ForgeRock® Access Management: Deep Dive

Course Description

The objective of this course is to showcase the key features & capabilities of the versatile & powerful ForgeRock® Access Management (AM). It gives the student the knowledge & confidence to manage their own environment. It is understood that this course alone cannot demonstrate the full set of features & capabilities of AM. Further information & guidance can be found in the documentation & knowledge base in the online repositories at Backstage: https://backstage.forgerock.com.

Prerequisites

The following are the prerequisites for successfully finishing this course:

Audience Profile

The target audiences for this course include:

  • ForgeRock Access Management Administrators
  • System Integrators
  • System Consultants
  • System Architects
  • System Developers

Learning Objectives

Upon completion of this course, one should be able to:

  • Begin with an unprotected website & end up with a fully operational access management solution where every user attempting to access the website is redirected to AM for authentication
  • Enhance access management security in AM with multi-factor authentication (MFA), context-based risk analysis, & continuous risk checking
  • Execute OAuth 2.0 (OAuth2)-based protocols, namely OAuth2 and OpenID Connect 1.0 (OIDC), to allow low-level devices & mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to operate as an OIDC client & delegate authentication to social media OIDC providers
  • Exhibit federation across entities utilizing SAML2 with AM
  • Install a new AM instance configured along with external directory server data stores as the foundation for an AM cluster

Content Outline

Begin with an unprotected website & end up with a fully operational access management solution where every user attempting to access the website is redirected to AM for verification.

Lesson One: Exploring Authentication Mechanisms

Explore the AM Admin UI & view the role of cookies used during & after authentication:

  • Familiarize AM authentication
  • Comprehend realms
  • Explain authentication life cycle
  • Describe sessions
  • Examine session cookies
  • Train the lab environment
  • Examine an initial AM installation
  • Configure a realm & examine AM default authentication
  • Experiment with session cookies
  • Explain the authentication mechanisms of AM
  • Construct and manage trees
  • Explore tree nodes
  • Develop a login tree
  • Test the login tree

Lesson Two: Protecting a Website With IG

Show how IG, integrated with AM, can guard a website:

  • Present AM edge clients
  • Explain IG functionality as an edge client
  • Examine the FEC website protected by IG
  • Combine the FEC website with AM
  • Observe the IG token cookie
  • (Optional) Check IG configuration
  • Affirm identities with AM
  • Combine identities in AM with an identity store
  • Develop an authentication tree with an LDAP Decision node
  • Combine an identity store with AM

Lesson Three: Controlling Access

Create security policies to manage which users can access specific areas of the website:

  • Explain entitlements with AM authorization
  • Define AM policy components
  • Express policy environment conditions and response attributes
  • Explain the process of policy evaluation
  • Execute access control on a website

Enhance access management security in AM with MFA, context-based risk analysis, & continuous threat checking.

Lesson One: Increasing Authentication Security

Improve authentication security using MFA:

  • Explain MFA
  • Register a device
  • Enclose recovery codes
  • Examine OATH authentication
  • Execute TOTP authentication
  • (Optional) Execute HOTP authentication
  • Examine Push notification authentication
  • (Optional) Execute Push notification authentication
  • Execute passwordless WebAuthn
  • (Optional) Execute passwordless WebAuthn
  • Investigate HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication utilizing email or SMS

Lesson Two: Adjusting a User's Authentication Experience Based on Context

Explain how AM can take into account the context of an authentication request in order to make access decisions:

  • Present context-based risk analysis
  • Explain device profile nodes
  • Determine the threat based on the context
  • Execute a browser context change script
  • Lock & unlock accounts
  • Execute account lockout

Lesson Three: Checking Risk Continuously

Examine the AM tools used to check the threat level of requests continuously:

  • Present continuous contextual authorization
  • Explain step-up authentication
  • Implement step-up authentication flow
  • Illustrate transactional authorization
  • Execute transactional authorization
  • Stop users from bypassing the default tree

Execute OAuth2-based protocols, namely OAuth2 and OIDC, to allow low-level devices & mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to operate as an OIDC client & delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2

Integrate clients utilizing OAuth2 by demonstrating the usefulness of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server:

  • Consult OAuth2 concepts
  • Explain OAuth2 tokens and codes
  • Explain refresh tokens, macaroons, & token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Describe OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Experiment with the OAuth2 Device Code grant type flow

Lesson 2: Integrating Applications With OIDC

Integrate an application using OIDC & the Authorization Code grant type flow with AM as an OIDC provider:

  • Present OIDC
  • Explain OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Construct and use an OIDC script
  • Build an OIDC claims script
  • Register an OIDC client & configure the OAuth2 Provider settings
  • Experiment with the OIDC Authorization Code grant type flow

Lesson 3: Authenticating OAuth2 Clients and Utilizing mTLS in OAuth2 for PoP

Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens utilizing mutual TLS (mTLS) to deliver token proof-of-possession (PoP):

  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication utilizing JWT profiles
  • Examine OAuth2 client authentication utilizing mTLS
  • Authenticate an OAuth2 client utilizing mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Acquire a certificate-bound access token

Lesson 4: Transforming OAuth2 Tokens

Request & obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation & delegation semantics:

  • Explain OAuth2 token exchange
  • Describe token exchange types and the purpose of exchange
  • Explain token scopes and claims
  • Execute a token exchange impersonation pattern
  • Execute a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows

Lesson 5: (Optional) Implementing Social Authentication

Deliver a way for users to register & authenticate to AM using a social account:

  • Delegate registration & authentication to social media providers
  • Execute social registration & authentication with Google

Demonstrate federation across entities utilizing SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2

Demonstrate single sign-on (SSO) functionality across corporate boundaries:

  • Discuss SAML2 entities and profiles
  • Describe the SAML2 flow from the IdP point of view
  • Examine SSO across SPs
  • Configure AM as an IdP & integrate with third-party SPs
  • Examine SSO between SP & IdP and across SPs

Lesson 2: Delegating Authentication Using SAML2

Delegate authentication to a third-party IdP utilizing SAML2 and examine the metadata:

  • Describe the SSO flow from the SP point of view
  • Explain the metadata content and purpose
  • Configure AM as a SAML2 SP & integrate with a third-party IdP

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, change the AM configuration to harden security, upgrade an AM instance to a new version, & deploy the ForgeRock® Identity Platform (Identity Platform) to the Google Cloud Platform (GCP).

Lesson One: Installing & Upgrading AM

Install AM utilizing interactive & command-line methods, creating the foundations for a cluster topology, & upgrade an AM 7.0.1 instance to AM 7.1:

  • Plan deployment configurations
  • Prepare before installing AM
  • Deploy AM
  • Outline tasks & methods to install AM
  • Install AM with the web wizard
  • Install AM & manage configuration with Amster
  • Explain the AM bootstrap process
  • Install an AM instance with the web wizard
  • Install Amster
  • Upgrade an AM instance
  • Upgrade AM with the web wizard
  • (Optional) Upgrade AM with the configuration tool

Lesson Two: Hardening AM Security

Explore a few default configuration & security settings that need to be modified before moving to a production-ready solution:

  • Harden AM security
  • Adjust Default Settings
  • Harden AM security
  • Illustrate secrets, certificates, and keys
  • Explain keystores and secret stores
  • Handle the AM keystore, aliases, and passwords
  • Configure & manage secret stores
  • Configure an HSM secret store to sign OIDC ID token
  • Explain the audit logging
  • Explain the monitoring tools

Lesson Three: Clustering AM

Build an AM cluster by adding a second AM instance to the first AM instance that has already been installed:

  • Analyze high availability solutions
  • Scale AM deployments
  • Depict AM cluster concepts
  • Develop an AM cluster
  • Equip the initial AM cluster
  • Install another AM server in the cluster
  • Test AM cluster failover scenarios
  • (Optional) Change the cluster to use client-based sessions

Lesson Four: Deploying the Identity Platform to the Cloud

Deploy the Identity Platform into a Google Kubernetes Engine (GKE) cluster:

  • Explain the Identity Platform
  • Plan your deployment environment
  • Deploy & access the Identity Platform
  • Access and authenticate to your GCP account
  • Plan the Identity Platform deployment
  • Deploy the Identity Platform with the CDK
  • Remove the Identity Platform deployment

FAQs

A: To attend the training session you should have an operational desktop or laptop with the required specification, along with a good internet connection to access the labs.

A: We would always recommend that you attend the live session to practice & clarify doubts instantly and get more value from your investment. However, if due to some contingency you have to skip the class, Radiant Techlearning will help you with the recorded session of that particular day. Those recorded sessions are meant only for personal consumption and NOT for distribution or any commercial use.

A: Radiant Techlearning has a data center containing the Virtual Training environment for the purpose of participants' hands-on practice.

Participants can easily access these labs over Cloud with the help of remote desktop connection. 

Radiant virtual labs provide you the flexibility to learn from anywhere in the world and in any time zone.

A: The learners will be engaged in real-world and industry-oriented projects during the training program. These projects will improve your skills and knowledge and give you better experience. These real-time projects will help you a lot in your future tasks and assignments.
