This course builds upon the Getting Started With PingOne Advanced Identity Cloud for Administrators training to provide advanced techniques for managing and configuring PingOne Advanced Identity Cloud (Advanced Identity Cloud). Students will master advanced authentication journeys with multi-factor authentication, implement context-based authorization policies, and learn to model complex identity objects with relationships between managed objects. The course covers essential synchronization techniques, including connector configuration, reconciliation, LiveSync, and role-based provisioning to manage identity flow between Advanced Identity Cloud and external resources. Participants will gain hands-on experience with the REST API for programmatic access to identity management features, enabling automation and integration with external systems. Through practical exercises, students will learn to deploy and configure PingGateway to protect websites, implement continuous contextual authorization, and create comprehensive identity management solutions.

Target Audiences

The target audiences for this course include:

• Advanced Identity Cloud Administrators
• System Integrators
• System Consultants
• System Architects
• System Developers

Objectives

Upon completion of this course, you should be able to:

• Recap authentication with the PingOne Advanced Identity Cloud (Advanced Identity Cloud). Increase security by introducing multi-factor authentication as well as context-based user journeys. Protect a website using PingGateway
• Model identity objects, their identity properties, and the relationships between objects, onto existing or new managed objects within PingIDM (IDM)
• Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration
• Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning
• Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically

Prerequisites

The following are the prerequisites for successfully completing this course:

• Completion of the Getting Started With PingOne Advanced Identity Cloud for Administrators course available at: https://backstage.forgerock.com/university/forgerock/
• Experience with Identity and Access Management
• Working knowledge of related specifications such as OAuth2, OIDC, JWT, REST

Duration

3 days

Course Contents

Chapter 1: Administering Authentication Journeys

Recap authentication with the PingOne Advanced Identity Cloud (Advanced Identity Cloud). Increase security by introducing multi-factor authentication as well as context-based user journeys. Protect a website using PingGateway.

Lesson 1: Recap Authentication in Advanced Identity Cloud

Provide a recap of authentication in Advanced Identity Cloud:

• Introduce the basic concepts of authentication
• Prepare the lab environment
• Describe the authentication mechanisms of Advanced Identity Cloud
• Examine Advanced Identity Cloud default authentication
• Create and manage journeys
• Explore journey nodes
• Create a login journey
• Test the login journey

Lesson 2: Increasing Authentication Security

Increase authentication security using Multi-Factor Authentication (MFA):

• Describe multi-factor authentication
• Register a device
• Include recovery codes
• Examine OATH authentication
• Implement TOTP authentication
• Examine Push notification authentication
• Implement passwordless WebAuthn
• (Optional) Implement passwordless WebAuthn

Lesson 3: Modifying a User’s Journey Based on Context

Describe how Identity Cloud can take into account the context of an authentication request in order to take access decisions:

• Introduce context-based risk analysis
• Describe device profile nodes
• Determine the risk based on the context
• Implement a browser context change script
• Lock and unlock accounts
• Implement account lockout

Lesson 4: Protecting a Website With PingGateway

Show how IG, integrated with Identity Cloud, can protect a website:

• Present Advanced Identity Cloud edge clients
• Describe PingGateway functionality as an edge client
• Review the BXE website protected by PingGateway
• Integrate the BXE website with Advanced Identity Cloud
• Observe the PingGateway token cookie
• (Optional) Review PingGateway configuration

Chapter 2: Administering Authorization Policies

Model identity objects, their identity properties, and the relationships between objects, onto existing or new managed objects within PingIDM (IDM).

Lesson 1: Controlling Access

Create security policies to control which users can access specific areas of the website:

• Describe entitlements with Advanced Identity Cloud authorization
• Define Advanced Identity Cloud policy components
• Define policy environment conditions and response attributes
• Process of Advanced Identity Cloud policy evaluation
• Implement access control on a website

Lesson 2: Checking Risk Continuously

Review the Identity Cloud tools used to check the risk level of requests continuously:

• Introduce continuous contextual authorization
• Describe step-up authentication
• Implement step-up authentication flow
• Describe transactional authorization
• Implement transactional authorization
• (Optional) Prevent users from bypassing the default journey

Chapter 3: Administering Managed Objects

Understand and configure Advanced Identity Cloud managed objects, their properties, and relationships to effectively model your identity data structures and implement delegated administration.

Lesson 1: Modeling an Identity Profile

Learn about the different object types in Advanced Identity Cloud, and how you can model a custom user profile onto an existing managed user object type in Advanced Identity Cloud:

• Review the Advanced Identity Cloud documentation
• Describe the different object types in Advanced Identity Cloud
• Map an identity object to a managed object
• Describe how to use placeholder attributes
• Model a managed user object in Advanced Identity Cloud

Lesson 2: Managing Organizations

Set up managed organizations to delegate user administration based on the owner of hierarchical trees:

• Describe the roles and privileges within an organization
• Implement the organization example

Lesson 3: Introducing Relationships

Describe relationships between managed objects:

• Describe the purpose of relationships
• Describe how relationships are stored in the schema
• Query an object relationship using the REST interface

Chapter 4: Administering Connectors, Synchronization, and Provisioning

Configure and manage connections between Advanced Identity Cloud and external resources to enable identity synchronization, reconciliation, and role-based provisioning.

Lesson 1: Connecting to External Resources Using Connectors (Recap)

Describe the connectors supported in Advanced Identity Cloud, and how to create connector configurations to communicate with external resources:

• Describe how to connect external resources to Advanced Identity Cloud
• Configure communication between Advanced Identity Cloud and an RCS
• Describe how to connect to external resources using ICF connectors

Lesson 2: Configuring Connectors Over REST

• Describe the process for creating a connector configuration over REST
• Describe the object types and property mappings
• Generate a full connector configuration JSON object over REST

Lesson 3: Performing Basic Synchronization (Recap)

Describe how to use the Identity Management admin UI to create synchronization mappings (sync mappings) to reconcile identities between Advanced dentity Cloud and an external resource:

• Describe how to create mappings to synchronize identity objects and properties
• Describe how to create a sync mapping from Advanced Identity Cloud to an external resource
• Describe how to add source and target properties to the sync mapping
• Describe how to add a correlation query and a situational event script
• Describe how to set the situational behaviors and run reconciliation
• (Optional) Add a sync mapping from Advanced Identity Cloud to an LDAP server
• Describe the sync mapping from an LDAP server to Advanced Identity Cloud
• (Optional) Add a sync mapping from an LDAP server to Advanced Identity Cloud

Lesson 4: Running Selective Synchronization and LiveSync

Filter objects that are synchronized and automate synchronization using LiveSync:

• Describe the different methods that you can use to filter entries
• Run selective synchronization using filters
• Describe how to use LiveSync to synchronize changes
• Trigger LiveSync on a connector
• Describe how to schedule LiveSync
• Schedule LiveSync with an external resource

Lesson 5: Configuring Role-Based Provisioning

Automatically provision users to a set of LDAP groups based on role membership:

• Describe how to provision attributes to a target system based on static role assignments
• Describe the steps to enable role-based provisioning
• Query the role assignment properties using the REST interface
• Provision attributes to a target resource based on static role assignments
• Describe how to provision attributes to a target system based on dynamic role assignments
• Provision attributes to a target resource based on dynamic role assignments
• Describe how to add temporal constraints to a role
• Add temporal constraints to a role

Chapter 5: Access Advanced Identity Cloud Over REST

Master the Advanced Identity Cloud REST interfaces to authenticate, query, and manage identity objects programmatically.

Lesson 1: Authenticating Over REST

Use Postman to access the PingOne Advanced Identity Cloud (Advanced Identity Cloud) REST API and authenticate either using a simple (header-based) approach or a more complex approach, where the server may request additional information from the client using callback:

• Understand the REST authentication protocol
• Authenticate with REST
• Authenticate using header-based simple authentication
• Authenticate using callback-based complex authentication

Lesson 2: Querying Advanced Identity Cloud Objects Over REST

Create security policies to control which users can access specific areas of the website:

• Describe how to query objects using the REST interface
• Describe how to use the Advanced Identity Cloud Postman collection
• Query Advanced Identity Cloud Identity objects using Postman