Summary

The aim of this course is to showcase the key features and capabilities of the versatile and powerful access management solution in a PingOne Advanced Identity Cloud (Advanced Identity Cloud) environment, formerly known as ForgeRock® Identity Cloud. It provides the student with the knowledge and confidence to manage their environment. It is accepted that this course is not able to demonstrate all the features and capabilities of the access management component of Advanced Identity Cloud. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage https://backstage.forgerock.com.

Prerequisites

The following are the prerequisites for successfully completing this course:

• Completion of the PingAM Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjI%3D/chapter/Q291cnNlOjE1NzIy

• Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course available at: https://www.forgerock.com/support/university/forgerock-university/getting-started-forgerock-identity-cloud

Topics

• Introduce Advanced Identity Cloud authentication
• Describe authentication life cycle
• Explain sessions
• Examine session cookies
• Prepare the lab environment
• Examine Advanced Identity Cloud default authentication
• Experiment with session cookies
• Describe the authentication mechanisms of Advanced Identity Cloud
• Create and manage journeys
• Explore journey nodes
• Create a login journey
• Test the login journey

• Present Advanced Identity Cloud edge clients
• Describe Gateway functionality as an edge client
• Review the FEC website protected by Gateway
• Integrate the FEC website with Advanced Identity Cloud
• Observe the Gateway token cookie
• (Optional) Review Gateway configuration

• Describe entitlements with Advanced Identity Cloud authorization
• Define Advanced Identity Cloud policy components
• Define policy environment conditions and response attributes
• Process of Advanced Identity Cloud policy evaluation
• Implement access control on a website

Chapter 2: Improving Access Management Security

Improve access management security in Advanced Identity Cloud with MFA, context-based risk analysis, and continuous risk checking.

• Describe MFA
• Register a device
• Include recovery codes
• Examine OATH authentication
• Implement Time-based one-time password (TOTP) authentication
• (Optional) Implement HMAC-based one-time password (HOTP) authentication
• Examine Push notification authentication
• Implement passwordless WebAuthn
• (Optional) Implement passwordless WebAuthn
• Examine HOTP authentication using email or SMS
• (Optional) Implement HOTP authentication using email or SMS

• Introduce context-based risk analysis
• Describe device profile nodes
• Determine the risk based on the context
• Implement a browser context change script
• Lock and unlock accounts
• Implement account lockout

• Introduce continuous contextual authorization
• Describe step-up authentication
• Implement step-up authentication flow
• Describe transactional authorization
• Implement transactional authorization
• Prevent users from bypassing the default journey

Lesson 1: Integrating Applications With OAuth2
Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with Advanced Identity Cloud configured as the OAuth2 authorization server:

• Discuss OAuth2 concepts
• Describe OAuth2 tokens and codes
• Describe refresh tokens, macaroons, and token modification
• Request OAuth2 access tokens with OAuth2 grant types
• Explain OAuth2 scopes and consent
• Configure OAuth2 in Advanced Identity Cloud
• Configure Advanced Identity Cloud with an OAuth2 client
• Test the OAuth2 Device Code grant type flow

• Introduce OIDC
• Describe OIDC tokens
• Explain OIDC scopes and claims
• List OIDC grant types
• Create and use an OIDC script
• Create an OIDC claims script
• Register an OIDC client and configure the OIDC Provider settings
• Test the OIDC Authorization Code grant type flow

• Describe OAuth2 token exchange
• Explain token exchange types and purpose for exchange
• Describe token scopes and claims
• Implement a token exchange impersonation pattern
• Implement a token exchange delegation pattern
• Configure token exchange in Advanced Identity Cloud
• Configure Advanced Identity Cloud for token exchange
• Test token exchange flows

• Discuss SAML2 entities and profiles
• Explain the SAML2 flow from the identity provider (IdP) point of view
• Examine SSO across service providers (SPs)
• Configure Advanced Identity Cloud as an IdP and integrate with third-party SPs
• Examine SSO between SP and IdP and across SPs

• Explain the SSO flow from the SP point of view
• Describe the metadata content and use
• Configure Advanced Identity Cloud as a SAML2 SP and integrate with a third-party IdP

Benefits

Upon completion of this course, you should be able to:

• Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to Advanced Identity Cloud for authentication
• Improve access management security in Advanced Identity Cloud with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
• Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber.
• Demonstrate federation across entities using SAML v2.0 (SAML2) with Advanced Identity Cloud