server
Describe how to install the PingDirectoryProxy server:
  • Describe the installation process
  • Install the PingDirectoryProxy server
Lesson 3: Managing the PingDirectoryProxy Server
Describe the key advanced PingDirectoryProxy server transformation features:
  • Describe the proxy transformations
  • Understand entry balancing
  • Create transformations
Chapter 4: Administering the PingDataSync Server

Describe the functions provided by the PingDataSync server, and how to install, configure, and synchronize the PingDataSync server.

Lesson 1: Providing an Overview of PingDataSync
Describe the capabilities and key features of the PingDataSync server:
  • Describe the key features
Lesson 2: Installing the PingDataSync Server
Summarize the PingDataSync server installation procedures:
  • Install the PingDataSync server
  • Use the start, stop, and restart commands
  • Describe the failover server
  • Install the failover server
  • Install the PingDataSync server
Lesson 3: Configuring the PingDataSync Server
Define and install the PingDataSync server components:
  • Define Sync Pipe components
  • Create the synchronization flow
  • Use the retry mechanism
  • Configure the PingDataSync server
  • Configure and synchronize the PingDataSync server
Lesson 4: Synchronizing the PingDataSync Server
Describe the features needed, in a relational database and AD, to allow synchronization through the PingDataSync server:
  • Synchronize with a relational database
  • Synchronize with AD
Chapter 5: Troubleshooting and Maintenance

Describe common maintenance and necessary troubleshooting tasks needed to optimize PingDirectory performance.

Lesson 1: Providing an Overview of the Server SDK
Provide an overview of the Server SDK:
  • Describe the key features of the Server SDK
Lesson 2: Maintaining the PingDirectory Server
Summarize common PingDirectory maintenance tasks:
  • Use the start, stop, and restart server commands
  • Understand common maintenance tasks
  • Perform maintenance tasks
  • Understand Delegated Admin
  • Configure Delegated Admin
  • Administer Delegated Admin
  • Understand data recovery
  • Perform data recovery
Lesson 3: Monitoring a PingDirectory Deployment
Explain how monitoring is a vital part of a PingDirectory deployment:
  • Monitor the PingDirectory server
Lesson 4: Troubleshooting the PingDirectory server
Provide information about available troubleshooting tools and log files to help ensure the resolution of any problems:
  • Understand how to troubleshoot issues
  • Repair a conflict resolution
  • Use troubleshooting tools


Aug 3
3 days
IG-430-BVP Rev A

PingGateway Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful edge security solution with the PingGateway environment, formerly known as ForgeRock® Identity Gateway. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of PingGateway. Further information and guidance can be found in the documentation and knowledge base documents in the online repositories at: Backstage https://backstage.forgerock.com.

Note: Revision A of this course is based on version 7.2 of PingGateway.

Upon completion of this course, you should be able to:

  • Integrate and protect web applications, APIs, legacy applications, and microservices with the Ping Identity Platform (Identity Platform), formerly known as ForgeRock® Identity Platform, by using PingGateway
  • Add authentication to the ForgeRock Entertainment Company (FEC) solution using PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud, or PingAM (AM), formerly known as ForgeRock® Access Management, as the access manager, OpenID Connect (OIDC) provider, and Security Assertion Markup Language (SAML2) identity provider (IdP)
  • Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice
  • Protect a REST API with PingGateway and extend PingGateway functionality with scripting
  • Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingGateway Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjQ%3D/chapter/Q291cnNlOjE1NzI2

Chapter 1: Integrating Applications With PingGateway

Integrate and protect web applications, APIs, legacy applications, and microservices with Identity Platform by using PingGateway.

Lesson 1: Introducing PingGateway
Introduce PingGateway and discuss scenarios for protecting web applications, APIs, and legacy applications:
  • Introduce PingGateway
  • Describe PingGateway features
  • Compare PingGateway with policy agents
  • Explore PingGateway integration with web applications
  • Describe PingGateway integration with OIDC and SAML
  • Explore PingGateway policy enforcement and second-factor authentication (2FA)
  • Describe PingGateway protection of APIs
  • Access your CloudShare VM
  • Examine the lab environment
  • Access the FEC and DVD4U websites
Lesson 2: Fronting a Website With PingGateway
Configure PingGateway to listen for secure connections, operate in development mode, and be a reverse proxy in front of the FEC website:
  • Examine the PingGateway configuration structure
  • Describe required PingGateway configuration
  • Configure PingGateway for secure connections
  • Configure PingGateway routes
  • Creating and managing routes in PingGateway Studio
  • Protect a website by using PingGateway Studio
  • Upgrade a route to use WebSockets
  • Configure PingGateway for development mode and TLS connections
  • Protect the FEC website with PingGateway by using PingGateway Studio
  • Manage routes in PingGateway Studio and examine PingGateway log files
Lesson 3: Routing Requests and Responses
Configure PingGateway to route requests depending on external conditions, and use various filters and handlers to process requests and responses within a route:
  • Describe the PingGateway object model
  • Examine objects available in routes
  • Retrieve context data and configure sessions
  • Route requests depending on conditions
  • Describe route handlers
  • Manage requests and responses with a route handler
  • Process requests and responses with filters
  • Create a route to allow access to a public area of FEC
  • Add a page not found route
  • Create a route to access the legacy DVD4U application
  • Add password replay for the DVD4U application
Lesson 4: Configuring PingGateway Logging and Capturing Route Communication
Introduce decorators, capture information in the PingGateway logs using the CaptureDecorator, and retrieve credentials from a file with a FileAttributesFilter:
  • Manage PingGateway logs
  • Introduce Decorators
  • Configure route activity logs
  • Capture inbound and outbound communication
  • Retrieve credentials from a file
  • Observe requests and responses in PingGateway logs
  • Test different capture configuration settings
  • Centralize PingGateway logging configuration
  • Modify the DVD4U route to get credentials from a file
  • Use Logback configuration for troubleshooting
Chapter 2: Configuring Agentless Single Sign-On

Add authentication to the FEC solution, using Advanced Identity Cloud or AM as the access manager, OIDC provider, and SAML2 identity provider.

Lesson 1: Implementing Authentication with the SSO Filter
Implement authentication for websites with the single sign-on (SSO) filter by using PingGateway to interact with Advanced Identity Cloud or AM as the authentication server, to ensure access to non-public content requires authentication:
  • Create a route by using the PingGateway Studio Freeform Designer
  • Configure Advanced Identity Cloud or AM as a service
  • Describe how to use the SSO Filter
  • Retrieve user data from the authentication provider
  • Configure PingGateway as an HTTPS client
  • Create a route with the PingGateway Studio Freeform Designer
  • Redirect requests to AM for authentication
  • Configure PingGateway for client-side HTTPS
  • Access properties in SSO token context
  • Retrieve user profile data for display in a web page
  • Store information in a PingGateway HTTP session
  • Configure capture decorators in Freeform Designer
Lesson 2: Configuring CDSSO for the Legacy Application
Configure cross-domain single sign-on (CDSSO) to support applications located in different domains, by using the CrossDomainSingleSignOnFilter:
  • Describe the CDSSO Filter
  • Configure the CDSSO Filter Solution
  • Configure CDSSO redirect endpoints
  • Integrate the legacy application with CDSSO
  • Create a new route to protect DVD4U with CDSSO and AM
  • Update the DVD4U route to automatically log in the authenticated user
  • Prepare the Advanced Identity Cloud tenant
  • Protect the DVD4U and FEC websites using CDSSO with Advanced Identity Cloud
Lesson 3: Performing SSO With PingGateway as an OIDC Relying Party
Configure PingGateway to operate as an OIDC client (relying party) to offer potential subscriber users access to the trial sections and immediate access to promotional content of the website by using their Gmail account:
  • Describe basic OIDC concepts
  • Configure PingGateway as an OIDC client
  • Examine the flow of OIDC redirects for authentication and consent
  • Explore the flow of OIDC callbacks and data injection
  • Configure an OIDC relying party route
  • Examine the OIDC relying party solution
Lesson 4: Providing SSO with PingGateway as a SAML2 SP
Configure PingGateway to act as a SAML2 service provider (SP), enabling an application to be SAML2-compliant:
  • Authenticate with a SAML2 identity provider (IdP)
  • Describe the use of the SAML federation handler
  • Describe the use of the dispatch handler
  • Describe the SAML2 implementation flow
  • Set up SAML2 configuration files for PingGateway
  • Configure a SAML2 route for the trial section
  • Examine the SAML2 solution (optional)
Chapter 3: Controlling Access with PingGateway as Policy Enforcement Point

Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice.

Lesson 1: Implementing Authorization With a Policy Enforcement Filter
Configure PingGateway to manage access to a website by evaluating policies configured in Advanced Identity Cloud (or AM) and using a PolicyEnforcementFilter:
  • Describe the use of the Policy Enforcement Filter
  • Illustrate the use of the Policy Enforcement Filter
  • Configure a policy enforcement point (PEP) route for the premium section of FEC
  • Examine the PEP solution (optional)
Lesson 2: Providing Step-Up Authentication and Transactional Authorization
Illustrate how PingGateway handles step-up authentication and transactional authorization policy advices with Advanced Identity Cloud (or AM):
  • Describe step-up authentication
  • Illustrate how PingGateway handles step-up authentication
  • Describe transactional authorization
  • Illustrate how PingGateway handles transactional authorization
  • Configure a PEP route for the on demand and profile sections of FEC
  • Examine the profile solution (optional)
  • Examine the on-demand solution (optional)
Chapter 4: Protecting a REST API

Protect a REST API with PingGateway and extend PingGateway functionality with scripting.

Lesson 1: Configuring PingGateway as an OAuth2 Resource Server
Configure PingGateway to act as an OAuth2 resource server that protects a REST API:
  • Describe the use of the OAuth2 resource server filter
  • List access token resolvers
  • Validate certificate-bound access tokens
  • Observe the flow with the token introspection resolver
  • Prepare the OAuth2 solution to protect the FEC REST API
  • Configure PingGateway to protect the FEC REST APIs
  • Examine the REST API solution (optional)
Lesson 2: Extending Functionality With Scripts
Log information on context, implement dynamic scopes to manage access to resources, and refine allowed access using script-based objects in PingGateway:
  • Describe the scripting functionality for extending PingGateway
  • Explore scriptable objects
  • Examine dynamic scopes solution
  • Describe OAuth2 token swapping in PingGateway
  • Configure a scriptable filter to log the content of the OAuth2 context
  • Configure a dynamic scopes script
  • Configure a scriptable filter to retrieve the correct favorite list
Chapter 5: Preparing for Production with PingGateway

Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment.

Lesson 1: Auditing, Monitoring, and Tuning a PingGateway Solution
Prepare PingGateway for a production environment by considering auditing, monitoring, tuning, security, and deployment topics:
  • Describe the audit framework
  • Excluding sensitive data from audit logs
  • Accessing the Common REST API monitoring endpoint
  • Decreasing the number of requests through caching
Lesson 2: Developing an Awareness of Security Questions With PingGateway
Develop awareness of best practices, describe JwtSessions, examine common secrets, and manage request rates and throttling:
  • Discuss PingGateway best practices regarding security
  • Examine the common secrets
  • Explore secret store types
  • Describe throttling
  • Create common secret stores
  • Configure throttling
Lesson 3: Deploying PingGateway
Explore how to deploy PingGateway into a production context by using property value substitution and clustering:
  • Describe property value substitution
  • Set up multiple PingGateway instances
  • Integrate configuration tokens in the solution
  • Deploy a second PingGateway instance
Aug 3
5 days
PDAA-400-BVP Rev A

PingDirectory Advanced Administration

This course deepens your PingDirectory platform knowledge by diving into advanced concepts and exploring specific topics to expand your administrator capabilities.


This course consists of lectures and hands-on lab exercises which reference real-world scenarios driven by recurring use cases. Each student is required to provide their own laptop that has an SSH client and configuration allowing connections to WiFi and access to external servers.


The following are the prerequisites for successfully completing this course:

  • Completion of the PingDirectory Administration course, or
  • Equivalent experience with PingDirectory

Day 1:

  • Overview: Course structure and general housekeeping
  • Advanced configuration
    • Dsconfig options
      • Lab 1: Configure PingDirectory to run on server setup
      • Lab 2: Using soft deletes
      • Lab 3: Creating custom data
      • Lab 4: Creating client connection policies
  • PingDirectory and JVM Heap
    • Lab 5: Alarms, Alerts, and Gauges
    • Lab 6: Managing Certificates
Day 2:

  • Lab 7: The consent API
  • Lab 8: Advanced schema and entry management
  • Lab 9: Advanced logging
  • Lab 10: Working with ACIs
  • Lab 11: Working with indexes
Day 3:

  • Lab 12: Reverting an upgrade
  • The topology registry
    • Lab 13: Managing the topology and replication
  • Remove a defunct server from the topology
  • Manually initialize a server
    • Lab 14: Advanced PingDirectoryProxy Server
  • Entry balancing
  • Global indexes
  • Groups and entry balancing
  • Replication and entry balancing
  • Entry balancing monitoring
  • Dynamic rebalancing

Day 4:

  • Lab 15: PingDataSync and Active Directory
  • Lab 16: PingDataSync and PingOne
    • View the PingOne configuration
    • Using PingOne as a sync destination
    • Setting up pass-through authentication to PingOne


Aug 10
4 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and Using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Aug 17
5 days
P1-400-BVP Rev A.1

PingOne Administration

This course gives learners the tools to get started with PingOne administration. It covers initial setup tasks, including creating and managing PingOne environments, application integration, and customization. This course also provides information on most common administration tasks, including user and group management, managing access policies, best practices, and troubleshooting of common issues.

Upon completion of this course, you should be able to:

  • Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment
  • Demonstrate administration of PingOne user populations, user roles, attributes, and groups
  • Demonstrate integration and troubleshooting of PingOne applications
  • Demonstrate how to use access control policies within PingOne
  • Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne
  • Demonstrate troubleshooting techniques and best practices within PingOne

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses available at: https://backstage.forgerock.com/university/ping/on-demand/category/PING
  • PingOne Fundamentals
  • Introduction to PingOne MFA
  • Getting Started With PingOne MFA
  • Getting Started With PingOne SSO
  • (Optional) Introduction to PingOne DaVinci
Chapter 1: Introducing PingOne

Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment.

Lesson 1: Providing an Overview of PingOne
Summarize PingOne capabilities and key features:
  • Describe PingOne as a cloud-based IDaaS solution
  • Describe PingOne environment solutions
  • Create a new environment
Lesson 2: Introducing Ping Identity Support Resources
Describe PingOne support resources:
  • Locate Ping Identity support resources
Chapter 2: Managing Users

Demonstrate administration of PingOne user populations, user roles, attributes, and groups.


Lesson 1: Managing Users and Populations

Describe how to manage users in PingOne, including how to create populations and add individual users:

  • Review default users
  • Edit default users
  • Create populations
  • Create a new population
  • Create new users
  • Create a new user
Lesson 2: Managing User Roles, Attributes, and Groups
Create a new population and new users:
  • Manage administrator roles
  • Assign roles to administrators
  • Understand user attributes
  • Manage user attributes
  • Manage user groups
  • Manage user group memberships
Chapter 3: Defining Application Integration

Demonstrate integration and troubleshooting of PingOne applications.

Lesson 1: Describing the Supported Federation Protocols
Understand the various identity federation protocols used within PingOne:
  • Understand federation protocols
  • Add an application from the catalog
  • Understand SAML2
  • Add a custom SAML2 application
  • Understand OAuth2
  • Understand OIDC
  • Add a custom OIDC application
  • Administer the Application Portal
Lesson 2: Troubleshooting Common PingOne Issues
Describe common issues that occur in PingOne, troubleshooting steps, and best practices:
  • Describe authentication failures
  • Define SSO failures
  • Describe attribute mapping errors
  • Determine certificate issues
  • Define group membership issues
  • Describe application integration issues
  • Define gateway access issues
  • Describe best practices
Chapter 4: Configuring Access Control

Demonstrate how to use access control policies within PingOne.

Lesson 1: Managing Authentication Policies
Describe how to create and manage authentication policies in PingOne:
  • Describe authentication policies
  • Create an authentication policy
Lesson 2: Managing Password Policies
Describe how to manage password policies in PingOne:
  • Define password policies
  • Edit a password policy
Lesson 3: Using Additional Authentication Methods
Describe how to create and manage authentication methods used in PingOne policies:
  • Describe MFA and FIDO policies
  • Create an MFA policy
  • Create a FIDO policy
Chapter 5: Managing the Identity Lifecycle

Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne.

Lesson 1: Managing User Onboarding
Discuss the initial stages of the identity lifecycle within PingOne, and describe how new user accounts are created and made ready for access:
  • Onboard users
  • Create users manually
Lesson 2: Understanding User Provisioning
Explain how PingOne automates the management of user access to applications, building upon the user identities created during onboarding:
  • Provision users
Lesson 3: Understanding User Maintenance
Describe how to manage the user maintenance capabilities in PingOne:
  • Administer user accounts
  • Manage a user account
Lesson 4: Managing User Offboarding
Understand the critical process of user offboarding within PingOne:
  • Offboard users
Lesson 5: Monitoring and Reporting
Explain the importance of monitoring and reporting within PingOne:
  • Monitor activity and view reports

Chapter 6: Troubleshooting and Best Practices

Demonstrate troubleshooting techniques and best practices within PingOne.

Lesson 1: Managing the Troubleshooting Process
Summarize the troubleshooting process and common techniques within PingOne:
  • Introduce the troubleshooting process
  • Understand common troubleshooting techniques
Lesson 2: Reviewing Best Practices
Summarize PingOne administration best practices:
  • Maintain a healthy PingOne environment
Aug 20
2 days
P1DV-300-BVP Rev B

Getting Started With PingOne DaVinci

This course provides the foundation to design, build, and integrate identity orchestration flows using PingOne DaVinci (DaVinci). You will create user interactions, extend flows with APIs, and integrate these solutions into applications. You will also leverage core PingOne services like SSO, identity management, and analytics. Through hands-on labs and instruction, you will gain the skills to deploy real-world orchestration solutions with confidence.

Upon completion of this course, you should be able to:

  • Build basic user interactions with DaVinci flows
  • Integrate a DaVinci flow into an application
  • Integrate PingOne single sign-on (SSO) and identities in DaVinci flows
  • Build an authentication flow in DaVinci
  • Provide custom analytics in a DaVinci flow

The following are the prerequisites for successfully completing this course:

  • Basic understanding of JavaScript, HTML, CSS, and the PingOne Platform
  • Completion of the Introduction to PingOne DaVinci course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Chapter 1: Building Basic User Interactions With DaVinci Flows


Build basic user interactions with DaVinci flows.


Lesson 1: Defining the Basic Flow and Interaction Steps

Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Introduce the PingOne Platform and DaVinci
  • Access and launch the DaVinci admin console
  • Understand Flows
  • Build basic user interaction in a flow


Lesson 2: Using Functions and API Calls
Define the basic flow and provide an introduction to the foundational concepts of DaVinci:

  • Extend DaVinci flows
  • Verify the age of the user
  • Make an API call
  • Collect the user’s email and password
  • Implement a robot check
  • Document the flow


Lesson 3: Improving the User Experience
Use more advanced concepts in DaVinci to implement your flows:

  • Improve the UI
  • Convert user interactions to use HTML templates


Lesson 4: Using Variables and Form Validation

Expand further the functionality of your existing flow by using flow variables and improving interaction with the user:

  • Incorporate variables
  • Understand localizing flows
  • Use flow variables and form validation
  • Incorporate form validation
  • Improve form validation inputs
  • Troubleshoot issues


Lesson 5: Using Subflows to Manage Complexity
Externalize functionality that is often reused or complex to its own flow; for example, if the flow needed to connect to an API that isn’t available as a native connector, CRUD operations could be built in a new flow that could be leveraged by many:

  • Create and use subflows
  • Implement the subflow
  • Replace the API call with the subflow


Chapter 2: Integrating a DaVinci Flow Into an Application


Integrate a DaVinci flow into an application.


Lesson 1: Integrating an Application to Launch a Flow

Integrate the flow into a web application which allows the application to provide the CSS (look and feel). Other flows can also be integrated to enable a richer user experience:

  • Add a flow to a web application
  • Create and customize the application


Lesson 2: Using a CSS in Flows vs Applications
Review how CSS is leveraged in a flow vs an application, and determine the advantages of leaving the presentation layer controlled by your application rather than using a CSS in your flow:

  • Leverage a CSS
  • Determine how a custom CSS in a flow is embedded with a web application


Lesson 3: Adding a Flow to an Existing Application

Take the flow and integrate it into a web application:

  • Embed flows using the widget method
  • Import the DaVinci JavaScript library
  • Create a JavaScript method to call the flow


Lesson 4: Integrating Non-UI Flows

Explore how DaVinci can accelerate development when integrating with backend services and APIs, enriching the overall user experience:

  • Integrate a non-UI flow
  • Build out your flow
  • Integrate the flow


Lesson 5: Passing Data Into a Flow From an Application

Run through the process of passing data into a flow, whether it has user interaction or not:

  • Enable dynamic flows
  • Create and integrate a DaVinci subflow


Lesson 6: Performing A/B Testing

Define a flow that deals with age first, instead of name, during registration:

  • Understand A/B testing
  • Define a new flow
  • Incorporate flow policies
  • Build out a flow policy


Chapter 3: Integrating PingOne SSO and Identities in DaVinci Flows


Integrate PingOne SSO and identities in DaVinci flows.


Lesson 1: Setting Up Parallel Processing

Set up a flow that has two paths that execute in parallel and then come to their own conclusion:

  • Implement parallel processing
  • Leverage the PingOne Notification service


Lesson 2: Automating Flows With DaVinci Admin APIs

Learn how to manage DaVinci programmatically using the DaVinci Admin APIs:

  • Understand DaVinci Admin APIs
  • Explain administrator roles


Lesson 3: Creating Registered Accounts

Take the information collected during the registration process and create a user account in PingOne, which is the first step to expanding the capabilities of the application to support authentication:

  • Create registered accounts
  • Review your PingOne setup
  • Build out a new registration flow
  • Verify if an account already exists


Lesson 4: Verifying an Email Address

Establish a process to verify the email address of the user:

  • Configure email verification
  • Create an email verification subflow
  • Complete the subflow


Chapter 4: Building an Authentication Flow in DaVinci


Build an authentication flow in DaVinci.


Lesson 1: Handling Authentication

Handle authentication for the application:

  • Design and implement the authentication flow
  • Design the flow logic
  • Implement teleports for flow efficiency
  • Authenticate and validate user identity


Lesson 2: Handling Forgotten Passwords

Handle forgotten passwords in the authentication flow:

  • Manage password recovery flows
  • Develop the end-to-end forgot password flow


Lesson 3: Adding an Authentication Method

Add another method of authentication, an email magic link, for the users of the application:

  • Implement magic link authentication
  • Add a magic link authentication method


Chapter 5: Providing Custom Analytics in a DaVinci Flow


Provide custom analytics in a DaVinci flow.


Lesson 1: Leveraging Analytics to Monitor Flow Usage

Implement custom analytics to track key business milestones and user behavior across DaVinci flows:

  • Understand and apply flow analytics
  • Configure authentication analysis

Aug 26
3 days
PDS-400-BVP Rev A

PingDS Administration

This course is designed to provide students with the knowledge and concepts necessary to install, configure, and maintain a PingDS (DS), formerly known as ForgeRock® Directory Services, deployment.

Note: Revision A of this course is based on version 8.0.0 of DS.


Upon completion of this course, you should be able to:

  • Understand how to deploy directory servers and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin
  • Measure performance, tune, and troubleshoot DS
  • Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services

The following are the prerequisites for successfully completing this course:

  • Knowledge of Lightweight Directory Access Protocol (LDAP).
  • An understanding of how directory servers function.
  • An understanding of REST and HTTP.
  • Knowledge of UNIX/Linux commands.
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required.

Completion of the PDS-100: Introduction to PingDS and PDS-330: Getting Started with PingDS on-demand courses.

Chapter 1: Deploying Directory Services

Understand how to deploy directory servers and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin.

Lesson 1: Installing Directory Servers
Install directory servers for custom and Ping Identity Platform (Identity Platform) product deployments:
  • Prepare for a directory server installation
  • Access your lab environment
  • Prepare the lab environment
  • Install a directory server
  • Prepare directory servers for Identity Platform installations
  • Set up directory servers for AM
  • Set up a directory server as an IDM repository
  • Synchronize passwords with IDM
  • Configure password synchronization

Lesson 2: Replicating Data

Implement high availability for directory servers and maintain, monitor, and restore a replicated directory server topology:
  • Plan for replication
  • Install a replicated topology
  • Manage a replicated topology
  • Monitor and maintain replication
Lesson 3: Upgrading DS Servers
Prepare for and perform an upgrade of directory servers in a DS 7 replicated topology to DS 8:
  • Describe upgrade options
  • Upgrade DS 7 servers to DS 8
Lesson 4: Installing DS Directory Proxy
Understand the role of DS directory proxy and install DS directory proxy to provide a single point of entry to directory servers:
  • Introduce DS directory proxy
  • Install DS directory proxy
  • Provide a single point of access to replicas
Chapter 2: Tuning and Troubleshooting DS

Measure performance, tune, and troubleshoot DS.

Lesson 1: Measuring Performance
Understand performance requirements and settings that may be tuned to improve directory server performance:
  • Explain settings that affect performance
  • Prepare the lab environment
  • Tune the JE DB cache and generate performance tests
Lesson 2: Troubleshooting
Configure log files, collect troubleshooting data for Support, and monitor a DS deployment with Prometheus and Grafana:
  • Explain how to collect data for support
  • Collect data for support
  • Explore log files
  • Manage log files
  • Monitor a DS deployment
  • Observe monitoring metrics
Chapter 3: Accessing PingDS over HTTP(S)

Use the HTTP Directory Access Protocol (HDAP) APIs for REST-based HTTP(S) access to directory services.

Lesson 1: Introducing HDAP
Access directory servers and perform operations over HTTP(S):
  • Describe REST-based HTTP access
  • Prepare the lab environment
  • Examine HTTP and HDAP configuration properties
  • Verify HDAP authentication
  • Explain HDAP operations
  • Manage resources with HDAP
Lesson 2: Using Account Management Actions
Manage passwords and display account usability information and resource schema:
  • Manage passwords
  • Update passwords
  • View JSON Schema
  • Get JSON schema
Sep 9
3 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and Using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Sep 21
5 days
PIDM-400 BVP Rev A

PingIDM Administration

Learn how to install and deploy PingIDM (IDM) in an on-prem or self-managed cloud environment to manage the lifecycle and relationship of digital identities. Topics include how to model identity objects in IDM, create connector configurations and synchronization mappings to manage the flow of identity objects and properties with various external identity resources, manage workflows, and deploy IDM within a cluster. This course explores the identity management-related features in depth, how they work, and the configuration options available during implementation.

Note: Revision A of this course is based on version 8.0.1 of PingIDM.

Upon completion of this course, you should be able to:

  • Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM
  • Create and configure connections between external resources and IDM
  • Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store
  • Install and deploy IDM in an on-prem or cloud provider Linux environment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingIDM Essentials course available at: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Basic knowledge and skills using the Linux operating system will be required to complete the labs.
  • Basic knowledge of JSON, JavaScript, REST, Java, Groovy, SQL and LDAP would be helpful for understanding the examples; however, programming experience is not required.

Chapter 1: Building and Configuring the Prerequisites

Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM.

Lesson 1: Setting Up the Lab
Provide an overview of how to set up the lab environment:

  • Install IDM
  • Explore the auxiliary software

Lesson 2: Modeling Objects and Identities
Describe how to model objects and identities via REST:

  • Introduce the Postman collection
  • Run the Postman collection

Lesson 3: Setting Up the End-User UI
Describe how to configure the end-user UI:

  • Install and configure the end-user UI
  • Retrieve, compile and deploy the end-user UI
  • Access the end-user UI

Chapter 2: Managing Connectors

Create and configure connections between external resources and IDM.

Lesson 1: Configuring Connectors With the IDM Admin UI
Create a connector configuration to connect to an external resource using the IDM admin UI:

  • Connect external resources to IDM
  • Create a connector configuration using the IDM admin UI
  • Add a connector configuration for an external LDAP resource
  • Add a CSV connector configuration
  • Add a connector configuration to import device identities

Lesson 2: Configuring Connectors Over REST
Create a connector configuration in IDM over the REST interface:

  • Create a connector configuration over REST
  • Describe the core connector configuration settings
  • Describe the object types and property mappings
  • Use the scripted SQL connector
  • Create a scripted SQL connector configuration

Chapter 3: Managing Synchronization and Reconciliation

Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store.

Lesson 1: Performing Basic Synchronization
Describe how to use the IDM admin UI to create sync mappings to reconcile identities between IDM and an external resource:

  • Create mappings to synchronize identity objects and properties
  • Create a sync mapping from IDM to an external resource
  • Add source and target properties to the sync mapping
  • Add a correlation query and a situational event script
  • Set the situational behaviors and run reconciliation
  • Add a sync mapping from IDM to an LDAP server
  • Describe the sync mapping from an LDAP server to IDM
  • Add a sync mapping from an LDAP server to IDM
  • Create a sync mapping to provision devices to the IDM repository

Lesson 2: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:

  • Filter entries
  • Run selective synchronization using filters
  • Use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Schedule LiveSync
  • Schedule LiveSync with an external resource
  • Control synchronization to multiple targets

Lesson 3: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:

  • Provision attributes to a target system based on static role assignments
  • Enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Add temporal constraints to a role
  • Set temporal constraints on a role

Lesson 4: Configuring a Custom Endpoint
Describe how to configure a custom endpoint:

  • Use a custom endpoint
  • Create a custom endpoint (optional)

Chapter 4: Installing and Deploying IDM

Install and deploy IDM in an on-prem or cloud provider Linux environment.

Lesson 1: Installing an IDM instance
Install a stand-alone IDM instance for development and test the IDM sample configurations:

  • Describe the basic IDM installation requirements
  • Install and start IDM
  • Install IDM
  • Select MariaDB as a backend repository
  • Describe how to start IDM with a sample configuration
  • Start IDM with a sample configuration
  • Describe how to configure IDM to run as a background process or service
  • Configure IDM to run as a background process

Lesson 2: Monitoring and Troubleshooting
Describe how to set up monitoring and perform basic troubleshooting:

  • Describe the monitoring options available for IDM
  • Set up monitoring in IDM
  • Describe the different IDM log files
  • Examine the different log files in IDM (optional)

Lesson 3: Managing Passwords
Describe how to set up and fine-tune password policies and synchronizations in an IDM deployment:

  • Describe password policies in IDM
  • Set up password policies in IDM
  • Describe password synchronization from DS into IDM
  • Set up password synchronization from DS into IDM
Sep 21
3 days
PIDM-400 BVP Rev A

PingIDM Administration

Learn how to install and deploy PingIDM (IDM) in an on-prem or self-managed cloud environment to manage the lifecycle and relationship of digital identities. Topics include how to model identity objects in IDM, create connector configurations and synchronization mappings to manage the flow of identity objects and properties with various external identity resources, manage workflows, and deploy IDM within a cluster. This course explores the identity management-related features in depth, how they work, and the configuration options available during implementation.

Note: Revision A of this course is based on version 8.0.1 of PingIDM.

Upon completion of this course, you should be able to:

  • Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM
  • Create and configure connections between external resources and IDM
  • Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store
  • Install and deploy IDM in an on-prem or cloud provider Linux environment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingIDM Essentials course available at: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Basic knowledge and skills using the Linux operating system will be required to complete the labs.
  • Basic knowledge of JSON, JavaScript, REST, Java, Groovy, SQL and LDAP would be helpful for understanding the examples; however, programming experience is not required.

Chapter 1: Building and Configuring the Prerequisites

Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM.

Lesson 1: Setting Up the Lab
Provide an overview of how to set up the lab environment:

  • Install IDM
  • Explore the auxiliary software

Lesson 2: Modeling Objects and Identities
Describe how to model objects and identities via REST:

  • Introduce the Postman collection
  • Run the Postman collection

Lesson 3: Setting Up the End-User UI
Describe how to configure the end-user UI:

  • Install and configure the end-user UI
  • Retrieve, compile and deploy the end-user UI
  • Access the end-user UI

Chapter 2: Managing Connectors

Create and configure connections between external resources and IDM.

Lesson 1: Configuring Connectors With the IDM Admin UI
Create a connector configuration to connect to an external resource using the IDM admin UI:

  • Connect external resources to IDM
  • Create a connector configuration using the IDM admin UI
  • Add a connector configuration for an external LDAP resource
  • Add a CSV connector configuration
  • Add a connector configuration to import device identities

Lesson 2: Configuring Connectors Over REST
Create a connector configuration in IDM over the REST interface:

  • Create a connector configuration over REST
  • Describe the core connector configuration settings
  • Describe the object types and property mappings
  • Use the scripted SQL connector
  • Create a scripted SQL connector configuration

Chapter 3: Managing Synchronization and Reconciliation

Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store.

Lesson 1: Performing Basic Synchronization
Describe how to use the IDM admin UI to create sync mappings to reconcile identities between IDM and an external resource:

  • Create mappings to synchronize identity objects and properties
  • Create a sync mapping from IDM to an external resource
  • Add source and target properties to the sync mapping
  • Add a correlation query and a situational event script
  • Set the situational behaviors and run reconciliation
  • Add a sync mapping from IDM to an LDAP server
  • Describe the sync mapping from an LDAP server to IDM
  • Add a sync mapping from an LDAP server to IDM
  • Create a sync mapping to provision devices to the IDM repository

Lesson 2: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:

  • Filter entries
  • Run selective synchronization using filters
  • Use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Schedule LiveSync
  • Schedule LiveSync with an external resource
  • Control synchronization to multiple targets

Lesson 3: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:

  • Provision attributes to a target system based on static role assignments
  • Enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Add temporal constraints to a role
  • Set temporal constraints on a role

Lesson 4: Configuring a Custom Endpoint
Describe how to configure a custom endpoint:

  • Use a custom endpoint
  • Create a custom endpoint (optional)

Chapter 4: Installing and Deploying IDM

Install and deploy IDM in an on-prem or cloud provider Linux environment.

Lesson 1: Installing an IDM instance
Install a stand-alone IDM instance for development and test the IDM sample configurations:

  • Describe the basic IDM installation requirements
  • Install and start IDM
  • Install IDM
  • Select MariaDB as a backend repository
  • Describe how to start IDM with a sample configuration
  • Start IDM with a sample configuration
  • Describe how to configure IDM to run as a background process or service
  • Configure IDM to run as a background process

Lesson 2: Monitoring and Troubleshooting
Describe how to set up monitoring and perform basic troubleshooting:

  • Describe the monitoring options available for IDM
  • Set up monitoring in IDM
  • Describe the different IDM log files
  • Examine the different log files in IDM (optional)

Lesson 3: Managing Passwords
Describe how to set up and fine-tune password policies and synchronizations in an IDM deployment:

  • Describe password policies in IDM
  • Set up password policies in IDM
  • Describe password synchronization from DS into IDM
  • Set up password synchronization from DS into IDM
Sep 28
3 days
PF-300-BVP Rev A

PingFederate Administration

This course implements various use cases with PingFederate and introduces industry concepts such as federation, SAML, and OAuth. The course also includes PingFederate-specific topics such as integration kits, adapters, SSO connections, and OAuth configuration. Hands-on exercises allow the participants to have first-hand experience in configuring PingFederate, establishing a web SSO connection and OAuth clients, and doing some basic troubleshooting.


The following are the prerequisites for successfully completing this course:

  • Completion of the Getting Started With PingFederate course available at:
    • https://backstage.forgerock.com/university/ping/on-demand/category/PING

Day 1: Background of Federation Web SSO and Core Product

  • Introduction to identity federation
  • Introduction to integration kits
  • Configuring SP and IdP adapters and password credential validators
    • Lab 1: HTML Form Adapter and Reference ID adapter configuration
  • Introduction to SAML
  • Configuring IdP and SP SSO connection
    • Lab 2: Creating connections for IdP and SP web SSO
  • Server logs
  • Lab 3: Review the server logs to follow an SSO transaction

Day 2: Further Integration and PingFederate Functionality

  • Attribute mapping and data source
    • Lab 4: Mapping attributes from external sources
    • Lab 5: Using an external source for authentication
  • Introduction to authentication policies
    • Lab 6: Creating authentication selectors, policy contracts, and authentication policies
    • Lab 7: Tracing SSO transactions in the PingFederate logs

Day 3: OAuth2 and Advanced Administration

  • Introduction to OAuth2
  • OAuth2 scopes and access tokens
    • Lab 8: Configuring OAuth2 grants (including token validation, authorization code)
    • Lab 9: Create an OAuth client for client credentials grant type
    • Lab 10: Create an OAuth client for a resource server
    • Lab 11: Create an OAuth client for authorization grant type
  • Introduction to OIDC
  • PingFederate administrative API
    • Lab 12: Using the admin API
  • Server administration
  • Deployment scenarios and clustering
    • Lab 13 (optional): Configuring a cluster
Oct 5
3 days
PA-400 BVP Rev A

PingAccess Administration

This course provides the information you need to set up and configure PingAccess as a policy server to protect both web applications and APIs. After completing this course, you will know how to configure PingAccess in both a gateway and agent model, and configure different types of policies that PingAccess offers.

Upon completion of this course, you should be able to:

  • Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate)
  • Configure PingAccess as a Reverse Proxy
  • Configure policies in PingAccess to further bolster administration capabilities

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Introduction to PingAccess
  • Getting Started With PingAccess
  • Introduction to PingFederate
  • Getting Started With PingFederate

Chapter 1: Configuring and Connecting PingAccess

Discover how to configure PingAccess as a reverse proxy, and connect PingAccess to a token provider (PingFederate).

Lesson 1: Configuring PingAccess as a Reverse Proxy (Gateway Model)

Describe how to configure PingAccess as a reverse proxy (gateway model):

  • Introduce the gateway model
  • Enable PingAccess as a reverse proxy
  • Configure PingAccess resources and rewrite rules

Lesson 2: Connecting PingAccess to a Token Provider (PingFederate)

Describe the responsibilities of token providers and how to configure PingAccess to use PingFederate as a token provider:

  • Introduce token providers
  • Configure OAuth2 in PingFederate
  • Configure PingAccess using the gateway model

Chapter 2: Configuring PingAccess Applications, Agents, and Sites

Configure PingAccess as a Reverse Proxy.

Lesson 1: Protecting Web Apps

Describe how to protect web apps by configuring them with PingAccess and OpenID Connect (OIDC):

  • Define the OIDC protocol
  • Introduce web sessions
  • Create a web session using OIDC claims

Lesson 2: Working With Sites

Create identity mappings and advanced web sessions:

  • Create identity mappings and advanced web sessions

Lesson 3: Working With Rules and Policies

Describe how to work with rules and policies within PingAccess:

  • Describe the rules and policies process
  • Create web access rules
  • Create API access control rules

Chapter 3: Configuring Policies and Administration

Configure policies in PingAccess to further bolster administration capabilities.

Lesson 1: Maintaining PingAccess

Discuss how to maintain PingAccess through resources, audit logs, and redirection:

  • Dive deeper into resources
  • Examine audit logs
  • Manage redirection

Lesson 2: Configuring PingAccess as a Policy Server (Agent Model)

Configure PingAccess to be a policy server by implementing the agent model:

  • Introduce the agent model

Lesson 3: Optimizing and Configuring PingAccess

Optimize PingAccess through configuration, single sign-on (SSO), and the admin API:

  • Implement improvements
  • Enable PingAccess administrator SSO
  • Use the PingAccess administrative API
  • Increase the JVM Heap Size

Lesson 4: Creating PingAccess Clusters

Create PingAccess clusters to increase resilience and simplify procedures:

  • Deploy clusters
  • Configure simple clusters in PingAccess (Optional)
Oct 8
2 days
PIDM-400 BVP Rev A

PingIDM Administration

Learn how to install and deploy PingIDM (IDM) in an on-prem or self-managed cloud environment to manage the lifecycle and relationship of digital identities. Topics include how to model identity objects in IDM, create connector configurations and synchronization mappings to manage the flow of identity objects and properties with various external identity resources, manage workflows, and deploy IDM within a cluster. This course explores the identity management-related features in depth, how they work, and the configuration options available during implementation.

Note: Revision A of this course is based on version 8.0.1 of PingIDM.

Upon completion of this course, you should be able to:

  • Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM
  • Create and configure connections between external resources and IDM
  • Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store
  • Install and deploy IDM in an on-prem or cloud provider Linux environment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingIDM Essentials course available at: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Basic knowledge and skills using the Linux operating system will be required to complete the labs.
  • Basic knowledge of JSON, JavaScript, REST, Java, Groovy, SQL and LDAP would be helpful for understanding the examples; however, programming experience is not required.

Chapter 1: Building and Configuring the Prerequisites

Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM.

Lesson 1: Setting Up the Lab
Provide an overview of how to set up the lab environment:

  • Install IDM
  • Explore the auxiliary software

Lesson 2: Modeling Objects and Identities
Describe how to model objects and identities via REST:

  • Introduce the Postman collection
  • Run the Postman collection

Lesson 3: Setting Up the End-User UI
Describe how to configure the end-user UI:

  • Install and configure the end-user UI
  • Retrieve, compile and deploy the end-user UI
  • Access the end-user UI

Chapter 2: Managing Connectors

Create and configure connections between external resources and IDM.

Lesson 1: Configuring Connectors With the IDM Admin UI
Create a connector configuration to connect to an external resource using the IDM admin UI:

  • Connect external resources to IDM
  • Create a connector configuration using the IDM admin UI
  • Add a connector configuration for an external LDAP resource
  • Add a CSV connector configuration
  • Add a connector configuration to import device identities

Lesson 2: Configuring Connectors Over REST
Create a connector configuration in IDM over the REST interface:

  • Create a connector configuration over REST
  • Describe the core connector configuration settings
  • Describe the object types and property mappings
  • Use the scripted SQL connector
  • Create a scripted SQL connector configuration

Chapter 3: Managing Synchronization and Reconciliation

Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store.

Lesson 1: Performing Basic Synchronization
Describe how to use the IDM admin UI to create sync mappings to reconcile identities between IDM and an external resource:

  • Create mappings to synchronize identity objects and properties
  • Create a sync mapping from IDM to an external resource
  • Add source and target properties to the sync mapping
  • Add a correlation query and a situational event script
  • Set the situational behaviors and run reconciliation
  • Add a sync mapping from IDM to an LDAP server
  • Describe the sync mapping from an LDAP server to IDM
  • Add a sync mapping from an LDAP server to IDM
  • Create a sync mapping to provision devices to the IDM repository

Lesson 2: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:

  • Filter entries
  • Run selective synchronization using filters
  • Use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Schedule LiveSync
  • Schedule LiveSync with an external resource
  • Control synchronization to multiple targets

Lesson 3: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:

  • Provision attributes to a target system based on static role assignments
  • Enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Add temporal constraints to a role
  • Set temporal constraints on a role

Lesson 4: Configuring a Custom Endpoint
Describe how to configure a custom endpoint:

  • Use a custom endpoint
  • Create a custom endpoint (optional)

Chapter 4: Installing and Deploying IDM

Install and deploy IDM in an on-prem or cloud provider Linux environment.

Lesson 1: Installing an IDM instance
Install a stand-alone IDM instance for development and test the IDM sample configurations:

  • Describe the basic IDM installation requirements
  • Install and start IDM
  • Install IDM
  • Select MariaDB as a backend repository
  • Describe how to start IDM with a sample configuration
  • Start IDM with a sample configuration
  • Describe how to configure IDM to run as a background process or service
  • Configure IDM to run as a background process

Lesson 2: Monitoring and Troubleshooting
Describe how to set up monitoring and perform basic troubleshooting:

  • Describe the monitoring options available for IDM
  • Set up monitoring in IDM
  • Describe the different IDM log files
  • Examine the different log files in IDM (optional)

Lesson 3: Managing Passwords
Describe how to set up and fine-tune password policies and synchronizations in an IDM deployment:

  • Describe password policies in IDM
  • Set up password policies in IDM
  • Describe password synchronization from DS into IDM
  • Set up password synchronization from DS into IDM
Oct 11
3 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2-based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and Using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Oct 12
5 days
P1-400-BVP Rev A.1

PingOne Administration

This course gives learners the tools to get started with PingOne administration. It covers initial setup tasks, including creating and managing PingOne environments, application integration, and customization. This course also provides information on most common administration tasks, including user and group management, managing access policies, best practices, and troubleshooting of common issues.

Upon completion of this course, you should be able to:

  • Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment
  • Demonstrate administration of PingOne user populations, user roles, attributes, and groups
  • Demonstrate integration and troubleshooting of PingOne applications
  • Demonstrate how to use access control policies within PingOne
  • Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne
  • Demonstrate troubleshooting techniques and best practices within PingOne

The following are the prerequisites for successfully completing this course:

  • Completion of the following courses available at: https://backstage.forgerock.com/university/ping/on-demand/category/PING
  • PingOne Fundamentals
  • Introduction to PingOne MFA
  • Getting Started With PingOne MFA
  • Getting Started With PingOne SSO
  • (Optional) Introduction to PingOne DaVinci
Chapter 1: Introducing PingOne

Summarize PingOne capabilities and key features, describe PingOne support resources, and create a new PingOne environment.

Lesson 1: Providing an Overview of PingOne
Summarize PingOne capabilities and key features:
  • Describe PingOne as a cloud-based IDaaS solution
  • Describe PingOne environment solutions
  • Create a new environment
Lesson 2: Introducing Ping Identity Support Resources
Describe PingOne support resources:
  • Locate Ping Identity support resources
Chapter 2: Managing Users

Demonstrate administration of PingOne user populations, user roles, attributes, and groups.


Lesson 1: Managing Users and Populations

Describe how to manage users in PingOne, including how to create populations and add individual users:

  • Review default users
  • Edit default users
  • Create populations
  • Create a new population
  • Create new users
  • Create a new user
Lesson 2: Managing User Roles, Attributes, and Groups
Create a new population and new users:
  • Manage administrator roles
  • Assign roles to administrators
  • Understand user attributes
  • Manage user attributes
  • Manage user groups
  • Manage user group memberships
Chapter 3: Defining Application Integration

Demonstrate integration and troubleshooting of PingOne applications.

Lesson 1: Describing the Supported Federation Protocols
Understand the various identity federation protocols used within PingOne:
  • Understand federation protocols
  • Add an application from the catalog
  • Understand SAML2
  • Add a custom SAML2 application
  • Understand OAuth2
  • Understand OIDC
  • Add a custom OIDC application
  • Administer the Application Portal
Lesson 2: Troubleshooting Common PingOne Issues
Describe common issues that occur in PingOne, troubleshooting steps, and best practices:
  • Describe authentication failures
  • Define SSO failures
  • Describe attribute mapping errors
  • Determine certificate issues
  • Define group membership issues
  • Describe application integration issues
  • Define gateway access issues
  • Describe best practices
Chapter 4: Configuring Access Control

Demonstrate how to use access control policies within PingOne.

Lesson 1: Managing Authentication Policies
Describe how to create and manage authentication policies in PingOne:
  • Describe authentication policies
  • Create an authentication policy
Lesson 2: Managing Password Policies
Describe how to manage password policies in PingOne:
  • Define password policies
  • Edit a password policy
Lesson 3: Using Additional Authentication Methods
Describe how to create and manage authentication methods used in PingOne policies:
  • Describe MFA and FIDO policies
  • Create an MFA policy
  • Create a FIDO policy
Chapter 5: Managing the Identity Lifecycle

Describe how to manage the process of establishing a person’s identity and then using this identity in later transactions within PingOne.

Lesson 1: Managing User Onboarding
Discuss the initial stages of the identity lifecycle within PingOne, and describe how new user accounts are created and made ready for access:
  • Onboard users
  • Create users manually
Lesson 2: Understanding User Provisioning
Explain how PingOne automates the management of user access to applications, building upon the user identities created during onboarding:
  • Provision users
Lesson 3: Understanding User Maintenance
Describe how to manage the user maintenance capabilities in PingOne:
  • Administer user accounts
  • Manage a user account
Lesson 4: Managing User Offboarding
Understand the critical process of user offboarding within PingOne:
  • Offboard users
Lesson 5: Monitoring and Reporting
Explain the importance of monitoring and reporting within PingOne:
  • Monitor activity and view reports

Chapter 6: Troubleshooting and Best Practices

Demonstrate troubleshooting techniques and best practices within PingOne.

Lesson 1: Managing the Troubleshooting Process
Summarize the troubleshooting process and common techniques within PingOne:
  • Introduce the troubleshooting process
  • Understand common troubleshooting techniques
Lesson 2: Reviewing Best Practices
Summarize PingOne administration best practices:
  • Maintain a healthy PingOne environment
Nov 2
2 days
AM-410-BVP Rev B.1

PingAM Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful PingAM (AM), formerly known as ForgeRock® Access Management. It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Note: This course revision is based on version 7 of AM.

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML v2.0 (SAML2) with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

The following are the prerequisites for successfully completing this course:

  • Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java-based environments would be beneficial, but no programming experience is required
Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Access the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website
Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement time-based one-time password (TOTP) authentication
  • (Optional) Implement HMAC-based one-time password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and Using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across SPs
  • Configure AM as an IdP and integrate with third-party service providers (SPs)
  • Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install an AM instance with the web wizard
  • Install AM and manage configuration with Amster
  • Install Amster
  • Describe the AM bootstrap process
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
  • Harden AM security
  • Adjust default settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore, aliases, and passwords
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID tokens
  • Describe the monitoring tools
  • Describe the audit logging
  • Describe debug logging
  • Capture troubleshooting information
  • Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
  • Describe the Identity Platform
  • Prepare your deployment environment
  • Deploy and access the Identity Platform
  • Access and authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment
Nov 23
5 days
PIDM-400 BVP Rev A

PingIDM Administration

Learn how to install and deploy PingIDM (IDM) in an on-prem or self-managed cloud environment to manage the lifecycle and relationships of digital identities. Topics include how to model identity objects in IDM, create connector configurations and synchronization mappings to manage the flow of identity objects and properties with various external identity resources, manage workflows, and deploy IDM within a cluster. This course explores the identity management-related features in depth, how they work, and the configuration options available during implementation.

Note: Revision A of this course is based on version 8.0.1 of PingIDM.

Upon completion of this course, you should be able to:

  • Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM
  • Create and configure connections between external resources and IDM
  • Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store
  • Install and deploy IDM in an on-prem or cloud provider Linux environment

The following are the prerequisites for successfully completing this course:

  • Completion of the PingIDM Essentials course available at: https://backstage.pingidentity.com/university/on-demand/category/PING
  • Basic knowledge and skills using the Linux operating system will be required to complete the labs.
  • Basic knowledge of JSON, JavaScript, REST, Java, Groovy, SQL and LDAP would be helpful for understanding the examples; however, programming experience is not required.

Chapter 1: Building and Configuring the Prerequisites

Provide an overview of the lab environment, model objects and identities, and set up the end-user UI with IDM.

Lesson 1: Setting Up the Lab
Provide an overview of how to set up the lab environment:

  • Install IDM
  • Explore the auxiliary software

Lesson 2: Modeling Objects and Identities
Describe how to model objects and identities via REST:

  • Introduce the Postman collection
  • Run the Postman collection

Lesson 3: Setting Up the End-User UI
Describe how to configure the end-user UI:

  • Install and configure the end-user UI
  • Retrieve, compile and deploy the end-user UI
  • Access the end-user UI

Chapter 2: Managing Connectors

Create and configure connections between external resources and IDM.

Lesson 1: Configuring Connectors With the IDM Admin UI
Create a connector configuration to connect to an external resource using the IDM admin UI:

  • Connect external resources to IDM
  • Create a connector configuration using the IDM admin UI
  • Add a connector configuration for an external LDAP resource
  • Add a CSV connector configuration
  • Add a connector configuration to import device identities

Lesson 2: Configuring Connectors Over REST
Create a connector configuration in IDM over the REST interface:

  • Create a connector configuration over REST
  • Describe the core connector configuration settings
  • Describe the object types and property mappings
  • Use the scripted SQL connector
  • Create a scripted SQL connector configuration

Chapter 3: Managing Synchronization and Reconciliation

Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store.

Lesson 1: Performing Basic Synchronization
Describe how to use the IDM admin UI to create sync mappings to reconcile identities between IDM and an external resource:

  • Create mappings to synchronize identity objects and properties
  • Create a sync mapping from IDM to an external resource
  • Add source and target properties to the sync mapping
  • Add a correlation query and a situational event script
  • Set the situational behaviors and run reconciliation
  • Add a sync mapping from IDM to an LDAP server
  • Describe the sync mapping from an LDAP server to IDM
  • Add a sync mapping from an LDAP server to IDM
  • Create a sync mapping to provision devices to the IDM repository

Lesson 2: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:

  • Filter entries
  • Run selective synchronization using filters
  • Use LiveSync to synchronize changes
  • Trigger LiveSync on a connector
  • Schedule LiveSync
  • Schedule LiveSync with an external resource
  • Control synchronization to multiple targets

Lesson 3: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:

  • Provision attributes to a target system based on static role assignments
  • Enable role-based provisioning
  • Query the role assignment properties using the REST interface
  • Provision attributes to a target resource based on static role assignments
  • Provision attributes to a target system based on dynamic role assignments
  • Provision attributes to a target resource based on dynamic role assignments
  • Add temporal constraints to a role
  • Set temporal constraints on a role

Lesson 4: Configuring a Custom Endpoint
Describe how to configure a custom endpoint:

  • Use a custom endpoint
  • Create a custom endpoint (optional)

Chapter 4: Installing and Deploying IDM

Install and deploy IDM in an on-prem or cloud provider Linux environment.

Lesson 1: Installing an IDM Instance
Install a stand-alone IDM instance for development and test the IDM sample configurations:

  • Describe the basic IDM installation requirements
  • Install and start IDM
  • Install IDM
  • Select MariaDB as a backend repository
  • Describe how to start IDM with a sample configuration
  • Start IDM with a sample configuration
  • Describe how to configure IDM to run as a background process or service
  • Configure IDM to run as a background process

Lesson 2: Monitoring and Troubleshooting
Describe how to set up monitoring and perform basic troubleshooting:

  • Describe the monitoring options available for IDM
  • Set up monitoring in IDM
  • Describe the different IDM log files
  • Examine the different log files in IDM (optional)

Lesson 3: Managing Passwords
Describe how to set up and fine-tune password policies and synchronizations in an IDM deployment:

  • Describe password policies in IDM
  • Set up password policies in IDM
  • Describe password synchronization from DS into IDM
  • Set up password synchronization from DS into IDM
Dec 9
3 days