Chapter 1: Enhancing Intelligent Access
Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.
Lesson 1: Exploring Authentication Mechanisms
Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:
- Introduce AM authentication
- Understand realms
- Describe authentication life cycle
- Explain sessions
- Examine session cookies
- Access the lab environment
- Examine an initial AM installation
- Configure a realm and examine AM default authentication
- Experiment with session cookies
- Describe the authentication mechanisms of AM
- Create and manage trees
- Explore tree nodes
- Create a login tree
- Test the login tree
Lesson 2: Protecting a Website With PingGateway
Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:
- Present AM edge clients
- Describe PingGateway functionality as an edge client
- Review the FEC website protected by PingGateway
- Integrate the FEC website with AM
- Observe the PingGateway token cookie
- (Optional) Review PingGateway configuration
- Authenticate identities with AM
- Create an authentication tree with an LDAP Decision node
- Integrate identities in AM with an identity store
- Integrate an identity store with AM
Lesson 3: Controlling Access
Create security policies to control which users can access specific areas of the website:
- Describe entitlements with AM authorization
- Define AM policy components
- Define policy environment conditions and response attributes
- Describe the process of policy evaluation
- Implement access control on a website
Chapter 2: Improving Access Management Security
Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.
Lesson 1: Increasing Authentication Security
Increase authentication security using MFA:
- Describe MFA
- Register a device
- Include recovery codes
- Examine OATH authentication
- Implement time-based one-time password (TOTP) authentication
- (Optional) Implement HMAC-based one-time password (HOTP) authentication
- Examine Push notification authentication
- (Optional) Implement Push notification authentication
- Implement passwordless WebAuthn
- (Optional) Implement passwordless WebAuthn
- Examine HOTP authentication using email or SMS
- (Optional) Implement HOTP authentication using email or SMS
Lesson 2: Modifying a User’s Authentication Experience Based on Context
Describe how AM can take into account the context of an authentication request in order to make access decisions:
- Introduce context-based risk analysis
- Describe device profile nodes
- Determine the risk based on the context
- Implement a browser context change script
- Lock and unlock accounts
- Implement account lockout
Lesson 3: Checking Risk Continuously
Review the AM tools used to check the risk level of requests continuously:
- Introduce continuous contextual authorization
- Describe step-up authentication
- Implement step-up authentication flow
- Describe transactional authorization
- Implement transactional authorization
- Prevent users from bypassing the default tree
Chapter 3: Extending Services Using OAuth2-Based Protocols
Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.
Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):
- Discuss OAuth2 concepts
- Describe OAuth2 tokens and codes
- Describe refresh tokens, macaroons, and token modification
- Request OAuth2 access tokens with OAuth2 grant types
- Explain OAuth2 scopes and consent
- Configure OAuth2 in AM
- Configure AM as an OAuth2 provider
- Configure AM with an OAuth2 client
- Test the OAuth2 Device Code grant type flow
Lesson 2: Integrating Applications With OIDC
Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:
- Introduce OIDC
- Describe OIDC tokens
- Explain OIDC scopes and claims
- List OIDC grant types
- Create and use an OIDC script
- Create an OIDC claims script
- Register an OIDC client and configure the OAuth2 Provider settings
- Test the OIDC Authorization Code grant type flow
Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP
Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):
- Examine OAuth2 client authentication
- Examine OAuth2 client authentication using JWT profiles
- Examine OAuth2 client authentication using mTLS
- Authenticate an OAuth2 client using mTLS
- Examine certificate-bound PoP when mTLS is configured
- Obtain a certificate-bound access token
Lesson 4: Transforming OAuth2 Tokens
Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:
- Describe OAuth2 token exchange
- Explain token exchange types and purpose for exchange
- Describe token scopes and claims
- Implement a token exchange impersonation pattern
- Implement a token exchange delegation pattern
- Configure token exchange in AM
- Configure AM for token exchange
- Test token exchange flows
Lesson 5: (Optional) Implementing Social Authentication
Provide a way for users to register and authenticate to AM using a social account:
- Delegate registration and authentication to social media providers
- Implement social registration and authentication with Google
Chapter 4: Federating Across Entities Using SAML2
Demonstrate federation across entities using SAML2 with AM.
Lesson 1: Implementing SSO Using SAML2
Demonstrate single sign-on (SSO) functionality across organizational boundaries:
- Discuss SAML2 entities and profiles
- Explain the SAML2 flow from the identity provider (IdP) point of view
- Examine SSO across SPs
- Configure AM as an IdP and integrate with third-party service providers (SPs)
- Examine SSO between an SP and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
Delegate authentication to a third-party IdP using SAML2 and examine the metadata:
- Explain the SSO flow from the SP point of view
- Describe the metadata content and purpose
- Configure AM as a SAML2 SP and integrate with a third-party IdP
Chapter 5: Installing and Deploying AM
Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).
Lesson 1: Installing and Upgrading AM
Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:
- Plan deployment configurations
- Prepare before installing AM
- Deploy AM
- Outline tasks and methods to install AM
- Install AM with the web wizard
- Install an AM instance with the web wizard
- Install AM and manage configuration with Amster
- Install Amster
- Describe the AM bootstrap process
- Upgrade an AM instance
- Upgrade AM with the web wizard
- (Optional) Upgrade AM with the configuration tool
Lesson 2: Hardening AM Security
Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:
- Harden AM security
- Adjust default settings
- Harden AM security
- Describe secrets, certificates, and keys
- Describe keystores and secret stores
- Manage the AM keystore, aliases, and passwords
- Configure and manage secret stores
- Configure an HSM secret store to sign OIDC ID tokens
- Describe the monitoring tools
- Describe the audit logging
- Describe debug logging
- Capture troubleshooting information
- Capture troubleshooting information
Lesson 3: Clustering AM
Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:
- Explore high availability solutions
- Scale AM deployments
- Describe AM cluster concepts
- Create an AM cluster
- Prepare the initial AM cluster
- Install another AM server in the cluster
- Test AM cluster failover scenarios
- (Optional) Modify the cluster to use client-side sessions
Lesson 4: Deploying the Identity Platform to the Cloud
Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):
- Describe the Identity Platform
- Prepare your deployment environment
- Deploy and access the Identity Platform
- Access and authenticate your GCP account
- Prepare to deploy the Identity Platform
- Deploy the Identity Platform with the Cloud Development Kit (CDK)
- Remove the Identity Platform deployment