ForgeRock® Access Management: Deep Dive

The aim of this course is to showcase the key features and capabilities of the versatile and powerful ForgeRock® Access Management (AM). It provides the student with the knowledge and confidence to...

Read More
$5,625 USD GSA  $5,100.76
Course Code AM-410
Duration 5 days
Available Formats Classroom, Virtual
7388 Reviews star_rate star_rate star_rate star_rate star_half

“The discussions and labs involving Federation and SAML were the most interesting to me, but I also enjoyed the presentations explaining the concepts of Realms, Policies, Web Agents, Identity Stores, etc.”

Course Image

The aim of this course is to showcase the key features and capabilities of the versatile and powerful ForgeRock® Access Management (AM). It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM. Further information and guidance can be found in the documentation and knowledge base in the online repositories at: Backstage

Note: This course revision is based on version 7 of AM.

Skills Gained

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
  • Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Demonstrate federation across entities using SAML2 with AM
  • Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

Who Can Benefit

  • ForgeRock Access Management Administrators
  • System Integrators
  • System Consultants
  • System Architects
  • System Developers


  • Completion of the ForgeRock® Access Management Essentials course available at:
  • Knowledge of UNIX/Linux commands
  • An understanding of HTTP and web applications
  • A basic understanding of how directory servers function
  • A basic understanding of REST
  • A basic knowledge of Java based environments would be beneficial, but no programming experience is required

Course Details

Chapter 1: Enhancing Intelligent Access

Lesson 1: Exploring Authentication Mechanisms

  • Introduce AM authentication
  • Understand realms
  • Describe authentication life cycle
  • Explain sessions
  • Examine session cookies
  • Prepare the lab environment
  • Examine an initial AM installation
  • Configure a realm and examine AM default authentication
  • Experiment with session cookies
  • Describe the authentication mechanisms of AM
  • Create and manage trees
  • Explore tree nodes
  • Create a login tree
  • Test the login tree

Lesson 2: Protecting a Website With IG

  • Present AM edge clients
  • Describe IG functionality as an edge client
  • Review the ForgeRock Entertainment Company (FEC) website protected by IG
  • Integrate the FEC website with AM
  • Observe the IG token cookie
  • (Optional) Review IG configuration
  • Authenticate identities with AM
  • Integrate identities in AM with an identity store
  • Create an authentication tree with an LDAP Decision node
  • Integrate an identity store with AM

Lesson 3: Controlling Access

  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website

Chapter 2: Improving Access Management Security

Lesson 1: Increasing Authentication Security

  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement Time-based One-time Password (TOTP) authentication
  • (Optional) Implement HMAC-based One-time Password (HOTP) authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS

Lesson 2: Modifying a User’s Authentication Experience Based on Context

  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout

Lesson 3: Checking Risk Continuously

  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree

Chapter 3: Extending Services Using OAuth2-Based Protocols

Lesson 1: Integrating Applications With OAuth2

  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow

Lesson 2: Integrating Applications With OIDC

  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow

Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP

  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JSON Web Token (JWT) profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound proof-of-possession (PoP) when mTLS is configured
  • Obtain a certificate-bound access token

Lesson 4: Transforming OAuth2 Tokens

  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows

Lesson 5: (Optional) Implementing Social Authentication

  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google

Chapter 4: Federating Across Entities Using SAML2

Lesson 1: Implementing SSO Using SAML2

  • Discuss SAML2 entities and profiles
  • Explain the SAML2 flow from the identity provider (IdP) point of view
  • Examine SSO across service providers (SPs)
  • Configure AM as an IdP and integrate with third-party SPs
  • Examine SSO between SP and IdP and across SPs

Lesson 2: Delegating Authentication Using SAML2

  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a SAML2 SP and integrate with a third-party IdP

Chapter 5: Installing and deploying AM

Lesson 1: Installing and Upgrading AM

  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks and methods to install AM
  • Install AM with the web wizard
  • Install AM and manage configuration with Amster
  • Describe the AM bootstrap process
  • Install an AM instance with the web wizard
  • Install Amster
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool

Lesson 2: Hardening AM Security

  • Harden AM security
  • Adjust Default Settings
  • Harden AM security
  • Describe secrets, certificates, and keys
  • Describe keystores and secret stores
  • Manage the AM keystore
  • Configure and manage secret stores
  • Configure an HSM secret store to sign OIDC ID token
  • Audit logging
  • Debug and monitoring tools

Lesson 3: Clustering AM

  • Explore high availability solutions
  • Scale AM deployments
  • Describe AM cluster concepts
  • Create an AM cluster
  • Identify tuning tips for AM clusters
  • Prepare the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Modify the cluster to use client-based sessions

Lesson 4: Deploying the Identity Platform to the Cloud

  • Describe the Identity Platform
  • Prepare Your Deployment Environment
  • Deploy and access the Identity Platform
  • Access an authenticate your GCP account
  • Prepare to deploy the Identity Platform
  • Deploy the Identity Platform with the Cloud Development Kit (CDK)
  • Remove the Identity Platform deployment