Chapter 1: Administering Authentication Journeys
Recap authentication with Advanced Identity Cloud. Increase security by introducing MFA as well as context-based user journeys. Protect a website using PingGateway.
Lesson 1: (Recap) Exploring Authentication in Advanced Identity Cloud
Provide a recap of authentication in Advanced Identity Cloud:
- Introduce the basic concepts of authentication
- Prepare the lab environment
- Describe the authentication mechanisms of Advanced Identity Cloud
- Examine Advanced Identity Cloud default authentication
- Create and manage journeys
- Explore journey nodes
- Create a login journey
- Test the login journey
Lesson 2: Increasing Authentication Security
Increase authentication security using MFA:
- Describe MFA
- Register a device
- Include recovery codes
- Examine OATH authentication
- Implement TOTP authentication
- Examine Push notification authentication
- Implement passwordless WebAuthn
- (Optional) Implement passwordless WebAuthn
Lesson 3: Modifying a User’s Journey Based on Context
Describe how Advanced Identity Cloud can take the context of an authentication request into account when making access decisions:
- Introduce context-based risk analysis
- Describe device profile nodes
- Determine the risk based on the context
- Implement a browser context change script
- Lock and unlock accounts
- (Optional) Implement account lockout
Lesson 4: Protecting a Website With PingGateway
Show how PingGateway, integrated with Advanced Identity Cloud, can protect a website:
- Present Advanced Identity Cloud edge clients
- Describe PingGateway functionality as an edge client
- Review the BXE website protected by PingGateway
- Integrate the BXE website with Advanced Identity Cloud
- Observe the PingGateway token cookie
- (Optional) Review PingGateway configuration
Chapter 2: Administering Authorization Policies
Implement and manage comprehensive authorization policies in Advanced Identity Cloud to control resource access and enable continuous contextual authorization.
Lesson 1: Controlling Access
Create security policies to control which users can access specific areas of the website:
- Describe entitlements with Advanced Identity Cloud authorization
- Define Advanced Identity Cloud policy components
- Define policy environment conditions and response attributes
- Describe the process of Advanced Identity Cloud policy evaluation
- Implement access control on a website
Lesson 2: Checking Risk Continuously
Review the Advanced Identity Cloud tools used to check the risk level of requests continuously:
- Introduce continuous contextual authorization
- Describe step-up authentication
- Implement step-up authentication flow
- Describe transactional authorization
- Implement transactional authorization
- (Optional) Prevent users from bypassing the default journey
Chapter 3: Administering Managed Objects
Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration.
Lesson 1: Modeling an Identity Profile
Learn about the different object types in Advanced Identity Cloud, and how you can model a custom user profile onto an existing managed user object type in Advanced Identity Cloud:
- Review the Advanced Identity Cloud documentation
- Describe the different object types in Advanced Identity Cloud
- Map an identity object to a managed object
- Describe how to use placeholder attributes
- Model a managed user object in Advanced Identity Cloud
Lesson 2: Introducing Relationships
Describe relationships between managed objects:
- Describe the purpose of relationships
- Describe how relationships are stored in the schema
- Query an object relationship using the REST interface
Lesson 3: Managing Organizations
Set up managed organizations to delegate user administration based on ownership of hierarchical organization trees:
- Describe the roles and privileges within an organization
- Implement the organization example
Chapter 4: Administering Connectors, Synchronization, and Provisioning
Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning.
Lesson 1: Connecting to External Resources Using Connectors
Describe the connectors supported in Advanced Identity Cloud, and how to create connector configurations to communicate with external resources:
- Describe how to connect external resources to Advanced Identity Cloud
- Configure communication between Advanced Identity Cloud and a remote connector server (RCS)
- Describe how to connect to external resources using ICF connectors
Lesson 2: Configuring Connectors Over the Identity Management Admin UI
- Describe the process for creating a connector configuration using the Identity Management admin UI
- Describe the object types and property mappings
- Add a connector configuration for an external LDAP resource
Lesson 3: Performing Basic Synchronization
Describe how to use the Identity Management admin UI to create synchronization mappings (sync mappings) to reconcile identities between Advanced Identity Cloud and an external resource:
- Describe how to create mappings to synchronize identity objects and properties
- Describe how to create a sync mapping from Advanced Identity Cloud to an external resource
- Describe how to add source and target properties to the sync mapping
- Describe how to add a correlation query and a situational event script
- Describe how to set the situational behaviors and run reconciliation
- Add a sync mapping from Advanced Identity Cloud to an LDAP server
- Describe the sync mapping from an LDAP server to Advanced Identity Cloud
- Add a sync mapping from an LDAP server to Advanced Identity Cloud
Lesson 4: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:
- Describe the different methods that you can use to filter entries
- Run selective synchronization using filters
- Describe how to use LiveSync to synchronize changes
- Trigger LiveSync on a connector
- Describe how to schedule LiveSync
- Schedule LiveSync with an external resource
Lesson 5: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:
- Describe how to provision attributes to a target system based on static role assignments
- Describe the steps to enable role-based provisioning
- Query the role assignment properties using the REST interface
- Provision attributes to a target resource based on static role assignments
- Describe how to provision attributes to a target system based on dynamic role assignments
- Provision attributes to a target resource based on dynamic role assignments
- Describe how to add temporal constraints to a role
- Add temporal constraints to a role
Chapter 5: Access Advanced Identity Cloud Over REST
Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically.
Lesson 1: Authenticating Over REST
Use Postman to access the Advanced Identity Cloud REST API and authenticate either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callbacks:
- Understand the REST authentication protocol
- Authenticate with REST
- Authenticate using header-based simple authentication
- Authenticate using callback-based complex authentication
Lesson 2: Querying Advanced Identity Cloud Objects Over REST
- Describe how to query objects using the REST interface
- Describe how to use the Advanced Identity Cloud Postman collection
- Query Advanced Identity Cloud Identity objects using Postman