PingAM Deep Dive

Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to AM for authentication.

Lesson 1: Exploring Authentication Mechanisms

Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:

• Introduce AM authentication
• Understand realms
• Describe authentication life cycle
• Explain sessions
• Examine session cookies
• Access the lab environment
• Examine an initial AM installation
• Configure a realm and examine AM default authentication
• Experiment with session cookies
• Describe the authentication mechanisms of AM
• Create and manage trees
• Explore tree nodes
• Create a login tree
• Test the login tree

Lesson 2: Protecting a Website With PingGateway

Show how PingGateway, formerly known as ForgeRock® Identity Gateway, integrated with AM, can protect a website:

• Present AM edge clients
• Describe PingGateway functionality as an edge client
• Review the FEC website protected by PingGateway
• Integrate the FEC website with AM
• Observe the PingGateway token cookie
• (Optional) Review PingGateway configuration
• Authenticate identities with AM
• Create an authentication tree with an LDAP Decision node
• Integrate identities in AM with an identity store
• Integrate an identity store with AM

Lesson 3: Controlling Access

Create security policies to control which users can access specific areas of the website:

• Describe entitlements with AM authorization
• Define AM policy components
• Define policy environment conditions and response attributes
• Describe the process of policy evaluation
• Implement access control on a website

Chapter 2: Improving Access Management Security

Improve access management security in AM with MFA, context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security

Increase authentication security using MFA:

• Describe MFA
• Register a device
• Include recovery codes
• Examine OATH authentication
• Implement time-based one-time password (TOTP) authentication
• (Optional) Implement HMAC-based one-time password (HOTP) authentication
• Examine Push notification authentication
• (Optional) Implement Push notification authentication
• Implement passwordless WebAuthn
• (Optional) Implement passwordless WebAuthn
• Examine HOTP authentication using email or SMS
• (Optional) Implement HOTP authentication using email or SMS

Lesson 2: Modifying a User’s Authentication Experience Based on Context

Describe how AM can take into account the context of an authentication request in order to make access decisions:

• Introduce context-based risk analysis
• Describe device profile nodes
• Determine the risk based on the context
• Implement a browser context change script
• Lock and unlock accounts
• Implement account lockout

Lesson 3: Checking Risk Continuously

Review the AM tools used to check the risk level of requests continuously:

• Introduce continuous contextual authorization
• Describe step-up authentication
• Implement step-up authentication flow
• Describe transactional authorization
• Implement transactional authorization
• Prevent users from bypassing the default tree

Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth2 based protocols; namely, OAuth2 and OIDC, to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. AM can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2

Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):

• Discuss OAuth2 concepts
• Describe OAuth2 tokens and codes
• Describe refresh tokens, macaroons, and token modification
• Request OAuth2 access tokens with OAuth2 grant types
• Explain OAuth2 scopes and consent
• Configure OAuth2 in AM
• Configure AM as an OAuth2 provider
• Configure AM with an OAuth2 client
• Test the OAuth2 Device Code grant type flow

Lesson 2: Integrating Applications With OIDC

Integrate an application using OIDC and the Authorization grant type flow with AM as an OIDC provider:

• Introduce OIDC
• Describe OIDC tokens
• Explain OIDC scopes and claims
• List OIDC grant types
• Create and use an OIDC script
• Create an OIDC claims script
• Register an OIDC client and configure the OAuth2 Provider settings
• Test the OIDC Authorization Code grant type flow

Lesson 3: Authenticating OAuth2 Clients and using mTLS in OAuth2 for PoP

Authenticate OAuth2 clients with AM using various approaches and obtain certificate-bound access tokens using mutual TLS (mTLS) to provide token proof-of-possession (PoP):

• Examine OAuth2 client authentication
• Examine OAuth2 client authentication using JWT profiles
• Examine OAuth2 client authentication using mTLS
• Authenticate an OAuth2 client using mTLS
• Examine certificate-bound PoP when mTLS is configured
• Obtain a certificate-bound access token

Lesson 4: Transforming OAuth2 Tokens

Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:

• Describe OAuth2 token exchange
• Explain token exchange types and purpose for exchange
• Describe token scopes and claims
• Implement a token exchange impersonation pattern
• Implement a token exchange delegation pattern
• Configure token exchange in AM
• Configure AM for token exchange
• Test token exchange flows

Lesson 5: (Optional) Implementing Social Authentication

Provide a way for users to register and authenticate to AM using a social account:

• Delegate registration and authentication to social media providers
• Implement social registration and authentication with Google

Chapter 4: Federating Across Entities Using SAML2

Demonstrate federation across entities using SAML2 with AM.

Lesson 1: Implementing SSO Using SAML2

Demonstrate single sign-on (SSO) functionality across organizational boundaries:

• Discuss SAML2 entities and profiles
• Explain the SAML2 flow from the identity provider (IdP) point of view
• Examine SSO across SPs
• Configure AM as an IdP and integrate with third-party service providers (SPs)
• Examine SSO between an SP and IdP and across SPs

Lesson 2: Delegating Authentication Using SAML2

Delegate authentication to a third-party IdP using SAML2 and examine the metadata:

• Explain the SSO flow from the SP point of view
• Describe the metadata content and purpose
• Configure AM as a SAML2 SP and integrate with a third-party IdP

Chapter 5: Installing and Deploying AM

Install a new AM instance configured with external directory server data stores as the foundation for an AM cluster, modify the AM configuration to harden security, upgrade an AM instance to a new version, and deploy the Ping Identity Platform, formerly known as the ForgeRock® Identity Platform, to the Google Cloud Platform (GCP).

Lesson 1: Installing and Upgrading AM

Install AM using interactive and command-line methods creating the foundations for a cluster topology, and upgrade an AM 7.0.1 instance to AM 7.3:

• Plan deployment configurations
• Prepare before installing AM
• Deploy AM
• Outline tasks and methods to install AM
• Install AM with the web wizard
• Install an AM instance with the web wizard
• Install AM and manage configuration with Amster
• Install Amster
• Describe the AM bootstrap process
• Upgrade an AM instance
• Upgrade AM with the web wizard
• (Optional) Upgrade AM with the configuration tool

Lesson 2: Hardening AM Security

Explore a few default configuration and security settings that need to be modified before migrating to a production-ready solution:

• Harden AM security
• Adjust default settings
• Harden AM security
• Describe secrets, certificates, and keys
• Describe keystores and secret stores
• Manage the AM keystore, aliases, and passwords
• Configure and manage secret stores
• Configure an HSM secret store to sign OIDC ID tokens
• Describe the monitoring tools
• Describe the audit logging
• Describe debug logging
• Capture troubleshooting information
• Capture troubleshooting information

Lesson 3: Clustering AM

Create an AM cluster with a second AM instance added to the first AM instance that has already been installed:

• Explore high availability solutions
• Scale AM deployments
• Describe AM cluster concepts
• Create an AM cluster
• Prepare the initial AM cluster
• Install another AM server in the cluster
• Test AM cluster failover scenarios
• (Optional) Modify the cluster to use client-side sessions

Lesson 4: Deploying the Identity Platform to the Cloud

Deploy the Identity Platform into a cluster in a Google Kubernetes Environment (GKE):

• Describe the Identity Platform
• Prepare your deployment environment
• Deploy and access the Identity Platform
• Access and authenticate your GCP account
• Prepare to deploy the Identity Platform
• Deploy the Identity Platform with the Cloud Development Kit (CDK)
• Remove the Identity Platform deployment