ForgeRock Access Management and ForgeRock Identity Management Core Concepts Rev B.1
Code: FR-641
This structured course comprises a mix of instructor-led lessons and demonstrations with plenty of lab exercises to ensure an opportunity to fully understand each of the topics covered. It provides students with a strong foundation for the design, installation, configuration, and administration of a ForgeRock® Access Management (AM) solution and how to implement ForgeRock® Identity Management (IDM) to manage the lifecycle and relationship of digital identities within the context of a Customer Identity and Access Management solution (CIAM), and the integration with the ForgeRock Identity Platform™.
Note that Revision B.1 of this course is built on version 6.5 of IDM.
Target Audiences
The following are the target audiences for this course:
- System Integrators
- System Consultants
- System Architects
- System Administrators
- System Developers
Prerequisites
The following are the prerequisites to successfully completing this course:
- Knowledge of Unix/Linux commands and text editing
- An appreciation of HTTP and web applications
- A basic appreciation of how directory servers function
- A basic understanding of REST
- A basic knowledge of Java-based environments would be beneficial. Programming experience is not required.
- Basic knowledge and skills using the Linux operating system to complete labs
- Basic knowledge of JSON, JavaScript, REST and Java is helpful for understanding examples; however, programming experience is not required
Certification
Earn a Digital Badge from attending this course. Learn more about ForgeRock badges at www.youracclaim.com/organizations/forgerock/badges
Course Contents
Chapter 1: Performing Basic Configuration
Lesson 1: Implementing Default Authentication
- Describe how to use AM to manage default authentication using cookies
- Implement default authentication with AM
- Understand the need for and the use of realms
- Implement separation of admins and users using realms
- Observe the function of cookies
Lesson 2: Protecting a Website
- List and describe AM authentication clients
- Describe web agent main functionality
- Implement policy enforcement using web agents
- Analyze the am-auth-jwt cookie
Lesson 3: Empowering Users Through Self-Service
- Describe the main capabilities of user self-service
- Configure user self-service self-registration basic flow
Chapter 2: Implementing Intelligent Authentication
Lesson 1: Extending Authentication Functionality
- Describe the authentication mechanisms of AM
- List the available nodes
- Compare tree and chain mechanisms
- Identify realm-level authentication settings
- Use the authentication tree designer and ForgeRock’s Marketplace
- Create and test an authentication tree containing an LDAP Decision node
- Use the recording tool for troubleshooting
Lesson 2: Retrieving User Information
- Understand the use of an identity store
- Explain the distinction between identity store and credentials store
- Implement user-specific features on the website
- Retrieve user profile information using REST
Lesson 3: Increasing Authentication Security
- Discuss the need to increase authentication security
- Implement account lockout
- Configure risk-based authentication
- Configure second-factor authentication
- Demonstrate push notification authentication
- Start ID 1, 2 and 4
Chapter 3: Introducing IDM and Getting Started
Introduce IDM and describe where it fits within the ForgeRock Identity Platform to provide identity management services for a CIAM solution. Also, describe how to get started using IDM within a development environment.
Lesson 1: Introducing IDM and Exploring the FEC Solution
Provide an overview of IDM and become familiar with the end-of-class solution for the FEC use cases so you better understand the core concepts of IDM that you learn throughout this course:
- Describe how IDM is used in the ForgeRock Identity Platform to deliver a CIAM solution
- Demonstrate each of the core concepts from an end user and administrator perspective
Lesson 2: Installing IDM
Perform a basic installation of IDM, explore the default user interfaces, and then run one or more of the sample configurations shipped with IDM:
- Describe the basic IDM installation requirements for deploying IDM
- Install and start IDM for the first time and explore the default UIs
- Start IDM with the CSV sample configuration and run the sample
- Start IDM with the LDAP sample configuration and run the sample
Lesson 3: Deploying and Managing IDM as a Project
Deploy and manage IDM as a development project to help you capture your configuration changes throughout the project:
- Set up a new IDM project for development
- Configure IDM to run as a background process
Lesson 4: Performing Basic IDM Troubleshooting
Learn how to examine the different log files to assist in troubleshooting configuration errors that might occur during development. Learn how you can get additional help for troubleshooting assistance:
- Examine the different log files in IDM
- Get additional help troubleshooting outside of IDM
Chapter 4: Enabling User Registration and Self-Service
Implement self-service so end users can self-register for services, update and manage their profile information, and reset their passwords when forgotten (or retrieve their username when forgotten). Also, delegate the administration of subscriber accounts to a subset of help desk administrators.
Lesson 1: Configuring the Default User Registration Process
Enable and configure the self-service user registration form options of IDM to let users self-register on the IDM Self-Service UI:
- Configure the outbound email service
- Enable email-based self-registration
Lesson 2: Configuring IDM User Self-Service
Configure the other user self-service features of IDM, which include forgotten username, password reset, and additional KBA questions. Also, add additional fields to the user registration page:
- Enable email-based password reset and username retrieval
- Expand the KBA options
- Add a custom field to the Self-Service UI registration page
Lesson 3: Delegating Administration Privileges
Delegate administration of managed users to a new group of help desk administrators responsible for managing a subset of subscriber account properties:
- Add a new internal role and set up privileges to delegate administration
Chapter 5: Managing Synchronization and Reconciliation
Synchronize identity data across multiple external resources in real time or by scheduling reconciliation events. Consolidate multiple identity data stores into one centralized identity store using IDM.
Lesson 1: Using the REST Interface to Access IDM
Use the IDM REST interface to query data from the connectors and managed user objects stored in the repository:
- Query and manipulate IDM objects using the API Explorer and cURL
Lesson 2: Connecting to External Resources Using OpenICF
Update the LDAP connector to communicate with DS, acting in the role of the subscriber’s LDAP directory:
- Describe how to connect to external resources using OpenICF
- Add a connector to an external LDAP resource
Lesson 3: Performing Basic Synchronization
Create basic sync mappings to reconcile subscribers between the IDM repository and external LDAP directory server:
- Describe how to create sync mappings to flow identity objects and properties between IDM and one or more external resources
- Add a sync mapping from the IDM repository to the LDAP server
- Add a sync mapping from the LDAP server to the IDM repository
Lesson 4: Running Selective Synchronization and LiveSync
Filter objects that are synchronized and automate synchronization using LiveSync:
- Run selective synchronization using filters
- Identify methods of determining change events with LiveSync
- Schedule LiveSync with the LDAP directory
Lesson 5: Configuring Role-Based Provisioning
Automatically provision users to a set of LDAP groups based on role membership:
- Provision attributes to one or more external resources based on static role assignments
- Provision attributes to one or more external resources based on dynamic role assignments
- Add temporal constraints to a role
Delivery methods
- Classroom
- On-site (at your location)
- Virtual (instructor online)