ForgeRock Training Courses & Certifications

ForgeRock Outstanding Authorized Training Partner Award For 2018 & 2021, Including Global Outstanding Instructor Achievement Award Three Times - 2018, 2019 & 2020

Learn how to architect, build, and deploy your Identity solution

Got a question let us know! You’ve come to the right place.

We cover ForgeRock’s training portfolio and our trainers bring to the classroom decades of extensive experience. All ForgeRock training courses we deliver consist of Lectures, Labs, and Discussions and are available either in a classroom setting or as virtual live courses. We can guarantee that you will leave feeling compete to leverage technology successfully.

ForgeRock Access Management Training Courses

ForgeRock® Access Management: Deep Dive (AM410)
ForgeRock Access Management Customization and APIs (AM-421)

ForgeRock® Access Management: Deep Dive (AM410)

Course Overview

The aim of this course is to showcase the key features and capabilities of the versatile and powerful ForgeRock® Access Management (AM). It provides the student with the knowledge and confidence to manage their own environment. It is accepted that this course is not able to demonstrate all the features and capabilities of AM.

Duration – 5 Days

Course Outline

Who Can Benefit

The target audiences for this course include:

ForgeRock Access Management Administrators
System Integrators
System Consultants
System Architects
System Developers

Skills Gained

Upon completion of this course, you should be able to:

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication
Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
Implement OAuth 2.0 (OAuth2) based protocols; namely, OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber
Demonstrate federation across entities using SAML2 with AM
Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster

Prerequisites

The following are the prerequisites for successfully completing this course:

Completion of the ForgeRock® Access Management Essentials course
Knowledge of UNIX/Linux commands
An understanding of HTTP and web applications
A basic understanding of how directory servers function
A basic understanding of REST
A basic knowledge of Java based environments would be beneficial, but no programming experience is required

Course Details

Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms

Explore the AM Admin UI and view the role of cookies used during and after authentication:

Introduce AM authentication
Understand realms
Describe authentication life cycle
Explain sessions
Examine session cookies
Prepare the lab environment
Examine an initial AM installation
Configure a realm and examine AM default authentication
Experiment with session cookies
Describe the authentication mechanisms of AM
Create and manage trees
Explore tree nodes
Create a login tree
Test the login tree

Lesson 2: Protecting a Website With IG

Show how ForgeRock® Identity Gateway (IG), integrated with AM, can protect a website:

Present AM edge clients
Describe IG functionality as an edge client
Review the ForgeRock Entertainment Company (FEC) website protected by IG
Integrate the FEC website with AM
Observe the IG token cookie
(Optional) Review IG configuration
Authenticate identities with AM
Integrate identities in AM with an identity store
Create an authentication tree with an LDAP Decision node
Integrate an identity store with AM

Lesson 3: Controlling Access

Create security policies to control which users can access specific areas of the website:

Describe entitlements with AM authorization
Define AM policy components
Define policy environment conditions and response attributes
Describe the process of policy evaluation
Implement access control on a website

Chapter 2: Improving Access Management Security

Improve access management security in AM with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security

Increase authentication security using MFA:

Describe MFA
Register a device
Include recovery codes
Examine OATH authentication
Implement Time-based One-time Password (TOTP) authentication
(Optional) Implement HMAC-based One-time Password (HOTP) authentication
Examine Push notification authentication
(Optional) Implement Push notification authentication
Implement passwordless WebAuthn
(Optional) Implement passwordless WebAuthn
Examine HOTP authentication using email or SMS
(Optional) Implement HOTP authentication using email or SMS

Lesson 2: Modifying a User’s Authentication Experience Based on Context

Describe how AM can take into account the context of an authentication request in order to take access decisions:

Introduce context-based risk analysis
Describe device profile nodes
Determine the risk based on the context
Implement a browser context change script
Lock and unlock accounts
Implement account lockout

Lesson 3: Checking Risk Continuously

Review the AM tools used to check the risk level of requests continuously:

Introduce continuous contextual authorization
Describe step-up authentication
Implement step-up authentication flow
Describe transactional authorization
Implement transactional authorization
Prevent users from bypassing the default tree

Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2

Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server:

Discuss OAuth2 concepts
Describe OAuth2 tokens and codes
Describe refresh tokens, macaroons, and token modification
Request OAuth2 access tokens with OAuth2 grant types
Explain OAuth2 scopes and consent
Configure OAuth2 in AM
Configure AM as an OAuth2 provider
Configure AM with an OAuth2 client
Test the OAuth2 Device Code grant type flow

Lesson 2: Integrating Applications With OIDC

Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:

Introduce OIDC
Describe OIDC tokens
Explain OIDC scopes and claims
List OIDC grant types
Create and use an OIDC script
Create an OIDC claims script
Register an OIDC client and configure the OAuth2 Provider settings
Test the OIDC Authorization Code grant type flow

Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP

Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to prove token possession:

Examine OAuth2 client authentication
Examine OAuth2 client authentication using JSON Web Token (JWT) profiles
Examine OAuth2 client authentication using mTLS
Authenticate an OAuth2 client using mTLS
Examine certificate-bound proof-of-possession (PoP) when mTLS is configured
Obtain a certificate-bound access token

Lesson 4: Transforming OAuth2 Tokens

Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:

Describe OAuth2 token exchange
Explain token exchange types and purpose for exchange
Describe token scopes and claims
Implement a token exchange impersonation pattern
Implement a token exchange delegation pattern
Configure token exchange in AM
Configure AM for token exchange
Test token exchange flows

Lesson 5: (Optional) Implementing Social Authentication

Provide a way for users to register and authenticate to AM using a social account:

Delegate registration and authentication to social media providers
Implement social registration and authentication with Google

Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2

Demonstrate single sign-on (SSO) functionality across organizational boundaries:

Discuss SAML2 entities and profiles
Explain the SAML2 flow from the identity provider (IdP) point of view
Examine SSO across service providers (SPs)
Configure AM as an IdP and integrate with third-party SPs
Examine SSO between SP and IdP and across SPs

Lesson 2: Delegating Authentication Using SAML2

Delegate authentication to a third-party IdP using SAML2 and examine the metadata:

Explain the SSO flow from the SP point of view
Describe the metadata content and purpose
Configure AM as a SAML2 SP and integrate with a third-party IdP

Chapter 5: Installing and deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the ForgeRock® Identity Platform (Identity Platform) to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM

Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.1:

Plan deployment configurations
Prepare before installing AM
Deploy AM
Outline tasks and methods to install AM
Install AM with the web wizard
Install AM and manage configuration with Amster
Describe the AM bootstrap process
Install an AM instance with the web wizard
Install Amster
Upgrade an AM instance
Upgrade AM with the web wizard
(Optional) Upgrade AM with the configuration tool

Lesson 2: Hardening AM Security

Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:

Harden AM security
Adjust Default Settings
Harden AM security
Describe secrets, certificates, and keys
Describe keystores and secret stores
Manage the AM keystore
Configure and manage secret stores
Configure an HSM secret store to sign OIDC ID token
Audit logging
Debug and monitoring tools

Lesson 3: Clustering AM

Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:

Explore high availability solutions
Scale AM deployments
Describe AM cluster concepts
Create an AM cluster
Identify tuning tips for AM clusters
Prepare the initial AM cluster
Install another AM server in the cluster
Test AM cluster failover scenarios
(Optional) Modify the cluster to use client-based sessions

Lesson 4: Deploying the Identity Platform to the Cloud

Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):

Describe the Identity Platform
Prepare Your Deployment Environment
Deploy and access the Identity Platform
Access an authenticate your GCP account
Prepare to deploy the Identity Platform
Deploy the Identity Platform with the Cloud Development Kit (CDK)
Remove the Identity Platform deployment

ForgeRock Access Management Customization and APIs (AM-421)

Course Overview

This course provides a hands-on technical introduction to ForgeRock^® Access Management (AM) APIs and customization use cases. Students examine AM extension points and gain the skills required to extend and integrate an AM deployment in a real-world context. Development best practices are demonstrated in a series of labs.

Note that Revision B.2 of this course is built on version 6.5.2 of AM.

Duration – 5 Days

Course Outline

Who Can Benefit

The following are the target audiences for this course:

Application Developers, adapting client applications to use AM capabilities
Software Developers, extending and integrating AM services for their organizations
System Consultants
System Architects

Skills Gained

Upon completion of this course, you should be able to:

List the extension points of AM
List which customizable components are affected in common AM use cases
Understand the basic concepts of scripting
Use the administration interface to look up, edit, and configure scripts
Describe how AM performs authentication
Review authentication nodes and authentication trees
Design and implement a custom authentication node
Describe how scripted authentication works
Explore how client-side scripts are used with authentication nodes and trees
Describe how server-side scripted authentication operates with authentication nodes and trees
Use the administration interface to create and test authentication trees containing scripted nodes
Discuss the policy concepts in AM
Implement an EntitlementCondition or a scripted condition
Describe the ForgeRock® Common REST API (Common REST)
Enable Cross-Origin Resource Sharing (CORS) in AM
Authenticate users through the REST API
Manage identities and realms through the REST API
Implement password reset and user self-registration by using the REST API
Query the list of dashboard applications through the REST API
Use the policy engine to protect non-URL-based resources
Describe the policy management and evaluation REST APIs
Describe OAuth 2.0 and OpenID Connect, including how to use their HTTP endpoints
Demonstrate scope validation and customize the default behavior
Explain the basic concepts of user-managed access (UMA)
Configure AM as an UMA authorization server
Manage UMA resource sets
Demonstrate how to customize the UMA workflow

Prerequisites

The following are prerequisites to successfully completing this course:

Basic knowledge and skills using the Linux operating system to complete labs
Knowledge of JSON, JavaScript, AngularJS, REST, Java, Groovy, and XML is important for mastering understanding of material and examples
Basic knowledge of LDAP may be helpful for understanding code and some examples

Course Details

Chapter 1: Introducing Customization in AM

Introduce customization with AM and identify the main functional areas where customization and extending of AM is possible. The course environment and application are discussed as the context wherein customizations are done.

Lesson 1: Using Extension (Customization) Points

Provide an overview of AM extension points where customizations are done. Discuss the main components of the AM architecture and related APIs through which AM services can be accessed:

Introduce Java APIs, REST API, and REST API versioning
Introduce customizing authentication
Introduce customizing authorization and policy evaluation
Describe use cases related to OAuth 2.0 and UMA
Describe use cases related to SAML2
Describe the course environment architecture
Understand the course ContactList application functionality and its role in this course
Manage (starting, stopping) the AM and Directory Services servers
Describe development tools and scripts provided with the course environment

Chapter 2: Customizing Authentication

Implement custom authentication services by using authentication trees and nodes provided by AM. Learn to create a custom authentication node and use the node in an authentication tree to provide authentication services for the ContactList application. Explore customization of authentication with client-side and server-side scripts. Cover migration of authentication modules and chains to authentication nodes and trees.

Lesson 1: Introducing Authentication Trees and Nodes

Learn to create an authentication tree comprised of several authentication nodes, provided with AM without any customization, as the proof of concept use case for the course ContactList application. Test the tree implementation within a web browser and use command-line REST API requests to examine the HTTP request-response and data information exchanged between the client web browser and AM:

Review the concept of authentication trees and nodes
Create a basic authentication tree
Add existing authentication nodes to an authentication tree
Implement a choice collector authentication node
Assign the user choice to a session property
Configure the Session Property Whitelist Service for the realm
Test the authentication tree in a web browser and with the REST API
Run a REST API function to view the authenticated user’s session data
Compare tree and chain authentication methods

Lesson 2: Customizing with Authentication Trees and Nodes

Present the AM authentication node API to develop a custom authentication node for use in authentication trees. Implement a custom authentication node to replace the functionality of the choice collector, and to set session property nodes used in the initial authentication tree:

Create a custom authentication node project using the Maven archetype from the command line
Create a custom authentication node project using the Maven archetype within NetBeans
Write the configuration interface for a custom authentication node
Manage updates to the authentication node configuration interface
Write the business logic for a custom authentication node
Deploy a custom authentication node
Modify an existing authentication tree to add the custom authentication node
Test the custom authentication node using a web browser interface or its REST API

Lesson 3: Developing Scripts with Scripting APIs

Learn to execute client-side and server-side scripts in the context of an authentication tree. Explore how client-side scripts can be run by using a custom authentication node. Process client-side data with a server-side script created for use in a Scripted Decision node in an authentication tree:

Explore client-side scripting with authentication nodes
Deploy a custom authentication node that runs specific client-side scripts
Include a client-side script with the custom authentication node in an authentication tree
Create a script for use by a Scripted Decision node in an authentication tree to process the client-side data and return an authentication decision
Receive and process data from the client-side script in a server-side script with a Scripted Decision node
Understand client-side scripting with authentication trees by examining source code
Configure the scripting engine properties and manage the APIs available to server-side scripts
Test the script-based authentication with authentication trees and nodes

Lesson 4: Migrating Authentication Modules to Authentication Trees and Nodes

Explore the source code of a custom authentication module and chain implemented for AM versions prior to version 5.0 and the course application. Explore how it is migrated in this course to create custom authentication trees to meet the ContactList application requirements. Examine the use case with a client-side and server-side scripted module in a chain that is migrated for use with a custom authentication node (for the client-side script), and the standard Scripted Decision node (for the server-side scripts) to be implemented in authentication trees:

Migrate a server-side authentication script to be used in a Scripted Decision node of an authentication tree
Modify the server-side script to receive client-side data in the authentication tree context
Design the server-side authentication script outcome values for use in the authentication tree
Migrate a client-side authentication (module-based) script to be used by a custom authentication node
Write the client-side logic to send client data to the custom authentication node in the context of an authentication tree

Chapter 3: Customizing Authorization

Create and test a set of policies enforcing the security constraints to enable users to access REST endpoints provided by the course ContactList application.

Lesson 1: Customizing Authorization

Learn to write and test a custom policy condition script (using JavaScript) which queries the maintenance mode state of the ContactList application:

Review the main elements of the AM policy API
Discuss the concept of resource types and policy sets (formerly applications)
Describe the concept of application types
Illustrate the policy structure
Review the main groups of built-in policy conditions and their important members
Discuss where an EntitlementCondition and a script condition can be used
Implement, build, and deploy an EntitlementCondition
Implement, create, and deploy a scripted condition
Review the execution flow of the scripted condition
Discuss the variables available to the scripted condition
Use a scripted condition through the administration interface and the REST API
Develop a custom policy condition for the ContactList application
Modify the policy condition to return information about the maintenance mode
Complete the policy set

Chapter 4: Customizing with REST Clients

Modify the sample ContactList application’s authentication mechanism to use the AM authentication tree service instead of its proprietary REST service.

Lesson 1: Using the REST API

Learn to access AM services though the REST API by using the REST API Explorer in the administration interface and in the ContactList application written in AngularJS. Enable the CORS functionality in AM:

Explore AM services available through the REST API
Describe the ForgeRock Common REST API
Review the main characteristics of the REST API
Discuss the verbs available in the REST API
Review the status codes returned by the REST API
Describe filtering, paging, sorting, and pretty printing
Explain the REST API versioning
Access the REST API from the administration interface by using a web browser
Use the REST API from jQuery
Use the REST API from AngularJS
Describe and enable CORS
List the configuration options for the CORSFilter
Configure the CORSFilter in AM
Modify the ContactList application to use AM for authentication
Examine the client-side and server-side components of the ContactList application
Modify an AngularJS module in ContactList that uses AM authentication services

Lesson 2: Authenticating with REST

Use the REST API to perform authentication with AM services implemented as authentication trees:

Use the REST API to authenticate a user (sign in)
Compare the simplified (username/password) and full authentication APIs
Discuss application callback types
Use the simplified and full authentication API
Describe advanced authentication options (realm, authentication attributes, session upgrade)
Use the REST API to log out
Validate tokens and manage sessions
Describe the session REST API
Discuss the identity management REST API
Read user attributes
Create a realm
Modify the ContactList application to use AM for all authentication functions
Complete the AngularJS service interfacing AM to cover all authentication functions
Modify the login service to use the testSelectRole authentication tree in AM

Lesson 3: Woking with RESTful User Self-Service API

Explore how to implement a password-reset function with the REST API:

Review the characteristics of the self-service API
Illustrate the flow of password reset
Enable the password reset functionality
Perform a password reset through the REST API
Discuss the flow of user self-registration
Enable the user self-registration functionality
Perform user self-registration
Describe the concept of a user dashboard
List dashboard applications through the REST API
Implement password reset in the ContactList application
Configure AM to use a local email server
Emulate password reset using the command line
Add password reset functionality to the ContactList application

Lesson 4: Authorizing with REST

Learn to implement authorization in applications by using the REST API:

Describe how to protect URL-based resources
Explain how to protect non-URL-based resources
List the main elements of the policy management API
Discuss the entities of the policy service
Describe the policy evaluation REST API
Explain the concept of policy sets
Request policy evaluation for a set of resources
Demonstrate how policy evaluation can be used to determine which user interface components to show in a JavaScript client
Modify the ContactList application to use AM for authorization
Create and test policy sets tailored to the ContactList application
Extend the backend of ContactList to use the authorization REST API
Extend the front end of ContactList to use the authorization REST API

Chapter 5: Federating with OAuth 2.0

Learn how to federate a client application with AM using the OAuth 2.0/OpenID Connect protocol.

Lesson 1: Implementing OAuth Custom Scopes

Implement a Custom OAuth 2.0 Scope Validator:

Explain the benefits of OAuth 2.0
List the main elements of OAuth 2.0
Illustrate the authorization code flow
Describe the OAuth 2.0-related HTTP services available in AM
Explain the benefits of OpenID Connect
List the main elements of OpenID Connect
Illustrate the authorization code flow extended with OpenID Connect
Describe the TokenInfo endpoint
Describe the UserInfo endpoint
Discuss the OpenID Connect HTTP services
Explain how scope validation is implemented in AM
Implement and register a custom scope validation implementation
Describe the default OpenID Connect script
Create a custom OpenID Connect script
Modify the ContactList application to use OAuth 2.0/ OpenID Connect for authentication and authorization
Configure OAuth 2.0 and OpenID Connect in AM
Create a customized scope validator and token response
Modify the ContactList example application to use OpenID Connect for authentication
Modify ContactList to behave as an OAuth 2.0 resource server

Chapter 6: Using User-Managed Access

Introduce the UMA architecture and the UMA flows, and use UMA to add sharing functionality to an OAuth 2.0-secured application. Implement an UMA-compatible resource server and implement an UMA client.

Lesson 1: Customizing with UMA

Implement contact group sharing by using UMA:

Explain the benefits and list the elements of UMA
Describe the various tokens and tickets used in UMA
Illustrate the UMA protocol flow
Enable and configure an UMA Provider in AM
Configure UMA stores
Use the UMA discovery endpoint
Manage resources on the UMA administration page
Understand the UMA REST API
Describe the resource set and user label endpoints
Discuss the policy endpoint
Explain the permission request, requesting party token, and pending request endpoints
Understand UMA customization points
Register UMA filters
Implement resource sharing in the example application

ForgeRock Identity Management Training Courses

ForgeRock® Identity Management Deep Dive (IDM-420)

ForgeRock® Identity Management Deep Dive (IDM-420)

Course Overview

Learn how to install and deploy ForgeRock® Identity Management (IDM) in an on-prem or self-managed cloud environment to manage the lifecycle and relationship of digital identities. Topics include how to model identity objects in IDM, create connector configurations and synchronization mappings to manage the flow identity objects and properties with various external identity resources, manage workflows, and deploy IDM within a cluster. This course explores the identity management-related features in-depth, how they work, and the configuration options available during implementation.

Duration – 5 Days

Course Outline

Who Can Benefit

The target audiences for this course include:

System Administrators
System Integrators
System Consultants
System Architects
System Developers

Skills Gained

Upon completion of this course, you should be able to:

Model identity objects, their identity properties, and the relationships between objects, onto existing or new managed objects within IDM
Create and configure connections between external resources and IDM
Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store
Use the sample workflows included with IDM to learn how to introduce business logic into the provisioning process
Install and deploy IDM in an on-prem or cloud provider Linux environment

Prerequisites

The following are the prerequisites for successfully completing this course:

Completion of the ForgeRock® Identity Management Essentials course
Basic knowledge and skills using the Linux operating system will be required to complete the labs.
Basic knowledge of JSON, JavaScript, REST, Java, Groovy, SQL and LDAP would be helpful for understanding the examples; however, programming experience is not required.

Course Details

Chapter 1: Modeling Objects and Identities

Model identity objects, their identity properties, and the relationships between objects, onto existing or new managed objects within IDM.

Lesson 1: Modeling an Identity Profile

Learn about the different object types in IDM, and how you can model a custom identity profile onto a managed object in IDM:

Describe an IDM deployment and the UIs
Access and explore the IDM deployment and UIs
Review the IDM documentation
Describe the different object types in IDM
Map an identity object to a managed object
Describe how to model a managed user object
Model a managed user object in IDM
Describe how to create a new device managed object
Create a new device managed object

Lesson 2: Querying IDM Objects

Use the IDM REST interface to query IDM objects:

Describe how to query objects using the REST interface
Configure Postman to query IDM
Query IDM objects using Postman

Lesson 3: Managing Relationships

Create and manage the relationship between managed objects:

Describe the purpose of relationships
Create and query an object relationship
Describe the visualization of relationships
Create a dashboard to visualize relationships (optional)
Describe the relationship properties
Describe how relationships are configured
Create a new relationship between managed user objects (optional)
Describe the relationship between device managed objects and user managed objects
Set up a relationship between device managed objects and user managed objects

Lesson 4: Managing Organizations

Set up managed organizations to delegate user administration based on the owner of hierarchical trees:

Describe the roles and privileges within an organization
Implement the organization example (optional)

Chapter 2: Managing Connectors

Create and configure connections between external resources and IDM.

Lesson 1: Configuring Connectors With the IDM Admin UI

Describe how to connect external resources to IDM
Describe the process for creating a connector configuration using the IDM Admin UI
Add a connector configuration for an external LDAP resource
Describe how to add a CSV connector configuration
Add a connector configuration to import device identities

Lesson 2: Configuring Connectors Over REST

Describe the process for creating a connector configuration over REST
Describe the core connector configuration settings
Describe the object types and property mappings
Generate a full connector configuration JSON object over REST (optional)

Lesson 3: Connecting to Databases

Describe the ICF connectors for connecting to databases, and how to create connector configurations to access identity data stored in SQL databases:

Describe how to use the Database Table Connector
Configure the Database Table Connector (optional)
Describe how to use the Scripted SQL Connector
Create a scripted SQL connector configuration (optional)

Lesson 4: Connecting to External Resources Using a Scripted REST Connector Configuration

Describe the use cases for using a scripted REST connector
Connect to DS using the scripted REST connector (optional)

Chapter 3: Managing Synchronization and Reconciliation

Synchronize identity data across multiple external resources, in real-time or by scheduling reconciliation events, and consolidate multiple identity data stores into one centralized identity store.

Lesson 1: Performing Basic Synchronization

Describe how to use the IDM Admin UI to create sync mappings to reconcile identities between IDM and an external resource:

Describe how to create mappings to synchronize identity objects and properties
Describe how to create a sync mapping from IDM to an external resource
Describe how to add source and target properties to the sync mapping
Describe how to add a correlation query and a situational event script
Describe how to set the situational behaviors and run reconciliation
Add a sync mapping from IDM to an LDAP server
Describe the sync mapping from an LDAP server to IDM
Add a sync mapping from an LDAP server to IDM
Describe how to create a sync mapping to provision devices to the IDM repository
Create a sync mapping to provision devices to the IDM repository (optional)

Lesson 2: Running Selective Synchronization and LiveSync

Filter objects that are synchronized and automate synchronization using LiveSync:

Describe the different methods that you can use to filter entries
Run selective synchronization using filters
Describe how to use LiveSync to synchronize changes
Trigger LiveSync on a connector
Describe how to schedule LiveSync
Schedule LiveSync with an external resource
Describe how to control synchronization to multiple targets

Lesson 3: Configuring Role-Based Provisioning

Automatically provision users to a set of LDAP groups based on role membership:

Describe how to provision attributes to a target system based on static role assignments
Describe the steps to enable role-based provisioning
Query the role assignment properties using the REST interface
Provision attributes to a target resource based on static role assignments
Describe how to provision attributes to a target system based on dynamic role assignments
Provision attributes to a target resource based on dynamic role assignments
Describe how to add temporal constraints to a role
Add temporal constraints to a role

Chapter 4: Getting Started With Workflow

Use the sample workflows included with IDM to learn how to introduce business logic into the provisioning process.

Lesson 1: Deploying and Starting a Workflow

Enable the workflow engine in IDM and deploy a sample workflow to learn how to manage workflow tasks and processes in the IDM Admin UI, IDM End User UI, and REST interface:

Describe use cases for workflows
Prepare IDM to run the sample workflow
Run the sample workflow
Describe how workflows are implemented
Describe workflow related tasks
Describe workflow instances
Enable the workflow service and examine a sample workflow

Lesson 2: Deploying and Creating a Workflow

Examine, deploy, change, and start the contractor onboarding workflow process that provisions a new user:

Describe the structure of workflow files
Describe how to model workflows
Examine the Flowable UI
Examine the contractor onboarding workflow
Describe how to use forms in workflows
Examine a manual interaction form
Create and deploy a simple workflow
Create and deploy a new workflow from scratch
Describe how to start an approval workflow
Call a workflow from a sync mapping

Chapter 5: Installing and Deploying IDM

Install and deploy IDM in an on-prem or cloud provider Linux environment.

Lesson 1: Installing IDM

Install a stand-alone IDM instance for development and testing the IDM sample configurations:

Describe the basic IDM installation requirements
Describe how to install and start IDM
Install and start IDM (optional)
Describe how to start IDM with a sample
Start IDM with a sample configuration (optional)
Describe how to configure IDM to run as a background process or service
Configure IDM to run as a background process (optional)

Lesson 2: Deploying IDM in a Cluster

Deploy multiple IDM instances in a cluster:

Describe deploying IDM in a cluster
Describe how to manage nodes in a cluster
Add an IDM instance to a cluster

Lesson 3: Monitoring and Troubleshooting

Describe how to set up monitoring and perform basic troubleshooting:

Describe the monitoring options available for IDM
Set up monitoring in IDM
Describe the different IDM log files
Examine the different log files in IDM (optional)
Describe the additional help troubleshooting outside of IDM
Get additional help troubleshooting outside of IDM (optional)

Lesson 4: Implementing Explicit Mapping

Explore the differences between generic and explicit mapping, and implement each in an external ForgeRock® Directory Service (DS) and JDBC repository:

Describe the differences between generic and explicit mapping
Describe how to implement explicit mapping with a JDBC repository
Implement generic mappings with a JDBC repository
Implement explicit mappings with a JDBC repository
Describe how to implement explicit mappings with a DS repository
Implement explicit mappings with a DS repository

Lesson 5: Managing IDM in a Cluster

Manage IDM in a cluster environment:

Describe how to distribute reconciliation operations across a cluster
Enable clustered reconciliation on a sync mapping
Schedule tasks across the cluster
Review sizing and scaling resources

Lesson 6: Delegating Administration

Delegate the administrative privileges to a group of managed users for managing end user identities in IDM:

Describe how to set up delegated administration
Describe the privilege model
Add a new internal role and set up privileges to delegate administration

Lesson 7: Upgrading IDM

Upgrade an IDM instance:

Describe how to upgrade a stand-alone IDM instance
Describe how to migrate an IDM configuration
Describe how to update the IDM repository
Describe how to migrate IDM data
Describe how to upgrade a cluster deployment
Upgrade a stand-alone IDM instance

ForgeRock Directory Services Training Courses

ForgeRock Directory Services Core Concepts (DS-440)

ForgeRock Directory Services Core Concepts (DS-440)

Course Overview

This course takes students from a high-level understanding of how the ForgeRock^® Directory Services (DS) works to a fully functional directory deployment, where they learn how to implement the many features of DS. It provides students with the knowledge and concepts necessary to successfully manage their own deployment. It is accepted that this course is not able to demonstrate all the features and capabilities of DS.

Duration – 5 Days

Course Outline

Who Can Benefit

The target audiences for this course include:

ForgeRock Directory Service Administrators
ForgeRock Access Management Administrators
ForgeRock Identity Management Administrators
System Integrators
System Consultants
System Architects
System Developers

Skills Gained

Upon completion of this course, you should be able to:

Provide a technical introduction to the infrastructure, concepts, features, and components of DS.
Create and manage data stores, measure performance, and troubleshoot directory servers

Prerequisites

The following are the prerequisites to successfully completing this course:

Knowledge of UNIX/Linux commands.
A basic understanding of how directory servers function.
A basic understanding of REST and HTTP.
A basic knowledge of Java based environments would be beneficial, but no programming experience is required.
Completion of the ForgeRock^® Product Essentials courses for Directory Services, Access Management, and Identity

Course Details

Chapter 1: Accessing Directory Services

A technical introduction to the infrastructure, concepts, features, and components of DS.

Lesson 1: Introducing ForgeRock Directory Services

Explore DS components and understand the LDAP data model:

Describe ForgeRock Directory Services

Lesson 2: Interacting With Directory Servers

Access directory servers and perform operations over LDAP and HTTP:

Send LDAP requests
Prepare the lab environment
Perform LDAP operations
Introduce REST to LDAP
Explore the API configuration
Configure REST access
Explain common REST operations
Use the REST API to manage directory data

Chapter 2: Maintaining Directory Servers

Create and manage data stores, measure performance, and troubleshoot directory servers.

Lesson 1: Managing the Configuration

Locate the DS configuration data and use directory server tools to manage configuration data:

Explore configuration data
Prepare the lab environment
Explore the configuration and manage the server state
Manage data stores
Configure backends
Manage indexes
Configure indexes

Lesson 2: Populating Data Stores

Customise directory server schema to add custom attributes, and then import entries to populate a data store:

Extend the schema
Implement custom schema
Import entries
Populate a backend data store
Manage virtual attributes
Configure virtual attributes

Lesson 3: Protecting DS Data

Understand DS security features, implement access control, manage password policies, and delegate administration:

Describe security features
Replace server certificates
Describe access control
Configure access control
Delegate administration
Configure delegated administration
Explore password policies
Configure password policies

Lesson 4: Backing Up and Restoring Data

Back up and restore directory server data:

Explain how to back up and restore data
Back up and restore data

Lesson 5: Measuring Performance

Understand performance requirements and settings that may be tuned to improve directory server performance:

Explain settings that affect performance
Tune the JE DB cache and generate performance tests

Lesson 6: Troubleshooting

Configure log files, collect troubleshooting data for ForgeRock Support, and monitor a DS deployment with Prometheus and Grafana:

Explore log files
Manage log files
Explain how to collect data for support
Collect data for support
Monitor a DS deployment
Observe monitoring metrics

Chapter 3: Deploying Directory Services

Understand how to deploy directory servers, and directory proxy servers, manage replication, upgrade DS servers, and configure the DS password synchronization plugin.

Lesson 1: Installing Directory Servers

Install directory servers for custom and ForgeRock® Identity Platform (Identity Platform) product deployments:

Prepare for a directory server installation
Prepare the lab environment
Install a directory server
Prepare directory servers for Identity Platform installations
Prepare directory servers for ForgeRock® Access Management (AM)
Set up a directory server as a ForgeRock® Identity Management (IDM) repository
Optional Synchronize passwords with IDM
Optional Synchronize DS passwords with IDM

Lesson 2: Replicating Data

Implement high availability for directory servers and maintain, monitor, and restore a replicated directory server topology:

Plan for replication
Install a replicated topology
Monitor and maintain a replicated topology
Monitor replication

Lesson 3: Upgrading DS Servers

Prepare for and perform an upgrade of directory servers in a DS 6.5.5 replicated topology to version DS 7.2:

Describe upgrade options
Upgrade DS 6 servers to DS 7

Lesson 4: Installing Directory Proxy

Understand the role of directory proxy (DP) servers and install DP servers to provide a single point of entry to directory servers:

Introduce DP servers
Install DP servers
Provide a single point of access to replicas

ForgeRock Identity Gateway Training Courses

ForgeRock Identity Gateway Core Concepts (IG-400)

ForgeRock Identity Gateway Core Concepts (IG-400)

Course Overview

The ForgeRock^® Identity Gateway Core Concepts course is for students who want to examine core concepts and implement key use cases and features of ForgeRock Identity Gateway (IG) to help extend access to and protect web applications, legacy applications, and application programming interfaces (APIs), within an access management solution.

This course comprises a mix of instructor-led lessons and demonstrations with plenty of lab exercises to ensure an opportunity to fully understand each of the topics covered. It provides students with the necessary skills to plan, install, configure, and administer an IG deployment. The main goal of the course is to provide a thorough understanding of, and hands-on experience with IG, so students can control the most important functions of and manage a successful production deployment.

Note that Revision B of this course is built on version 6.5 of ForgeRock Identity Gateway.

Duration – 4 Days

Course Outline

Who Can Benefit

The following are the target audiences for this course:

System Integrators
System Consultants
System Architects
System Administrators
Web Developers

Skills Gained

Upon completion of this course, you should be able to:

Describe the role and use cases where IG fits within a ForgeRock Identity Platform™ solution, the basic concepts of IG, and how to perform a basic installation and configuration of IG.
Use IG to protect a legacy application.
Configure agentless single sign-on with IG, where authentication can be delegated to AM, including cross-domain, to an OIDC provider, or to a SAML2 Identity provider.
Extend IG to support the retrieval of user profile attributes.
Use IG as a policy enforcement point to protect a given web application, where AM is the policy decision point, and configure authentication step-up and transactional authorization.
Protect a REST API using OAuth2-based solutions.
Extend the solution using scripting.
Prepare for production of an IG project by addressing maintenance, tuning, security, and deployment questions.

Prerequisites

The following are the prerequisites to successfully completing this course:

Basic knowledge and skills using the Linux operating system to complete labs
Basic knowledge of HTTP and communications between clients and web applications is critical to understanding and working with IG
Basic knowledge of JSON, JavaScript, REST, Java, Groovy, SQL, and XML helpful in understanding examples, especially Groovy for scripting within IG
Attendance at AM400 ForgeRock Access Management Core Concepts course or equivalent knowledge

Course Details

Chapter 1: Integrating a web site and a legacy application with IG

Describe the role and use cases where IG fits within a ForgeRock Identity Platform solution, basic concepts of IG, and how to perform a basic installation and configuration of IG.

Lesson 1: Introducing ForgeRock Identity Gateway

Provide an overview of IG
Discuss IG use cases
Present IG features

Lesson 2: Fronting a website with IG

Show how IG acts as a reverse proxy
Discuss proxying WebSocket traffic
Describe installation requirements and install IG
Use IG Studio to protect a website
Examine IG configuration structure

Lesson 3: Routing and processing requests and responses

Understand how IG routes requests depending on external conditions
Describe how Handlers direct requests and responses within a route
Explain how filters process requests and responses
Implement password replay

Lesson 4: Understanding IG object model and logging

Understand the IG object model
Examine request, response, context, and session
Use a CaptureDecorator to perform logging
Configure the FileAttributesFilter

Chapter 2: Configuring Agentless Single Sign-On

Demonstrate how to integrate single sign-on in an IG solution by delegating authentication to either an AM solution, including cross-domain, an OIDC provider, or a SAML2 Identity provider.

Lesson 1: Implementing authentication with the SingleSignOnFilter

Use Freeform technology preview to protect a website
Configure an AM Service
Describe the use of the SingleSignOnFilter
Retrieve information from AM using the UserProfileFilter and SessionInfoFilter

Lesson 2: Configuring CDSSO for the legacy application

Describe and implement a CrossDomainSingleSignOnFilter

Lesson 3: Performing SSO with IG as an OpenID Connect relying party

Describe and implement an OAuth2ClientFilter

Lesson 4: Providing SSO with IG as a SAML2 service provider

Describe and implement a SAML2FederationHandler
Describe and implement a DispatchHandler

Chapter 3: Controlling access with IG as Policy Enforcement Point

Use IG as a policy enforcement point to protect a given web application, where AM is the policy decision point, using policies and policies with advice to provide authentication step-up and transactional authorization.

Lesson 1: Implementing authorization with a PolicyEnforcementFilter

Describe and implement a PolicyEnforcementFilter

Lesson 2: Providing step-up authentication and transactional authorization

Describe and implement step-up authentication
Describe and implement transactional authorization

Chapter 4: Protecting a REST API

Use IG as an OAuth2 resource server to protect a REST API and demonstrate how the solution can be extended by using scripting

Lesson 1: Configuring IG as an OAuth2 resource server

Describe and implement an OAuth2ResourceServerFilter
List access token resolvers
Observe the flow with the TokenIntrospectionAccessTokenResolver

Lesson 2: Extending functionality with scripts

Describe the scripting framework for extending IG functionality
Examine and implement dynamic scopes solution

Chapter 5: Preparing for production with IG

Highlight various areas that must be taken into account when preparing to go to production with an IG solution, such as maintenance, tuning, security, and deployment.

Lesson 1: Auditing, monitoring, and tuning an IG solution

Describe and implement auditing
Discuss monitoring
Examine tuning questions

Lesson 2: Developing awareness of security questions with IG

Discuss IG best practices regarding security
Examine and implement common secrets
Describe and implement throttling

Lesson 3: Deploying IG

Describe and implement property value substitution
Set up multiple IG instances

ForgeRock DevOps Training Courses

Configuring the ForgeRock Identity Platform™ in a DevOps Environment (FR-523)

Configuring the ForgeRock Identity Platform™ in a DevOps Environment (FR-523)

Course Overview

his expert-led workshop guides students through the deployment of the ForgeRock Identity Platform^™ (the Platform) on a Kubernetes cluster running in Google Kubernetes Environment (GKE).

The workshop initially describes how to use the ForgeRock Cloud Developer’s Kit (CDK) to deploy a sample configuration of the Platform, which includes ForgeRock^® Access Management (AM) and ForgeRock^® Identity Management (IDM), which share ForgeRock^® Directory Service (DS) as an identity store.

The CDK is used to configure the Platform and redeploy the updated configuration in an existing Kubernetes cluster.

Students then create a new cluster deploy the Platform by following the Cloud Deployment Model (CDM). Monitoring add-ons tools are included with the CDM example. The skills gained by performing deployments with the CDK and CDM reference examples, help you identify the Kubernetes cluster and the Platform configuration requirements needed for preparation to move deployments into other environments, such as test and production.

The last chapter of the workshop explores the challenges of migrating an existing on-prem ForgeRock deployment to Kubernetes.

This workshop uses the ForgeRock DevOps documentation set as a reference for the hands-on labs.

Also, it is important that you have already successfully completed the relevant ForgeRock Core Concepts courses before attending this workshop. It is beneficial that you also have experience working with DevOps technology such as Kubernetes, Skaffold, Kustomize, Git, among other related tools.

Duration – 3 Days

Who Can Benefit

The target audiences for this course include:

Developers who customize and deploy ForgeRock® Access Management (AM), ForgeRock^® Directory Server (DS), and ForgeRock^® Identity Management (IDM) components.
Deployment engineers who routinely set up Kubernetes clusters and deploy integrated software in the cloud.
Site engineers who configure the Kubernetes cluster and who launch the Platform into production.

Skills Gained

Upon completion of this course, you should be able to:

Introduce the ForgeOps toolset and documentation, get familiar with DevOps tools and deploy the ForgeRock^® Identity Platform (Identity Platform) using the Cloud Deployment Kit (CDK)
Configure the ForgeRock^® Identity Platform (Identity Platform) using the Cloud Deployment Model (CDM)
Use the provided ForgeRock scripts to add monitoring, run benchmarks, and explore the backup and restore tools for the ForgeRock^® Identity Platform (Identity Platform). Build your custom base Docker images. Manage Secrets
Migrate the FEC Portal sample application to Kubernetes

Prerequisites

The following are the prerequisites for successfully completing this course:

Successful completion of the ForgeRock University core concepts courses:
- — DS-400: ForgeRock^® Directory Services Core Concepts
- — AM-410: ForgeRock^® Access Management: Deep Dive
- – IDM-420: ForgeRock^® Identity Management Core Concepts
Knowledge of Linux, working in a Linux environment, using the command-line, and knowledge of shell scripting is expected.
DevOps experience and experience with Kubernetes and Docker are recommended.

Course Details

Chapter 1: Introducing ForgeRock DevOps and the CDK

Introduce the ForgeOps toolset and documentation, get familiar with DevOps tools and deploy the ForgeRock^® Identity Platform (Identity Platform) using the Cloud Deployment Kit (CDK).

Lesson 1: Introducing ForgeRock DevOps Documentation and Examples

Introduce the Identity Platform, describe how to use the ForgeRock DevOps documentation to deploy the Identity Platform to a shared cluster, and introduce the DevOps techniques and tools required for a successful deployment:

Describe the Identity Platform and related DevOps techniques for deploying the Identity Platform to Kubernetes
Access your CloudShare lab environment and developer desktop
Access your associated GCP account for deploying the Identity Platform
Describe the ForgeRock DevOps documentation and the CDK and CDM methods of deployment
Describe the DevOps tools for deployment and deploy a simple application to validate the environment
Deploy a simple application to validate the tools and environment

Lesson 2: Deploying the Identity Platform to GKE using the CDK

Use the DevOps Developer’s Guide: CDK documentation to prepare the Kubernetes cluster, clone the forgeops repository, and deploy the Identity Platform to the Kubernetes cluster running in GKE:

Prepare your DevOps environment
Prepare to use an existing cluster for the Identity Platform
Deploy the Identity Platform to a GKE cluster
Verify the Identity Platform is deployed and accessible
Work with basic DevOps commands to explore the Identity Platform
Remove the Identity Platform deployment and clean up the environment
Compare deployment of the Identity Platform on other cloud providers

Lesson 3: Troubleshooting When Problems Arise

Provide some troubleshooting tips to help diagnose issues that might occur while performing the hands-on portion of this workshop:

Approaching troubleshooting of common issues in Kubernetes systematically
Locating DevOps related troubleshooting references
Running commands for troubleshooting environment issues
Running commands for troubleshooting containerization issues
Running commands for troubleshooting orchestration issues
Identifying resources for getting additional support

Lesson 4: Deploying the Identity Platform with Custom Docker Images

To build and push Docker images using a private Docker registry to deploy the Identity Platform with customized configurations of ForgeRock® Access Management (AM), ForgeRock^® Identity Management (IDM), and ForgeRock^® Identity Gateway (IG):

Navigate the forgeops repository
Describe data used during deployment of the Identity Platform
Deploying the Identity Platform using a customized configuration profile
Deploy the Identity Platform using a customized configuration profile
Describe how to work with Kubernetes manifests and objects
Describe how to use Kustomize overlays to modify Kubernetes objects
Use Kustomize overlays to modify deployment configurations

Chapter 2: Working with the CDM

Configure the ForgeRock^® Identity Platform (Identity Platform) using the Cloud Deployment Model (CDM).

Lesson 1: Managing Multiple Deployment Environments

Plan and prepare for moving the Identity Platform Cloud Deployment Model (CDM)-based deployment from the development or Proof of Concept (PoC) stage into a test, and ultimately a production environment:

Manage multiple environments with Skaffold profiles and Kustomize
Prepare for deployment to multiple environments
Move from development to other environments using Property Value Substitution

Lesson 2: Preparing Your Environment for Deployment Based on the CDM

Explain the CDM, describe the requirements for setting up your deployment environment on GKE for the CDM, and deploy a new cluster based on one of the CDM configuration samples:

Describe the CDM
Describe the requirements for creating and setting up the deployment environment for the CDM
Create a Kubernetes cluster
Deploy the Secret Agent Operator
Deploy an ingress controller on the cluster
Deploy the certificate manager on the cluster
Deploy the monitoring tools on a cluster
Set up your local environment to push Docker images

Lesson 3: Deploying the CDM

Deploy the Identity Platform using the CDM “small” profile:

Deploy the CDM

Chapter 3: Building a Staging Environment

Use the provided ForgeRock scripts to add monitoring, run benchmarks, and explore the backup and restore tools for the ForgeRock^® Identity Platform (Identity Platform). Build your custom base Docker images. Manage Secrets.

Lesson 1: Monitoring and Benchmarking Your Deployment

Deploy the Prometheus and Grafana monitoring tools within your deployed cluster and monitor your Kubernetes deployment objects and Identity Platform components. Generate test load and benchmark the deployment (optional):

Describe the monitoring infrastructure for the CDM
Deploy the monitoring tools on a cluster
Monitor the CDM deployment
Benchmark the CDM deployment for monitoring (optional)

Lesson 2: Backing Up and Restoring the Identity Platform

Describe how to back up and restore the Identity Platform on a Kubernetes cluster:

Describe backup and restore with CDM
Enable scheduled backups, initiate a backup, and export user data

Lesson 3: Building Your Own Base Docker Images

Build your own base Docker image and reference it in the related product’s Dockerfile for a CDK or CDM deployment of the Identity Platform with your customizations:

Overview of building custom base Docker images
Prepare ForgeRock software for your own base Docker images
Create your own base Docker images
Deploy your own base Docker images

Lesson 3: Handling Secrets

Describe and handle secrets for securing access to components deployed with your configuration of the Identity Platform:

Overview of the forgeops secret generation
Managing secrets

Chapter 4: Migrating an On-Prem Deployment to Kubernetes

Migrate the FEC Portal sample application to Kubernetes.

Lesson 1: General Considerations

Discuss how to migrate an existing, on-prem deployment to Kubernetes, learn about planning the migration, and securing a production environment:

Plan the migration
Production Considerations
Prepare your environment

Lesson 2: Migrating an On-Prem DS Configuration to Kubernetes

Discuss how to migrate an existing DS configuration to Kubernetes, and then implement the migration tasks for the given FEC Portal use case:

Discuss how you can migrate an existing DS configuration to Kubernetes
Migrate the DS configuration and sample user data using the CDK

Lesson 3: Migrating an On-Prem AM Configuration to Kubernetes

Discuss how to migrate an existing AM configuration to Kubernetes, and then implement the migration tasks for the given FEC Portal use case:

Discuss how you can migrate an existing AM configuration to Kubernetes
Migrate an existing AM configuration to Kubernetes
Discuss how to customize the AM web application
Customize the AM web application during deployment

Lesson 3: Migrating an On-Prem IDM Configuration to Kubernetes

Discuss how to migrate a previous IDM deployment to Kubernetes and implement the migration tasks for the given FEC Portal use case:

Discuss how you can migrate an existing IDM configuration to Kubernetes
Migrate the configuration from an on-prem IDM to the CDK
Migrate identity data from a previous version of IDM to Kubernetes

ForgeRock Identity Cloud Training Courses

Getting Started with ForgeRock® Identity Cloud (IC-300)

Getting Started with ForgeRock® Identity Cloud (IC-300)

Course Overview

This course takes students from a high-level understanding of how ForgeRock^® Identity Cloud (Identity Cloud) works, through the various online resources available to them, to a fully functional hands-on development environment, where they learn how to implement the many features of Identity Cloud in a training environment. Students take real-world use cases and implement them in a provided live Identity Cloud environment, where they learn the concepts and tasks necessary to successfully manage identities, applications, and user journeys in their own Identity Cloud.

Duration – 3 Days

Course Outline

Who Can Benefit

The target audiences for this course include:

ForgeRock Identity Cloud Administrators
Technical users new to ForgeRock Identity Cloud and other ForgeRock products
Those new to Identity Cloud and considering taking the certification exam

Skills Gained

Upon completion of this course, you should be able to:

Describe the benefits and features of Identity Cloud, understand how to access an Identity Cloud tenant and your CloudShare lab environment
Manage the onboarding of users through self-service, importing bulk identities, and synchronizing identities between Identity Cloud and external resources
Create new user journeys to support how end users authenticate and perform self-service with Identity Cloud
Integrate application client profiles and gateway profiles into Identity Cloud to support external applications accessing Identity Cloud for identity and access management services
Manage federation to let employees with credentials stored in a remote Active Directory data store access services in Identity Cloud

Prerequisites

The following are the prerequisites for successfully completing this course:

Completion of the ForgeRock Product Essentials courses
- ForgeRock^® Access Management Essentials
- ForgeRock^® Identity Management Essentials
- ForgeRock^® Identity Gateway Essentials
- ForgeRock^® Directory Services Essentials

Course Details

Chapter 1: Introducing Identity Cloud

Describe the benefits and features of Identity Cloud, understand how to access an Identity Cloud tenant and your CloudShare lab environment.

Lesson 1: Introducing ForgeRock Identity Cloud

Provide an overview of Identity Cloud, starting with what students should already know about it, and relate it to their job role, and the tasks they need to perform to support the business requirements supported by Identity Cloud:

Describe Identity Cloud
Describe the top ten customer business requirements
Describe Identity Cloud onboarding services

Lesson 2: Getting Access to Identity Cloud

Describe the onboarding process or procedure for getting access to Identity Cloud:

Describe the tenant registration process
Describe the Identity Cloud Admin UI

Lesson 3: Accessing Your CloudShare Lab Environment

A short lesson to introduce and access the CloudShare lab environment:

Describe the CloudShare lab environment
Log in to your CloudShare lab environment

Chapter 2: Managing User Identities

Manage the onboarding of users through self-service, importing bulk identities, and synchronizing identities between Identity Cloud and external resources.

Lesson 1: Managing Identities

Manage user identities as an Identity Cloud administrator using the Identity Cloud Admin UI, which is an administrative interface to manage your tenant settings. Delegate user management in the End User UI to end users:

Describe use cases and processes for managing identities
Manage identities using the Identity Cloud Admin UI
Set up 2-step verification and configure delegated administration
Describe use cases and processes for password policy management
Configure default password policies

Lesson 2: Onboarding Users With Self-Service

Add new users to your tenant through self-registration

Describe use cases and processes for self-registration
Create a new user using self-registration
Describe use cases and processes for managing personal data and consent
Manage personal data and consent

Lesson 3: Adding Identities with Bulk Import

Bulk import user identities from a CSV file:

Describe use cases and processes for bulk import
Add customers to Identity Cloud
Troubleshoot import failures

Lesson 4: Utilizing Placeholder Attributes

Update and extend the managed user object schema to add properties to a user’s profile:

Describe use cases and processes for placeholder attributes
Manage placeholder attributes

Lesson 5: Synchronizing Identities from External Resources

Connect to external resources using a Remote Connector Server, and synchronize identities between Identity Cloud and on-premises resources:

Describe use cases and processes for synchronizing identities from an external resource
Configure remote connections between your tenant and external ForgeRock^® Directory Services (DS)
Describe how to synchronize identities
Synchronize entries between DS and Identity Cloud
Synchronize entries between Identity Cloud and DS
Configure remote connections between your tenant and an external AD server
Synchronize AD entries
(Optional) Configure a Remote Connector Server cluster

Lesson 6: Managing Provisioning Roles and Assignments

Manage provisioning roles and assignments within the platform to provision attributes to external resources:

Describe roles and assignment use cases and processes
Create assignments and provisioning roles

Lesson 7: (Optional) Additional Administration Tasks

Discuss and demonstrate additional tasks that an Identity Cloud administrator should be aware of:

Describe how to add a custom domain name
Describe how to access Identity Cloud using REST API endpoints
Describe how to access platform logs
Describe how to monitor your environment

Chapter 3: Managing User Journeys

Create new user journeys to support how end users authenticate and perform self-service with Identity Cloud.

Lesson 1: Exploring the User Journeys

Describe the purpose of the preconfigured user journeys included with Identity Cloud, and explore each user journey as an Identity Cloud administrator and an end user:

Describe the preconfigured user journeys
View the preconfigured user journeys
Describe the URLs and realms relationship
Describe the preconfigured ProgressiveProfile journey
Collect user preferences upon subsequent logins
Describe the self-service journeys
Recover your forgotten username, reset your password, and update your password

Lesson 2: Modifying the User Journeys

Use the journey editor in Identity Cloud to duplicate and modify the default Login user journey:

Describe the role of authentication nodes and trees within Identity Cloud
Modify the default Login user journey
Modify the UI theme for an organization
Make minor branding changes
Describe how to modify the preconfigured email templates
Modify an email template for the ResetPassword and Registration journeys
Describe how to reference variables from within a script

Lesson 3: Configuring User Self-Service

Configure the self-service features of Identity Cloud to empower end users to independently make changes to their identity, instead of going through a help desk:

Describe the KBA-related journey
Configure the KBA questions and set requirements
Describe the Terms and Conditions-related journey
Configure and set the Terms and Conditions

Lesson 4: Configuring Social Registration and Authentication

Configure Identity Cloud to let end users register and authenticate new accounts using a social provider:

Describe steps for configuring social registration and authentication
Configure a social identity provider for Identity Cloud
Describe how you can add social registration
Add social registration to the preconfigured Registration user journey
Describe how you can add social authentication
Add social authentication to the preconfigured Login user journey

Chapter 4: Integrating Applications and Gateways

Integrate application client profiles and gateway profiles into Identity Cloud to support external applications accessing Identity Cloud for identity and access management services.

Lesson 1: Defining Applications

Describe the role of an application in Identity Cloud:

Describe the role of applications in Identity Cloud
Describe the supported application types

Lesson 2: Adding an Application Client Profile

Add a new application client profile in Identity Cloud for a given ForgeRock^® SDK sample application, and validate the application can authenticate with Identity Cloud using the client profile:

Describe the role of the ForgeRock SDKs within Identity Cloud
Describe the tasks for adding a browser-based type application
Add a browser-based type application
Use an SSO token with a browser-based application

Lesson 3: Integrating Identity Gateway

Add a gateway profile, and supporting application client profile, to integrate ForgeRock^® Identity Gateway (Identity Gateway) with Identity Cloud:

Describe the Identity Cloud with Identity Gateway use cases
Configure Identity Cloud to validate access tokens from Identity Gateway
Configure Identity Cloud as an OIDC provider
Configure Identity Cloud as an SSO authentication server

Chapter 5: Managing Federation

Manage federation to let employees with credentials stored in a remote Active Directory data store access services in Identity Cloud.

Chapter 1: Introducing ForgeRock Identity Cloud

Describe the benefits and features of Identity Cloud and how to access an Identity Cloud tenant as an administrator.

Lesson 1: Introducing Identity Cloud

Provide an overview of Identity Cloud, and the onboarding process:

Describe Identity Cloud
Explain Identity Cloud onboarding services

Lesson 2: Getting Access to Identity Cloud

Describe Identity Cloud tenant registration:

Describe the tenant registration process
Introduce the Identity Cloud Admin UI

Chapter 2: Managing User Identities

Manage the onboarding of users through self-service, understand managed objects, import identities, and synchronize identities between Identity Cloud and external resources.

Lesson 1: Managing Identities

Manage user identities and invite additional administrators using the Identity Cloud Admin UI, which is an administrative interface to manage your tenant settings:

Manage user profiles in Identity Cloud
Manage a user profile in Identity Cloud
Manage administrators
Invite a top-level administrator
Explain UI integration options
Configure themes for the Alpha and Bravo realms
Manage password policies
Configure password policies

Lesson 2: Onboarding Users With Self-Service

Add new users to your tenant through self-registration:

Describe self-registration
Register a user
Describe self-service
Explore self-service features

Lesson 3: Introducing Organizations

Explain how an organization hierarchical structure can be used to model a brand hierarchy to control access to business applications:

Explain how to model an organization structure

Lesson 4: Adding Identities With Bulk Import

Bulk import user identities from a CSV file:

Describe bulk import
Import customers and employees

Lesson 5: Extending the User Identity Schema

Extend the user identity schema to store and display custom properties:

Manage placeholder properties
Customize placeholder properties
Describe how to use custom attributes
Add custom attributes

Lesson 6: Synchronizing Identities from External Resources

Connect to external resources using a Remote Connector Server (RCS), and synchronize identities between Identity Cloud and on-prem resources:

Explain how to connect to external resources
Configure a connection between Identity Cloud and an external ForgeRock^® Directory Services (DS)
Explain synchronization
Populate Identity Cloud with DS entries
Configure bi-directional synchronization
Populate Identity Cloud with AD users
Configure an RCS Cluster (optional)

Lesson 7: Managing Provisioning Roles and Assignments

Manage provisioning roles and assignments to dynamically provision attributes to external resources:

Introduce provisioning roles and assignments
Create assignments and provisioning roles

Lesson 8: Additional Administration Tasks

Explain additional tasks that an Identity Cloud administrator should be aware of:

Add a custom domain name
Introduce Identity Cloud REST APIs
Explore logs
Monitor your tenant
View the Identity Cloud analytics dashboard
Describe how to manage environment secrets and variables
Create and call an environment variable

Chapter 3: Managing User Journeys

Manage journeys to support how end users authenticate and perform self-service with Identity Cloud.

Lesson 1: Exploring Default Journeys

Describe the default journeys included with Identity Cloud, and explore self-service journeys as an Identity Cloud administrator and end user:

Introduce journeys
Explain self-service journeys
Explore self-service journeys

Lesson 2: Modifying Journeys

Use the journey editor in Identity Cloud to manage a journey, and understand the use of authentication nodes and email templates in a journey flow:

Introduce authentication nodes
Manage journeys
Group journeys
Modify the Login journey
Explore email templates and nodes
Configure email templates
Modify an email template
Describe how to debug a journey
Enable debug mode on a user journey

Lesson 3: Configuring Self-Service

Configure the self-service features of Identity Cloud to empower end users to independently make changes to their identity, instead of going through a help desk:

Explore knowledge-based authentication (KBA) options
Configure self-service to use KBA
Explain terms and conditions
Configure terms and conditions

Lesson 4: Configuring Social Registration and Authentication

Configure Identity Cloud to let end users register and authenticate new accounts using a social provider:

Explain social registration and authentication
Configure an OAuth 2.0 client for Identity Cloud and configure Google as an identity provider
Add social registration to the Registration journey
Add social authentication to the Login journey

Lesson 5: Importing and Exporting Journeys

Import and export user journeys using the Identity Cloud Admin UI:

Describe how to export and import journeys
Export and import journeys

Chapter 4: Integrating Applications and Gateways

Integrate application client profiles and gateway profiles into Identity Cloud to support external applications accessing Identity Cloud for identity and access management services.

Lesson 1: Defining Applications

Describe the role of an application in Identity Cloud:

Describe supported application types

Lesson 2: Adding an Application Client Profile

Add a new application client profile in Identity Cloud for a ForgeRock SDK sample application, and validate the application can authenticate with Identity Cloud using the client profile:

Explain how the ForgeRock SDKs are used with Identity Cloud
Add an SPA
Enable a JavaScript application to use Identity Cloud for authentication

Lesson 3: Integrating Identity Gateway

Show how Identity Gateway can protect an application when it is integrated with Identity Cloud:

Introduce Identity Gateway
Integrate Identity Gateway with Identity Cloud
Integrate the Identity Gateway sample application with Identity Cloud

Chapter 5: Managing Federation

Manage federation to let employees with credentials stored in a remote AD data store access services in Identity Cloud.

Lesson 1: Integrating Third-Party Services using SAML

Integrate Identity Cloud with a third-party provider using SAML v2.0 (SAML) to provide single sign-on services:

Introduce Federation
Explain how to configure Identity Cloud as an SP
Configure Identity Cloud as an SP
Explain how to configure ADFS as an IdP
Configure ADFS as an identity provider (IdP)
Explain how to configure Identity Cloud to use an IdP
Configure Identity Cloud to use an IdP

Certification

ForgeRock Certification Paths

ForgeRock offers world-class certifications designed to validate and recognize IT professionals with the technical capabilities and real-world experience needed to effectively design, deploy, and manage ForgeRock technology based identity solutions. Red Education delivers the complete curriculum of ForgeRock University courses. As ForgeRock’s largest Training Provider in Asia Pacific, EMEA, SAARC & LATAM we offer all courses in our popular Virtual-Instructor-Led-Training option or traditional classroom training.

ForgeRock Certified Access Management Specialist

ForgeRock Certified Access Management Specialist Exam – FRX-AM-CSE

The ForgeRock Certified Access Management Specialist exam is targeted at IT professionals responsible for administering and deploying ForgeRock Access Management solutions. The exam validates your ability to install, configure, administer, troubleshoot and maintain components of ForgeRock Access Management.

The exam consists of 100 questions that must be completed in 120 minutes.
Questions are multiple choice.
You must achieve a minimum score of 53% to pass.

There are several requirements you should meet before attempting the exam:

Successfully complete the ForgeRock Access Management Deep Dive (AM-410) course
Successfully complete the ForgeRock Access Management: Customization and APIs (AM-421) course will also be of benefit to exam candidates
Thorough understanding of AM-410 ForgeRock Access Management Deep Dive, including all Access Management documentation and Knowledge Base articles on Backstage
3-6 months of experience installing and configuring ForgeRock Access Management
Working knowledge of Java based environments

The ForgeRock Certified Identity Management Specialist

ForgeRock Certified Identity Management Specialist Exam – FRX-IDM-CSE

The ForgeRock Certified Identity Management Specialist exam is targeted at IT professionals responsible for administering and deploying ForgeRock Identity Management solutions. The exam validates your ability to install, configure, administer, troubleshoot and maintain components of ForgeRock Identity Management.

The exam consists of 100 questions that must be completed in 120 minutes.
Questions are multiple choice.
You must achieve a minimum score of 68% to pass.

There are several requirements you should meet before attempting the exam:

Successfully complete the ForgeRock Identity Management Deep Dive (IDM-420)
Thorough understanding of IDM-420 ForgeRock Identity Management, including all Identity Management documentation and Knowledge Based articles on Backstage
3-6 months of experience installing and configuring ForgeRock Identity Management
Working knowledge of JSON, JavaScript, REST, Java, Groovy, SQL and LDAP

ForgeRock® Identity Cloud Certified Professional

ForgeRock® Identity Cloud Certified Professional Exam - FRX-IC-CPE

The ForgeRock Identity Cloud Professional exam is for IT professionals responsible for administering deployments of the ForgeRock Identity Cloud. The exam validates your ability to configure, administer, troubleshoot and maintain components of ForgeRock Identity Cloud tenants.

The exam consists of 60 questions that must be completed in 90 minutes.
Questions are multiple choice.
You must achieve a minimum score of 65% to pass.

There are several requirements you should meet before attempting the exam:

Successfully complete the IC-300 Getting Started with ForgeRock Identity Cloud course
Thorough understanding of IC-300 Getting Started with ForgeRock Identity Cloud, including all Identity Cloud documentation and Knowledge Base articles on Backstage
3-6 months of experience configuring and administering ForgeRock Identity tenants
Working knowledge of OAuth 2.0, OpenID Connect and SAML v2.0

ForgeRock Certification Exam Registration

The exam registration process begins at forgerock.com/university as all ForgeRock certification exams require prior ForgeRock authorization. Once authorized, you will be directed to Pearson VUE to book and pay for your exam. If this is your first time taking a ForgeRock certification exam, please create a new web account using the Candidate ID provided in order to schedule the exam that you have been authorized to take. This is required even if you have taken other certification exams at Pearson VUE and have an existing account.