ForgeRock Access Management Customization and APIs

Chapter 1: Introducing Customization in AM

Lesson 1: Using Extension (Customization) Points

• Introduce Java APIs, REST API, and REST API versioning
• Introduce customizing authentication
• Introduce customizing authorization and policy evaluation
• Describe use cases related to OAuth 2.0 and UMA
• Describe use cases related to SAML2
• Describe the course environment architecture
• Understand the course ContactList application functionality and its role in this course
• Manage (starting, stopping) the AM and Directory Services servers
• Describe development tools and scripts provided with the course environment

Chapter 2: Custom Authentication

Lesson 1: Introducing Authentication Trees and Nodes

• Review the concept of authentication trees and nodes
• Create a basic authentication tree
• Add existing authentication nodes to an authentication tree
• Implement a choice collector authentication node
• Assign the user choice to a session property
• Configure the Session Property Whitelist Service for the realm
• Test the authentication tree in a web browser and with the REST API
• Run a REST API function to view the authenticated user’s session data
• Compare tree and chain authentication methods

Lesson 2: Customizing with Authentication Trees and Nodes

• Create a custom authentication node project using the Maven archetype from the command line
• Create a custom authentication node project using the Maven archetype within NetBeans
• Write the configuration interface for a custom authentication node
• Manage updates to the authentication node configuration interface
• Write the business logic for a custom authentication node
• Deploy a custom authentication node
• Modify an existing authentication tree to add the custom authentication node
• Test the custom authentication node using a web browser interface or its REST API

Lesson 3: Developing Scripts with Scripting APIs

• Explore client-side scripting with authentication nodes
• Deploy a custom authentication node that runs specific client-side scripts
• Include a client-side script with the custom authentication node in an authentication tree
• Create a script for use by a Scripted Decision node in an authentication tree to process the client-side data and return an authentication decision
• Receive and process data from the client-side script in a server-side script with a Scripted Decision node
• Understand client-side scripting with authentication trees by examining source code
• Configure the scripting engine properties and manage the APIs available to server-side scripts
• Test the script-based authentication with authentication trees and nodes

Lesson 4: Migrating Authentication Modules to Authentication Trees and Nodes

• Migrate a server-side authentication script to be used in a Scripted Decision node of an authentication tree
• Modify the server-side script to receive client-side data in the authentication tree context
• Design the server-side authentication script outcome values for use in the authentication tree
• Migrate a client-side authentication (module-based) script to be used by a custom authentication node
• Write the client-side logic to send client data to the custom authentication node in the context of an authentication tree

Chapter 3: Custom Authorization

Lesson 1: Customizing Authorization

• Review the main elements of the AM policy API
• Discuss the concept of resource types and policy sets (formerly applications)
• Describe the concept of application types
• Illustrate the policy structure
• Review the main groups of built-in policy conditions and their important members
• Discuss where an EntitlementCondition and a script condition can be used
• Implement, build, and deploy an EntitlementCondition
• Implement, create, and deploy a scripted condition
• Review the execution flow of the scripted condition
• Discuss the variables available to the scripted condition
• Use a scripted condition through the administration interface and the REST API
• Develop a custom policy condition for the ContactList application
• Modify the policy condition to return information about the maintenance mode
• Complete the policy set

Chapter 4: Customizing with REST Clients

Lesson 1: Using the REST API

• Explore AM services available through the REST API
• Describe the ForgeRock Common REST API
• Review the main characteristics of the REST API
• Discuss the verbs available in the REST API
• Review the status codes returned by the REST API
• Describe filtering, paging, sorting, and pretty printing
• Explain the REST API versioning
• Access the REST API from the administration interface by using a web browser
• Use the REST API from jQuery
• Use the REST API from AngularJS
• Describe and enable CORS
• List the configuration options for the CORSFilter
• Configure the CORSFilter in AM
• Modify the ContactList application to use AM for authentication
• Examine the client-side and server-side components of the ContactList application
• Modify an AngularJS module in ContactList that uses AM authentication services

Lesson 2: Authentication with REST

• Use the REST API to authenticate a user (sign in)
• Compare the simplified (username/password) and full authentication APIs
• Discuss application callback types
• Use the simplified and full authentication API
• Describe advanced authentication options (realm, authentication attributes, session upgrade)
• Use the REST API to log out
• Validate tokens and manage sessions
• Describe the session REST API
• Discuss the identity management REST API
• Read user attributes
• Create a realm
• Modify the ContactList application to use AM for all authentication functions
• Complete the AngularJS service interfacing AM to cover all authentication functions
• Modify the login service to use the testSelectRole authentication tree in AM

Lesson 3: Working with RESTful User Self-Service API

• Review the characteristics of the self-service API
• Illustrate the flow of password reset
• Enable the password reset functionality
• Perform a password reset through the REST API
• Discuss the flow of user self-registration
• Enable the user self-registration functionality
• Perform user self-registration
• Describe the concept of a user dashboard
• List dashboard applications through the REST API
• Implement password reset in the ContactList application
• Configure AM to use a local email server
• Emulate password reset using the command line
• Add password reset functionality to the ContactList application

Lesson 4: Authorizing with REST

• Describe how to protect URL-based resources
• Explain how to protect non-URL-based resources
• List the main elements of the policy management API
• Discuss the entities of the policy service
• Describe the policy evaluation REST API
• Explain the concept of policy sets
• Request policy evaluation for a set of resources
• Demonstrate how policy evaluation can be used to determine which user interface components to show in a JavaScript client
• Modify the ContactList application to use AM for authorization
• Create and test policy sets tailored to the ContactList application
• Extend the backend of ContactList to use the authorization REST API
• Extend the front end of ContactList to use the authorization REST API

Chapter 5: Federating with OAuth 2.0

Lesson 1: Implementing OAuth Custom Scopes

• Explain the benefits of OAuth 2.0
• List the main elements of OAuth 2.0
• Illustrate the authorization code flow
• Describe the OAuth 2.0-related HTTP services available in AM
• Explain the benefits of OpenID Connect
• List the main elements of OpenID Connect
• Illustrate the authorization code flow extended with OpenID Connect
• Describe the TokenInfo endpoint
• Describe the UserInfo endpoint
• Discuss the OpenID Connect HTTP services
• Explain how scope validation is implemented in AM
• Implement and register a custom scope validation implementation
• Describe the default OpenID Connect script
• Create a custom OpenID Connect script
• Modify the ContactList application to use OAuth 2.0/ OpenID Connect for authentication and authorization
• Configure OAuth 2.0 and OpenID Connect in AM
• Create a customized scope validator and token response
• Modify the ContactList example application to use OpenID Connect for authentication
• Modify ContactList to behave as an OAuth 2.0 resource server

Chapter 6: Using User-Managed Access

Lesson 1: Customizing with UMA

• Explain the benefits and list the elements of UMA
• Describe the various tokens and tickets used in UMA
• Illustrate the UMA protocol flow
• Enable and configure an UMA Provider in AM
• Configure UMA stores
• Use the UMA discovery endpoint
• Manage resources on the UMA administration page
• Understand the UMA REST API
• Describe the resource set and user label endpoints
• Discuss the policy endpoint
• Explain the permission request, requesting party token, and pending request endpoints
• Understand UMA customization points
• Register UMA filters
• Implement resource sharing in the example application