This structured course comprises a mix of instructor-led lessons and demonstrations with plenty of lab exercises to ensure an opportunity to fully understand each of the topics covered. It provides students with a strong foundation for the design, installation, configuration, and administration of a ForgeRock® Access Management (AM) solution. The objective of the course is to present the core concepts of access management, demonstrate the many features of AM, and provide hands-on experience that allows students to implement a full solution based on real-life use cases, including many ready-to-use features.
- Note: Revision B.1 of this course is built on version 6.5 of ForgeRock AM.
Skills Gained
Upon completion of this course, you should be able to:
- Implement default authentication with AM
- Configure web agents to control access
- Enable user self-service self-registration basic flow
- Configure intelligent authentication with trees
- Configure an identity store
- Retrieve user information with REST
- Configure policies to control access
- Extend entitlements using step-up authentication and transactional authorization
- Configure AM as an OIDC provider and an UMA authorization server
- Demonstrate OAuth2, OIDC, and UMA2 flows
- Configure social authentication with Google
- Customize AM themes for end-user pages
- Investigate the need to harden AM security
- Install, upgrade, and maintain an AM solution
- Discuss AM clustering
- Configure AM as a SAML2 entity
Who Can Benefit
This course is aimed at those responsible for overseeing various aspects of a successful deployment of ForgeRock AM. This includes, but is not limited to, those with the following responsibilities:
- System Integrators
- System Consultants
- System Architects
- System Developers
- System Administrators
Prerequisites
The following are the prerequisites to successfully completing this course:
- Knowledge of Unix/Linux commands and text editing
- An appreciation of HTTP and web applications
- A basic appreciation of how directory servers function
- A basic understanding of REST
- A basic knowledge of Java based environments would be beneficial. Programming experience is not required.
Chapter 1: Performing Basic Configuration
Lesson 1: Implementing Default Authentication
- Describe how to use AM to manage default authentication using cookies
- Implement default authentication with AM
- Understand the need for and the use of realms
- Implement separation of admins and users using realms
- Observe the function of cookies
Lesson 2: Protecting a Website
- List and describe AM authentication clients
- Describe web agent main functionality
- Implement policy enforcement using web agents
- Analyze the am-auth-jwt cookie
Lesson 3: Empowering Users Through Self-Service
- Describe the main capabilities of user self-service
- Configure user self-service self-registration basic flow
Chapter 2: Implementing Intelligent Authentication
Lesson 1: Extending Authentication Functionality
- Describe the authentication mechanisms of AM
- List the available nodes
- Compare tree and chain mechanisms
- Identify realm-level authentication settings
- Use the authentication tree designer and ForgeRock’s Marketplace
- Create and test an authentication tree containing an LDAP Decision node
- Use the recording tool for troubleshooting
Lesson 2: Retrieving User Information
- Understand the use of an identity store
- Explain the distinction between identity store and credentials store
- Implement user-specific features on the website
- Retrieve user profile information using REST
Lesson 3: Increasing Authentication Security
- Discuss the need to increase authentication security
- Implement account lockout
- Configure risk-based authentication
- Configure second-factor authentication
- Demonstrate push notification authentication
Chapter 3: Controlling Access Using Authorization
Lesson 1: Controlling Access
- Describe how AM manages entitlements through authorization
- Define policy components
- Explain how AM evaluates policies
- Implement access control policies on a website
Lesson 2: Extending Entitlements
- Define session upgrade
- Describe and implement step-up authentication
- Describe and implement transactional authorization
- Tighten access for the rest of the website
Chapter 4: Extending Services Using OAuth 2.0-Based protocols
Lesson 1: Integrating Low-Level Devices with OAuth 2.0 (OAuth2)
- Explain why OAuth2 protocol can be used to integrate various devices
- Discuss OAuth2 players and their roles
- Describe OAuth 2 access tokens, refresh tokens, and authorization codes
- List OAuth2 grants
- Configure AM as an OAuth2 authorization server
- Demonstrate OAuth2 device flow
Lesson 2: Integrating Mobile Applications with OpenID Connect 1.0 (OIDC)
- Explain how OIDC leverages an OAuth2 handshake to provide authentication and data sharing
- List OIDC grants
- Configure AM as an OIDC provider
- Observe the OIDC authorization grant profile
Lesson 3: Sharing Resources with UMA 2.0 (UMA2)
- Describe how UMA2 enriches OAuth2 to allow resource sharing
- Implement AM as an UMA2 authorization server and demonstrate resource sharing
Lesson 4: Implementing Social Authentication
- Explain how AM can delegate authentication to social media
- Configure social authentication using Google
Chapter 5: Preparing for Production
Lesson 1: Customizing AM End User Pages
- Describe the user interface areas that can be customized
- Theme the end user interface for a realm
Lesson 2: Hardening AM Security
- Highlight the areas where security needs hardening
- Adjust default settings
- Set up administration privileges
- Manage secrets
- Use a Hardware Security Management (HSM) secret store to sign OIDC ID token
Lesson 3: Administering an AM Solution
- Introduce the administration tools available
- Install Amster
- Export and explore configuration with Amster
- Identify tools to troubleshoot issues
- Record debugging information
- Outline the main features of audit logging
- List the available monitoring tools
- Discuss the areas that need tuning
Lesson 4: Installing and Upgrading AM
- Plan an AM installation
- Install a single instance of AM using the wizard
- Describe the bootstrap process
- Upgrade an AM instance using the wizard
Lesson 5: Clustering AM
- Discuss approaches to providing high availability
- Explain how to scale a deployment
- Add a server to a cluster using CTS-based sessions
- Modify the cluster to use client-based sessions
- Discuss deployment approaches
Chapter 6: Federating Across Entities Using SAML v.2 (SAML2)
Lesson 1: Implementing Single Sign-On Using SAML2
- Discuss federation entities and flows
- Explain the SSO flow from the Identity Provider (IdP) point of view
- Examine SSO between Service Provider (SP) and IdP and across SPs
Lesson 2: Delegating Authentication Using SAML2
- Explain the SSO flow from the SP point of view
- Describe the metadata content and use
- Configure AM as a SAML2 SP
