ForgeRock® Access Management: Deep Dive

Chapter 1: Enhancing Intelligent Access

Lesson 1: Exploring Authentication Mechanisms

• Introduce AM authentication
• Understand realms
• Describe authentication life cycle
• Explain sessions
• Examine session cookies
• Prepare the lab environment
• Examine an initial AM installation
• Configure a realm and examine AM default authentication
• Experiment with session cookies
• Describe the authentication mechanisms of AM
• Create and manage trees
• Explore tree nodes
• Create a login tree
• Test the login tree

Lesson 2: Protecting a Website With IG

• Present AM edge clients
• Describe IG functionality as an edge client
• Review the ForgeRock Entertainment Company (FEC) website protected by IG
• Integrate the FEC website with AM
• Observe the IG token cookie
• (Optional) Review IG configuration
• Authenticate identities with AM
• Integrate identities in AM with an identity store
• Create an authentication tree with an LDAP Decision node
• Integrate an identity store with AM

Lesson 3: Controlling Access

• Describe entitlements with AM authorization
• Define AM policy components
• Define policy environment conditions and response attributes
• Describe the process of policy evaluation
• Implement access control on a website

Chapter 2: Improving Access Management Security

Lesson 1: Increasing Authentication Security

• Describe MFA
• Register a device
• Include recovery codes
• Examine OATH authentication
• Implement Time-based One-time Password (TOTP) authentication
• (Optional) Implement HMAC-based One-time Password (HOTP) authentication
• Examine Push notification authentication
• (Optional) Implement Push notification authentication
• Implement passwordless WebAuthn
• (Optional) Implement passwordless WebAuthn
• Examine HOTP authentication using email or SMS
• (Optional) Implement HOTP authentication using email or SMS

Lesson 2: Modifying a User’s Authentication Experience Based on Context

• Introduce context-based risk analysis
• Describe device profile nodes
• Determine the risk based on the context
• Implement a browser context change script
• Lock and unlock accounts
• Implement account lockout

Lesson 3: Checking Risk Continuously

• Introduce continuous contextual authorization
• Describe step-up authentication
• Implement step-up authentication flow
• Describe transactional authorization
• Implement transactional authorization
• Prevent users from bypassing the default tree

Chapter 3: Extending Services Using OAuth2-Based Protocols

Lesson 1: Integrating Applications With OAuth2

• Discuss OAuth2 concepts
• Describe OAuth2 tokens and codes
• Describe refresh tokens, macaroons, and token modification
• Request OAuth2 access tokens with OAuth2 grant types
• Explain OAuth2 scopes and consent
• Configure OAuth2 in AM
• Configure AM as an OAuth2 provider
• Configure AM with an OAuth2 client
• Test the OAuth2 Device Code grant type flow

Lesson 2: Integrating Applications With OIDC

• Introduce OIDC
• Describe OIDC tokens
• Explain OIDC scopes and claims
• List OIDC grant types
• Create and use an OIDC script
• Create an OIDC claims script
• Register an OIDC client and configure the OAuth2 Provider settings
• Test the OIDC Authorization Code grant type flow

Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP

• Examine OAuth2 client authentication
• Examine OAuth2 client authentication using JSON Web Token (JWT) profiles
• Examine OAuth2 client authentication using mTLS
• Authenticate an OAuth2 client using mTLS
• Examine certificate-bound proof-of-possession (PoP) when mTLS is configured
• Obtain a certificate-bound access token

Lesson 4: Transforming OAuth2 Tokens

• Describe OAuth2 token exchange
• Explain token exchange types and purpose for exchange
• Describe token scopes and claims
• Implement a token exchange impersonation pattern
• Implement a token exchange delegation pattern
• Configure token exchange in AM
• Configure AM for token exchange
• Test token exchange flows

Lesson 5: (Optional) Implementing Social Authentication

• Delegate registration and authentication to social media providers
• Implement social registration and authentication with Google

Chapter 4: Federating Across Entities Using SAML2

Lesson 1: Implementing SSO Using SAML2

• Discuss SAML2 entities and profiles
• Explain the SAML2 flow from the identity provider (IdP) point of view
• Examine SSO across service providers (SPs)
• Configure AM as an IdP and integrate with third-party SPs
• Examine SSO between SP and IdP and across SPs

Lesson 2: Delegating Authentication Using SAML2

• Explain the SSO flow from the SP point of view
• Describe the metadata content and purpose
• Configure AM as a SAML2 SP and integrate with a third-party IdP

Chapter 5: Installing and deploying AM

Lesson 1: Installing and Upgrading AM

• Plan deployment configurations
• Prepare before installing AM
• Deploy AM
• Outline tasks and methods to install AM
• Install AM with the web wizard
• Install AM and manage configuration with Amster
• Describe the AM bootstrap process
• Install an AM instance with the web wizard
• Install Amster
• Upgrade an AM instance
• Upgrade AM with the web wizard
• (Optional) Upgrade AM with the configuration tool

Lesson 2: Hardening AM Security

• Harden AM security
• Adjust Default Settings
• Harden AM security
• Describe secrets, certificates, and keys
• Describe keystores and secret stores
• Manage the AM keystore
• Configure and manage secret stores
• Configure an HSM secret store to sign OIDC ID token
• Audit logging
• Debug and monitoring tools

Lesson 3: Clustering AM

• Explore high availability solutions
• Scale AM deployments
• Describe AM cluster concepts
• Create an AM cluster
• Identify tuning tips for AM clusters
• Prepare the initial AM cluster
• Install another AM server in the cluster
• Test AM cluster failover scenarios
• (Optional) Modify the cluster to use client-based sessions

Lesson 4: Deploying the Identity Platform to the Cloud

• Describe the Identity Platform
• Prepare Your Deployment Environment
• Deploy and access the Identity Platform
• Access an authenticate your GCP account
• Prepare to deploy the Identity Platform
• Deploy the Identity Platform with the Cloud Development Kit (CDK)
• Remove the Identity Platform deployment