PingGateway Deep Dive
(IG-430)
Training Credits accepted
Ping Identity is rebranding all products and courses under the Ping Identity brand. Course content remains the same, and our curriculum developers will continue to prioritize courses that need development.
Description
The aim of this course is to showcase the key features and capabilities of PingGateway, formerly known as ForgeRock® Identity Gateway, a versatile edge security solution, and to give students the knowledge and confidence to manage their own PingGateway environment. The course cannot demonstrate every feature and capability of PingGateway; further information and guidance can be found in the documentation and knowledge base documents at Backstage: https://backstage.forgerock.com.
Note: Revision A of this course is based on version 7.2 of PingGateway.
Target Audiences
The target audiences for this course include:
- PingGateway Administrators
- Technical users who work with PingGateway
Objectives
Upon completion of this course, you should be able to:
- Integrate and protect web applications, APIs, legacy applications, and microservices with the Ping Identity Platform (Identity Platform), formerly known as ForgeRock® Identity Platform, by using PingGateway
- Add authentication to the ForgeRock Entertainment Company (FEC) solution using PingOne Advanced Identity Cloud (Advanced Identity Cloud), formerly known as ForgeRock® Identity Cloud, or PingAM (AM), formerly known as ForgeRock® Access Management, as the access manager, OpenID Connect (OIDC) provider, and Security Assertion Markup Language (SAML2) identity provider (IdP)
- Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice
- Protect a REST API with PingGateway and extend PingGateway functionality with scripting
- Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment
Prerequisites
The following are the prerequisites for successfully completing this course:
- Completion of the PingGateway Essentials course available at: https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjQ%3D/chapter/Q291cnNlOjE1NzI2
Duration
5 days
Course Contents
Chapter 1: Integrating Applications With PingGateway
Integrate and protect web applications, APIs, legacy applications, and microservices with Identity Platform by using PingGateway.
Lesson 1: Introducing PingGateway
Introduce PingGateway and discuss scenarios for protecting web applications, APIs, and legacy applications:
- Introduce PingGateway
- Describe PingGateway features
- Compare PingGateway with policy agents
- Explore PingGateway integration with web applications
- Describe PingGateway integration with OIDC and SAML
- Explore PingGateway policy enforcement and second-factor authentication (2FA)
- Describe PingGateway protection of APIs
- Access your CloudShare VM
- Examine the lab environment
- Access the FEC and DVD4U websites
Lesson 2: Fronting a Website With PingGateway
Configure PingGateway to listen for secure connections, operate in development mode, and be a reverse proxy in front of the FEC website:
- Examine the PingGateway configuration structure
- Describe required PingGateway configuration
- Configure PingGateway for secure connections
- Configure PingGateway routes
- Create and manage routes in PingGateway Studio
- Protect a website by using PingGateway Studio
- Upgrade a route to use WebSockets
- Configure PingGateway for development mode and TLS connections
- Protect the FEC website with PingGateway by using PingGateway Studio
- Manage routes in PingGateway Studio and examine PingGateway log files
Lesson 3: Routing Requests and Responses
Configure PingGateway to route requests depending on external conditions, and use various filters and handlers to process requests and responses within a route:
- Describe the PingGateway object model
- Examine objects available in routes
- Retrieve context data and configure sessions
- Route requests depending on conditions
- Describe route handlers
- Manage requests and responses with a route handler
- Process requests and responses with filters
- Create a route to allow access to a public area of FEC
- Add a page not found route
- Create a route to access the legacy DVD4U application
- Add password replay for the DVD4U application
Lesson 4: Configuring PingGateway Logging and Capturing Route Communication
Introduce decorators, capture request and response information in the PingGateway logs using the CaptureDecorator, and retrieve credentials from a file with a FileAttributesFilter:
- Manage PingGateway logs
- Introduce Decorators
- Configure route activity logs
- Capture inbound and outbound communication
- Retrieve credentials from a file
- Observe requests and responses in PingGateway logs
- Test different capture configuration settings
- Centralize PingGateway logging configuration
- Modify the DVD4U route to get credentials from a file
- Use Logback configuration for troubleshooting
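As an added illustration of the route, condition, filter, handler, and capture topics listed in Lessons 3 and 4 (this is an example written for this page, not course material or a sample shipped with PingGateway), the following route assumes a FEC backend at http://fec.example.com:8081 and a public area under /public; the route name, host, and header names are assumptions. The route-level `capture` property applies the CaptureDecorator named `capture` from the route heap, so request and response headers, but not bodies because `captureEntity` is false, are written to the route log:

```json
{
  "name": "fec-public",
  "baseURI": "http://fec.example.com:8081",
  "condition": "${matches(request.uri.path, '^/public')}",
  "capture": ["request", "response"],
  "heap": [
    {
      "name": "capture",
      "type": "CaptureDecorator",
      "config": {
        "captureEntity": false
      }
    }
  ],
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "HeaderFilter",
          "config": {
            "messageType": "RESPONSE",
            "remove": ["Server", "X-Powered-By"],
            "add": {
              "X-Content-Type-Options": ["nosniff"]
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

Save the file in the instance routes directory (for a standalone instance, `$HOME/.openig/config/routes`); in development mode PingGateway loads it without a restart. Captured headers include cookies and Authorization values, so remove the `capture` property, or at least keep `captureEntity` false, before the route reaches production.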
Chapter 2: Configuring Agentless Single Sign-On
Add authentication to the FEC solution, using Advanced Identity Cloud or AM as the access manager, OIDC provider, and SAML2 identity provider.
Lesson 1: Implementing Authentication with the SSO Filter
Implement authentication for websites with the single sign-on (SSO) filter, using PingGateway to interact with Advanced Identity Cloud or AM as the authentication server, so that access to non-public content requires authentication:
- Create a route by using the PingGateway Studio Freeform Designer
- Configure Advanced Identity Cloud or AM as a service
- Describe how to use the SSO Filter
- Retrieve user data from the authentication provider
- Configure PingGateway as an HTTPS client
- Create a route with the PingGateway Studio Freeform Designer
- Redirect requests to AM for authentication
- Configure PingGateway for client-side HTTPS
- Access properties in SSO token context
- Retrieve user profile data for display in a web page
- Store information in a PingGateway HTTP session
- Configure capture decorators in Freeform Designer
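The following route is an added example of the SSO filter setup this lesson covers (it is not course material or PingGateway's own sample configuration). It assumes AM is reachable at https://am.example.com/am with a realm named /alpha, that an IG agent named ig_agent exists in that realm, and that the agent password is supplied base64-encoded in the environment variable AGENT_SECRET_ID, which is how a SystemAndEnvSecretStore resolves the secret ID `agent.secret.id`; the backend host, paths, and the `X-Authenticated-User` header name are also assumptions. The SingleSignOnFilter redirects unauthenticated requests to AM and, on return, populates `contexts.ssoToken`, which the HeaderFilter reads to pass the username to the protected application:

```json
{
  "name": "fec-sso",
  "baseURI": "http://fec.example.com:8081",
  "condition": "${matches(request.uri.path, '^/(profile|premium)')}",
  "heap": [
    {
      "name": "SystemAndEnvSecretStore-1",
      "type": "SystemAndEnvSecretStore"
    },
    {
      "name": "AmService-1",
      "type": "AmService",
      "config": {
        "url": "https://am.example.com/am",
        "realm": "/alpha",
        "agent": {
          "username": "ig_agent",
          "passwordSecretId": "agent.secret.id"
        },
        "secretsProvider": "SystemAndEnvSecretStore-1",
        "sessionCache": {
          "enabled": false
        }
      }
    }
  ],
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "SingleSignOnFilter",
          "config": {
            "amService": "AmService-1"
          }
        },
        {
          "type": "HeaderFilter",
          "config": {
            "messageType": "REQUEST",
            "add": {
              "X-Authenticated-User": ["${contexts.ssoToken.info.username}"]
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

Because the backend trusts the injected header, it must accept connections only from PingGateway; otherwise a client can set `X-Authenticated-User` itself. Moving `AmService-1` and the secret store into the heap of config.json lets every route share one AM connection and one agent credential.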
Lesson 2: Configuring CDSSO for the Legacy Application
Configure cross-domain single sign-on (CDSSO) to support applications located in different domains, by using the CrossDomainSingleSignOnFilter:
- Describe the CDSSO Filter
- Configure the CDSSO Filter Solution
- Configure CDSSO redirect endpoints
- Integrate the legacy application with CDSSO
- Create a new route to protect DVD4U with CDSSO and AM
- Update the DVD4U route to automatically log in the authenticated user
- Prepare the Advanced Identity Cloud tenant
- Protect the DVD4U and FEC websites using CDSSO with Advanced Identity Cloud
Lesson 3: Performing SSO With PingGateway as an OIDC Relying Party
Configure PingGateway to operate as an OIDC client (relying party) so that prospective subscribers can use their Gmail account to access the trial sections and promotional content of the website:
- Describe basic OIDC concepts
- Configure PingGateway as an OIDC client
- Examine the flow of OIDC redirects for authentication and consent
- Explore the flow of OIDC callbacks and data injection
- Configure an OIDC relying party route
- Examine the OIDC relying party solution
Lesson 4: Providing SSO with PingGateway as a SAML2 SP
Configure PingGateway to act as a SAML2 service provider (SP), enabling an application to be SAML2-compliant:
- Authenticate with a SAML2 identity provider (IdP)
- Describe the use of the SAML federation handler
- Describe the use of the dispatch handler
- Describe the SAML2 implementation flow
- Set up SAML2 configuration files for PingGateway
- Configure a SAML2 route for the trial section
- Examine the SAML2 solution (optional)
Chapter 3: Controlling Access with PingGateway as Policy Enforcement Point
Demonstrate how to use PingGateway to manage access to a website using Advanced Identity Cloud (or AM) policies and policies with advice.
Lesson 1: Implementing Authorization With a Policy Enforcement Filter
Configure PingGateway to manage access to a website by evaluating policies configured in Advanced Identity Cloud (or AM) and using a PolicyEnforcementFilter:
- Describe the use of the Policy Enforcement Filter
- Illustrate the use of the Policy Enforcement Filter
- Configure a policy enforcement point (PEP) route for the premium section of FEC
- Examine the PEP solution (optional)
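As an added example of the policy enforcement point described in this lesson (not course material or a PingGateway sample), the route below assumes an `AmService-1` object is declared in the shared heap of config.json, that AM holds a policy set named PEP-FEC whose resources match the premium URLs, and that the FEC backend and path are as shown; all three are assumptions. The PolicyEnforcementFilter must sit after the SingleSignOnFilter in the chain, because it evaluates the policy for the SSO token that the earlier filter placed in `contexts.ssoToken`:

```json
{
  "name": "fec-premium",
  "baseURI": "http://fec.example.com:8081",
  "condition": "${matches(request.uri.path, '^/premium')}",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "SingleSignOnFilter",
          "config": {
            "amService": "AmService-1"
          }
        },
        {
          "type": "PolicyEnforcementFilter",
          "config": {
            "amService": "AmService-1",
            "ssoTokenSubject": "${contexts.ssoToken.value}",
            "application": "PEP-FEC"
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

A deny decision produces a 403 without contacting the backend; a decision that carries advice (step-up or transactional authorization, the subject of Lesson 2) makes the filter redirect the browser to AM so the advice can be satisfied before the request is retried.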
Lesson 2: Providing Step-Up Authentication and Transactional Authorization
Illustrate how PingGateway handles step-up authentication and transactional authorization policy advices with Advanced Identity Cloud (or AM):
- Describe step-up authentication
- Illustrate how PingGateway handles step-up authentication
- Describe transactional authorization
- Illustrate how PingGateway handles transactional authorization
- Configure a PEP route for the on demand and profile sections of FEC
- Examine the profile solution (optional)
- Examine the on-demand solution (optional)
Chapter 4: Protecting a REST API
Protect a REST API with PingGateway and extend PingGateway functionality with scripting.
Lesson 1: Configuring PingGateway as an OAuth2 Resource Server
Configure PingGateway to act as an OAuth2 resource server that protects a REST API:
- Describe the use of the OAuth2 resource server filter
- List access token resolvers
- Validate certificate-bound access tokens
- Observe the flow with the token introspection resolver
- Prepare the OAuth2 solution to protect the FEC REST API
- Configure PingGateway to protect the FEC REST APIs
- Examine the REST API solution (optional)
Lesson 2: Extending Functionality With Scripts
Log information on context, implement dynamic scopes to manage access to resources, and refine allowed access using script-based objects in PingGateway:
- Describe the scripting functionality for extending PingGateway
- Explore scriptable objects
- Examine dynamic scopes solution
- Describe OAuth2 token swapping in PingGateway
- Configure a scriptable filter to log the content of the OAuth2 context
- Configure a dynamic scopes script
- Configure a scriptable filter to retrieve the correct favorite list
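The following route is an added example covering both the OAuth2 resource server filter of Lesson 1 and the scriptable filter of Lesson 2 (it is an illustration for this page, not course material or PingGateway's own sample). It assumes an `AmService-1` object in the shared heap whose IG agent is allowed to call AM's token introspection endpoint, an API under /api on the FEC backend, and the scope names fec:read and fec:write; these are assumptions. The OAuth2ResourceServerFilter introspects the bearer token and rejects tokens that lack fec:read; the Groovy script then reads `contexts.oauth2.accessToken`, logs the subject and scopes, and refuses non-GET calls unless the token also carries fec:write:

```json
{
  "name": "fec-api",
  "baseURI": "http://fec.example.com:8081",
  "condition": "${matches(request.uri.path, '^/api')}",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "OAuth2ResourceServerFilter",
          "config": {
            "scopes": ["fec:read"],
            "requireHttps": false,
            "realm": "FEC API",
            "accessTokenResolver": {
              "type": "TokenIntrospectionAccessTokenResolver",
              "config": {
                "amService": "AmService-1"
              }
            }
          }
        },
        {
          "type": "ScriptableFilter",
          "config": {
            "type": "application/x-groovy",
            "source": [
              "def token = contexts.oauth2.accessToken",
              "logger.info('subject=' + token.info.sub + ' scopes=' + token.scopes)",
              "if (request.method != 'GET' && !token.scopes.contains('fec:write')) {",
              "  return new Response(Status.FORBIDDEN)",
              "}",
              "return next.handle(context, request)"
            ]
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

`requireHttps` is set to false only because the lab listens on plain HTTP; in production leave the default (true) so bearer tokens are never accepted over a cleartext connection. Logging `token.info` fields is fine for troubleshooting, but never log `token.token` itself, since the log would then contain a usable credential.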
Chapter 5: Preparing for Production with PingGateway
Highlight various areas that must be taken into account when preparing PingGateway for a production environment. Topics discussed include auditing, monitoring, tuning, security, and deployment.
Lesson 1: Auditing, Monitoring, and Tuning a PingGateway Solution
Prepare PingGateway for a production environment by configuring auditing, monitoring, and tuning:
- Describe the audit framework
- Exclude sensitive data from audit logs
- Access the Common REST API monitoring endpoint
- Decrease the number of requests through caching
Lesson 2: Developing an Awareness of Security Questions With PingGateway
Develop awareness of best practices, describe JwtSessions, examine common secrets, and manage request rates and throttling:
- Discuss PingGateway best practices regarding security
- Examine the common secrets
- Explore secret store types
- Describe throttling
- Create common secret stores
- Configure throttling
Lesson 3: Deploying PingGateway
Explore how to deploy PingGateway into a production context by using property value substitution and clustering:
- Describe property value substitution
- Set up multiple PingGateway instances
- Integrate configuration tokens in the solution
- Deploy a second PingGateway instance
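As an added example of the throttling topic in Lesson 2 and the property value substitution topic in Lesson 3 (written for this page, not taken from the course or from PingGateway's samples), the route below rate-limits the FEC login path per client address. The property `fec.backend.url`, the limit of 10 requests per 10 seconds, the route name, and the path are assumptions; `&{fec.backend.url}` is resolved at load time from the `properties` object of config.json or from a Java system property, which is what lets the same route file be deployed unchanged on a second instance:

```json
{
  "name": "fec-login-throttled",
  "baseURI": "&{fec.backend.url}",
  "condition": "${matches(request.uri.path, '^/login')}",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "ThrottlingFilter",
          "config": {
            "requestGroupingPolicy": "${contexts.client.remoteAddress}",
            "rate": {
              "numberOfRequests": 10,
              "duration": "10 seconds"
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

`contexts.client.remoteAddress` is the address of the TCP peer, so when a load balancer sits in front of PingGateway every request shares one bucket and the limit applies to all users at once; in that deployment switch the grouping expression to the forwarded client address the load balancer inserts, and only after confirming that the header cannot be supplied by the client directly. The counter is local to each instance, so with two instances the effective limit is twice the configured rate.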