ForgeRock Access Management Customization and APIs

Course Details
Code: AM-421
Tuition (USD): $4,375.00 • Classroom (5 days)
$4,375.00 • Virtual (5 days)

This course provides a hands-on technical introduction to ForgeRock® Access Management (AM) APIs and customization use cases. Students examine AM extension points and gain the skills required to extend and integrate an AM deployment in a real world context. Development best practices are demonstrated in a series of labs.

Note that Revision B.1 of this course is built on version 6.0.0.3 of AM.

Skills Gained

Upon completion of this course, you should be able to:

  • List the extension points of AM
  • List which customizable components are affected in common AM use cases
  • Understand the basic concepts of scripting
  • Use the administration interface to look up, edit, and configure scripts
  • Describe how AM performs authentication
  • Review authentication nodes and authentication trees
  • Design and implement a custom authentication node
  • Describe how scripted authentication works
  • Explore how client-side scripts are used with authentication nodes and trees
  • Describe how server-side scripted authentication operates with authentication nodes and trees
  • Use the administration interface to create and test authentication trees containing scripted nodes
  • Discuss the policy concepts in AM
  • Implement an EntitlementCondition or a scripted condition
  • Describe the ForgeRock® Common REST API (Common REST)
  • Enable Cross-Origin Resource Sharing (CORS) in AM
  • Authenticate users through the REST API
  • Manage identities and realms through the REST API
  • Implement password reset and user self-registration by using the REST API
  • Query the list of dashboard applications through the REST API
  • Use the policy engine to protect non-URL-based resources
  • Describe the policy management and evaluation REST APIs
  • Describe OAuth 2.0 and OpenID Connect, including how to use their HTTP endpoints
  • Demonstrate scope validation and customize the default behavior
  • Explain the basic concepts of user-managed access (UMA)
  • Configure AM as an UMA authorization server
  • Manage UMA resource sets
  • Demonstrate how to customize the UMA workflow

Who Can Benefit

The following are the target audiences for this course:

  • Application Developers, adapting client applications to use AM capabilities
  • Software Developers, extending and integrating AM services for their organizations
  • System Consultants
  • System Architects

Prerequisites

The following are prerequisites to successfully completing this course:

  • Completion of the AM-400 Rev B course
  • Basic knowledge and skills using the Linux operating system to complete labs
  • Knowledge of JSON, JavaScript, AngularJS, REST, Java, Groovy, and XML is important for mastering understanding of material and examples
  • Basic knowledge of LDAP may be helpful for understanding code and some examples

Course Details

Chapter 1: Introducing Customization in AM

Lesson 1: Using Extension (Customization) Points

  • Introduce Java APIs, REST API, and Scripting APIs
  • Introduce customizing authentication
  • Introduce customizing authorization and policy evaluation
  • Describe use cases related to SAML2
  • Describe use cases related to OAuth 2.0 and UMA
  • Describe the course development environment
  • Understand the course ContactList application functionality and its role in this course
  • Manage (starting, stopping) the AM server and ForgeRock® Directory Services servers
  • Describe development tools and scripts provided with the course environment

Chapter 2: Custom Authentication

Lesson 1: Authenticating with Trees and Nodes: An Introduction

  • Review the concept of authentication trees and nodes
  • Create a basic authentication tree
  • Add existing authentication nodes to an authentication tree
  • Implement a choice collector authentication node
  • Assign the user choice to a session property
  • Configure the Session Property Whitelist Service for the realm
  • Test the authentication tree in a web browser and with the REST API
  • Run a REST API function to view the authenticated user’s session data

Lesson 2: Customizing Authentication Trees and Nodes

  • Create a custom authentication node project using the Maven archetype from the command line
  • Create a custom authentication node project using the Maven archetype within NetBeans
  • Write the configuration interface for a custom authentication node
  • Manage updates to the authentication node configuration interface
  • Write the business logic for a custom authentication node
  • Deploy a custom authentication node
  • Modify an existing authentication tree to add the custom authentication node
  • Test the custom authentication node using a web browser interface or its REST API

Lesson 3: Developing Scripts with Scripting APIs

  • Explore client-side scripting with authentication nodes
  • Deploy a custom authentication node that runs specific client-side scripts
  • Include a client-side script with the custom authentication node in an authentication tree
  • Create a Decision node script for authentication trees to process the client-side data and return an authentication decision
  • Receive and process data from the client-side script in a server-side script with a Scripted Decision node
  • Understand client-side scripting with authentication trees by examining source code
  • Configure the scripting engine properties and manage the APIs available to server-side scripts
  • Test the script-based authentication with authentication trees and nodes

Lesson 4: Migrating Authentication Modules to Authentication Trees and Nodes

  • Migrate a server-side authentication script to be used as a Decision node script for authentication trees
  • Modify the server-side script to receive client-side data in from the authentication tree context
  • Design the server-side authentication script outcome values for use in the authentication tree
  • Migrate a client-side authentication (module-based) script to be used by a custom authentication node
  • Write the client-side logic to send client data to the custom authentication node in the context of an authentication tree

Chapter 3: Custom Authorization

Lesson 1: Customizing Authorization

  • Review the main elements of the AM policy API
  • Discuss the concept of resource types and policy sets (formerly applications)
  • Describe the concept of application types
  • Illustrate the policy structure
  • Review the main groups of built-in policy conditions and their important members
  • Discuss where an EntitlementCondition and a script condition can be used
  • Implement, build, and deploy an EntitlementCondition
  • Implement, create, and deploy a scripted condition
  • Review the execution flow of the scripted condition
  • Discuss the variables available to the scripted condition
  • Use a scripted condition through the administration interface and the REST API
  • Develop a custom policy condition for the ContactList application
  • Modify the policy condition to return information about the maintenance mode
  • Complete the policy set

Chapter 4: Customizing with REST Clients

Lesson 1: Using the REST API

  • Explore AM services available through the REST API
  • Describe the ForgeRock Common REST API (CREST)
  • Review the main characteristics of the REST API
  • Discuss the verbs available in the REST API
  • Review the status codes returned by the REST API
  • Describe filtering, paging, sorting, and pretty printing
  • Explain the REST API versioning
  • Access the REST API from the administration interface by using a web browser
  • Use the REST API from jQuery
  • Use the REST API from AngularJS
  • Describe and enable Cross-Origin Resource Sharing (CORS)
  • List the configuration options for the CORSFilter
  • Configure the CORSFilter in AM
  • Modify the ContactList application to use AM for authentication
  • Examine the client-side and server-side components of the ContactList application
  • Modify an AngularJS module in ContactList that uses AM authentication services

Lesson 2: Authentication with REST

  • Use the REST API to authenticate a user (sign in)
  • Compare the simplified (username/password) and full authentication APIs
  • Discuss application callback types
  • Use the simplified and full authentication API
  • Describe advanced authentication options (realm, authentication attributes, session upgrade)
  • Use the REST API to log out
  • Validate tokens and manage sessions
  • Describe the session REST API
  • Discuss the identity management REST API
  • Read user attributes
  • Create a realm
  • Modify the ContactList application to use AM for all authentication functions
  • Complete the AngularJS service interfacing AM to cover all authentication functions
  • Modify the login service to use the testSelectRole authentication tree in AM

Lesson 3: Implementing with RESTful User Self-Service APIs

  • Review the characteristics of the self-service API
  • Illustrate the flow of password reset
  • Enable the password reset functionality
  • Perform a password reset through the REST API
  • Discuss the flow of user self-registration
  • Enable the user self-registration functionality
  • Perform user self-registration
  • Describe the concept of user dashboard
  • List dashboard applications through the REST API
  • Implement password reset in the ContactList application
  • Configure AM to use a local email server
  • Emulate password reset using the command line
  • Add password reset functionality to the ContactList application

Lesson 4: Authorizing with REST

  • Describe how to protect URL-based resources
  • Explain how to protect non-URL-based resources
  • List the main elements of the policy management API
  • Discuss the entities of the policy service
  • Describe the policy evaluation REST API
  • Explain the concept of policy sets
  • Request policy evaluation for a set of resources
  • Demonstrate how policy evaluation can be used to determine which user interface components to show in a JavaScript client
  • Modify the ContactList application to use AM for authorization
  • Create and test policy sets tailored to the ContactList application
  • Extend the back end of ContactList to use the authorization REST API
  • Extend the front end of ContactList to use the authorization REST API

Chapter 5: Federating with OAuth 2.0

Lesson 1: Implementing OAuth Custom Scopes

  • Explain the benefits of OAuth 2.0
  • List the main elements of OAuth 2.0
  • Illustrate the authorization code flow
  • Describe the OAuth 2.0-related HTTP services available in AM
  • Explain the benefits of OpenID Connect
  • List the main elements of OpenID Connect
  • Illustrate the authorization code flow extended with OpenID Connect
  • Describe the TokenInfo endpoint
  • Describe the UserInfo endpoint
  • Discuss the OpenID Connect HTTP services
  • Explain how scope validation is implemented in AM
  • Implement and register a custom scope validation implementation
  • Describe the default OpenID Connect script
  • Create a custom OpenID Connect script
  • Modify the ContactList application to use OAuth 2.0/ OpenID Connect for authentication and authorization
  • Configure OAuth 2.0 and OpenID Connect in AM
  • Create a customized scope validator and token response
  • Modify the ContactList example application to use OpenID Connect for authentication
  • Modify ContactList to behave as an OAuth 2.0 resource server

Chapter 6: Using User-Managed Access

Lesson 1: Customizing with UMA

  • Explain the benefits and list the elements of UMA
  • Describe the various tokens and tickets used in UMA
  • Illustrate the UMA protocol flow
  • Enable and configure an UMA Provider in AM
  • Configure UMA stores
  • Use the UMA discovery endpoint
  • Manage resources on the UMA administration page
  • Understand the UMA REST API
  • Describe the resource set and user label endpoints
  • Discuss the policy endpoint
  • Explain the permission request, requesting party token, and pending request endpoints
  • Understand UMA customization points
  • Register UMA filters
  • Implement resource sharing in the example application