ForgeRock Access Management Customization and APIs

  • Tuition USD $4,750
  • Reviews star_rate star_rate star_rate star_rate star_half 839 Ratings
  • Course Code AM-421
  • Duration 5 days
  • Available Formats Classroom, Virtual

This course provides a hands-on technical introduction to ForgeRock® Access Management (AM) APIs and customization use cases. Students examine AM extension points and gain the skills required to extend and integrate an AM deployment in a real-world context. Development best practices are demonstrated in a series of labs. Note that Revision B.2 of this course is built on version 6.5.2 of AM.

Skills Gained

Upon completion of this course, you should be able to:

  • List the extension points of AM
  • List which customizable components are affected in common AM use cases
  • Understand the basic concepts of scripting
  • Use the administration interface to look up, edit, and configure scripts
  • Describe how AM performs authentication
  • Review authentication nodes and authentication trees
  • Design and implement a custom authentication node
  • Describe how scripted authentication works
  • Explore how client-side scripts are used with authentication nodes and trees
  • Describe how server-side scripted authentication operates with authentication nodes and trees
  • Use the administration interface to create and test authentication trees containing scripted nodes
  • Discuss the policy concepts in AM
  • Implement an EntitlementCondition or a scripted condition
  • Describe the ForgeRock® Common REST API (Common REST)
  • Enable Cross-Origin Resource Sharing (CORS) in AM
  • Authenticate users through the REST API
  • Manage identities and realms through the REST API
  • mplement password reset and user self-registration by using the REST API
  • Query the list of dashboard applications through the REST API
  • Use the policy engine to protect non-URL-based resources
  • Describe the policy management and evaluation REST APIs
  • Describe OAuth 2.0 and OpenID Connect, including how to use their HTTP endpoints
  • Demonstrate scope validation and customize the default behavior
  • Explain the basic concepts of User-Managed Access (UMA)
  • Configure AM as an UMA authorization server
  • Manage UMA resource sets
  • Demonstrate how to customize the UMA workflow

Who Can Benefit

The following are the target audiences for this course:

  • Application Developers, adapting client applications to use AM capabilities
  • Software Developers, extending and integrating AM services for their organizations
  • System Consultants
  • System Architects


The following are prerequisites to successfully completing this course:

  • Completion of the AM-400 Rev B course
  • Basic knowledge and skills using the Linux operating system to complete labs
  • Knowledge of JSON, JavaScript, AngularJS, REST, Java, Groovy, and XML is important for mastering an understanding of material and examples
  • Basic knowledge of LDAP may be helpful for understanding code and some examples

Course Details

Chapter 1: Introducing Customization in AM

Lesson 1: Using Extension (Customization) Points

  • Introduce Java APIs, REST API, and REST API versioning
  • Introduce customizing authentication
  • Introduce customizing authorization and policy evaluation
  • Describe use cases related to OAuth 2.0 and UMA
  • Describe use cases related to SAML2
  • Describe the course environment architecture
  • Understand the course ContactList application functionality and its role in this course
  • Manage (starting, stopping) the AM and Directory Services servers
  • Describe development tools and scripts provided with the course environment

Chapter 2: Custom Authentication

Lesson 1: Introducing Authentication Trees and Nodes

  • Review the concept of authentication trees and nodes
  • Create a basic authentication tree
  • Add existing authentication nodes to an authentication tree
  • Implement a choice collector authentication node
  • Assign the user choice to a session property
  • Configure the Session Property Whitelist Service for the realm
  • Test the authentication tree in a web browser and with the REST API
  • Run a REST API function to view the authenticated user’s session data
  • Compare tree and chain authentication methods

Lesson 2: Customizing with Authentication Trees and Nodes

  • Create a custom authentication node project using the Maven archetype from the command line
  • Create a custom authentication node project using the Maven archetype within NetBeans
  • Write the configuration interface for a custom authentication node
  • Manage updates to the authentication node configuration interface
  • Write the business logic for a custom authentication node
  • Deploy a custom authentication node
  • Modify an existing authentication tree to add the custom authentication node
  • Test the custom authentication node using a web browser interface or its REST API

Lesson 3: Developing Scripts with Scripting APIs

  • Explore client-side scripting with authentication nodes
  • Deploy a custom authentication node that runs specific client-side scripts
  • Include a client-side script with the custom authentication node in an authentication tree
  • Create a script for use by a Scripted Decision node in an authentication tree to process the client-side data and return an authentication decision
  • Receive and process data from the client-side script in a server-side script with a Scripted Decision node
  • Understand client-side scripting with authentication trees by examining source code
  • Configure the scripting engine properties and manage the APIs available to server-side scripts
  • Test the script-based authentication with authentication trees and nodes

Lesson 4: Migrating Authentication Modules to Authentication Trees and Nodes

  • Migrate a server-side authentication script to be used in a Scripted Decision node of an authentication tree
  • Modify the server-side script to receive client-side data in the authentication tree context
  • Design the server-side authentication script outcome values for use in the authentication tree
  • Migrate a client-side authentication (module-based) script to be used by a custom authentication node
  • Write the client-side logic to send client data to the custom authentication node in the context of an authentication tree

Chapter 3: Custom Authorization

Lesson 1: Customizing Authorization

  • Review the main elements of the AM policy API
  • Discuss the concept of resource types and policy sets (formerly applications)
  • Describe the concept of application types
  • Illustrate the policy structure
  • Review the main groups of built-in policy conditions and their important members
  • Discuss where an EntitlementCondition and a script condition can be used
  • Implement, build, and deploy an EntitlementCondition
  • Implement, create, and deploy a scripted condition
  • Review the execution flow of the scripted condition
  • Discuss the variables available to the scripted condition
  • Use a scripted condition through the administration interface and the REST API
  • Develop a custom policy condition for the ContactList application
  • Modify the policy condition to return information about the maintenance mode
  • Complete the policy set

Chapter 4: Customizing with REST Clients

Lesson 1: Using the REST API

  • Explore AM services available through the REST API
  • Describe the ForgeRock Common REST API
  • Review the main characteristics of the REST API
  • Discuss the verbs available in the REST API
  • Review the status codes returned by the REST API
  • Describe filtering, paging, sorting, and pretty printing
  • Explain the REST API versioning
  • Access the REST API from the administration interface by using a web browser
  • Use the REST API from jQuery
  • Use the REST API from AngularJS
  • Describe and enable CORS
  • List the configuration options for the CORSFilter
  • Configure the CORSFilter in AM
  • Modify the ContactList application to use AM for authentication
  • Examine the client-side and server-side components of the ContactList application
  • Modify an AngularJS module in ContactList that uses AM authentication services

Lesson 2: Authentication with REST

  • Use the REST API to authenticate a user (sign in)
  • Compare the simplified (username/password) and full authentication APIs
  • Discuss application callback types
  • Use the simplified and full authentication API
  • Describe advanced authentication options (realm, authentication attributes, session upgrade)
  • Use the REST API to log out
  • Validate tokens and manage sessions
  • Describe the session REST API
  • Discuss the identity management REST API
  • Read user attributes
  • Create a realm
  • Modify the ContactList application to use AM for all authentication functions
  • Complete the AngularJS service interfacing AM to cover all authentication functions
  • Modify the login service to use the testSelectRole authentication tree in AM

Lesson 3: Working with RESTful User Self-Service API

  • Review the characteristics of the self-service API
  • Illustrate the flow of password reset
  • Enable the password reset functionality
  • Perform a password reset through the REST API
  • Discuss the flow of user self-registration
  • Enable the user self-registration functionality
  • Perform user self-registration
  • Describe the concept of a user dashboard
  • List dashboard applications through the REST API
  • Implement password reset in the ContactList application
  • Configure AM to use a local email server
  • Emulate password reset using the command line
  • Add password reset functionality to the ContactList application

Lesson 4: Authorizing with REST

  • Describe how to protect URL-based resources
  • Explain how to protect non-URL-based resources
  • List the main elements of the policy management API
  • Discuss the entities of the policy service
  • Describe the policy evaluation REST API
  • Explain the concept of policy sets
  • Request policy evaluation for a set of resources
  • Demonstrate how policy evaluation can be used to determine which user interface components to show in a JavaScript client
  • Modify the ContactList application to use AM for authorization
  • Create and test policy sets tailored to the ContactList application
  • Extend the backend of ContactList to use the authorization REST API
  • Extend the front end of ContactList to use the authorization REST API

Chapter 5: Federating with OAuth 2.0

Lesson 1: Implementing OAuth Custom Scopes

  • Explain the benefits of OAuth 2.0
  • List the main elements of OAuth 2.0
  • Illustrate the authorization code flow
  • Describe the OAuth 2.0-related HTTP services available in AM
  • Explain the benefits of OpenID Connect
  • List the main elements of OpenID Connect
  • Illustrate the authorization code flow extended with OpenID Connect
  • Describe the TokenInfo endpoint
  • Describe the UserInfo endpoint
  • Discuss the OpenID Connect HTTP services
  • Explain how scope validation is implemented in AM
  • Implement and register a custom scope validation implementation
  • Describe the default OpenID Connect script
  • Create a custom OpenID Connect script
  • Modify the ContactList application to use OAuth 2.0/ OpenID Connect for authentication and authorization
  • Configure OAuth 2.0 and OpenID Connect in AM
  • Create a customized scope validator and token response
  • Modify the ContactList example application to use OpenID Connect for authentication
  • Modify ContactList to behave as an OAuth 2.0 resource server

Chapter 6: Using User-Managed Access

Lesson 1: Customizing with UMA

  • Explain the benefits and list the elements of UMA
  • Describe the various tokens and tickets used in UMA
  • Illustrate the UMA protocol flow
  • Enable and configure an UMA Provider in AM
  • Configure UMA stores
  • Use the UMA discovery endpoint
  • Manage resources on the UMA administration page
  • Understand the UMA REST API
  • Describe the resource set and user label endpoints
  • Discuss the policy endpoint
  • Explain the permission request, requesting party token, and pending request endpoints
  • Understand UMA customization points
  • Register UMA filters
  • Implement resource sharing in the example application

How do I enroll?

A comprehensive listing of ExitCertified courses can be found here. You can register directly for the required course/location when you select "register". If you have any questions or prefer to speak with an ExitCertified education consultant directly, please submit your query here. A representative will contact you shortly.

How do I pay for a class?

You can pay at the time of registration using credit card (Mastercard/Visa/American Express) cheque or PO.

What if I have training credits?

ExitCertified honors all savings programs from the partners we work with. ExitCertified also offers training credits across multiple partners through our FLEX Account.

When does class start/end?

Classes begin promptly at 9:00 am, and typically end at 5:00 pm.

Does the course schedule include a Lunchbreak?

Lunch is normally an hour long and begins at noon. Coffee, tea, hot chocolate and juice are available all day in the kitchen. Fruit, muffins and bagels are served each morning. There are numerous restaurants near each of our centers, and some popular ones are indicated on the Area Map in the Student Welcome Handbooks - these can be picked up in the lobby or requested from one of our ExitCertified staff.

How can someone reach me during class?

If someone should need to contact you while you are in class, please have them call the center telephone number and leave a message with the receptionist.

What languages are used to deliver training?

Most courses are conducted in English, unless otherwise specified. Some courses will have the word "FRENCH" marked in red beside the scheduled date(s) indicating the language of instruction.

What does GTR stand for?

GTR stands for Guaranteed to Run; if you see a course with this status, it means this event is confirmed to run. View our GTR page to see our full list of Guaranteed to Run courses.

Very good training! The instructor is a specialist and the material is great!

I like the instructor teaching method and well preparedness for the course.

Everything about this course went very smoothly. AWS materials and the laps were well presented and integrated. Thomas Canino and Ruben Lopez did a great job as instructor / moderator respectively. Loved the presentation style of Thomas together with his depth of knowledge of the topics and materials. Very Well Done!

Tommy was a great instructor. We relied on this class to develop our understanding, and we were very happy with the result.

Very organized. I like how they keep me informed and prepared for training. I would certainly go to ExitCertified (Tech Data) as a training delivery platform/company again.

4 options available

  • GTR Oct 19, 2020 Oct 23, 2020 (5 days)
    9:00AM 5:00PM EDT
  • Nov 30, 2020 Dec 4, 2020 (5 days)
    10:00 AM 6:00 PM EDT
  • Nov 30, 2020 Dec 4, 2020 (5 days)
    Tampa, FL
    10:00 AM 6:00 PM EDT
  • Dec 14, 2020 Dec 18, 2020 (5 days)
    9:00AM 5:00PM EST
Contact Us 1-800-803-3948
Contact Us Live Chat
FAQ Get immediate answers to our most frequently asked qestions. View FAQs arrow_forward