PingAM Administration (PAM-400)

The aim of this course is to showcase the key features and capabilities of the versatile and powerful access management solution in a Ping Identity environment. Further information and guidance can be found in the documentation and knowledge base in the online repositories at Backstage: https://backstage.pingidentity.com.


Target Audiences

The target audiences for this course include:

  • Ping Access Management Administrators
  • System Integrators
  • System Consultants
  • System Architects
  • System Developers


Objectives

Upon completion of this course, you should be able to:

  • Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to PingAM (AM) for authentication
  • Improve access management security in Ping Access Management (PingAM or AM) with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking
  • Implement OAuth 2.0 (OAuth2)-based protocols, namely OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. Ping Identity Access Management (PingAM or AM) can be configured to function as an OIDC client and delegate authentication to social media OIDC providers
  • Introduce SAML2 with AM as an identity provider (IdP) and AM as a service provider (SP)


Prerequisites

The following are the prerequisites for successfully completing this course:

  • Completion of the Introduction to PingAM On Demand course available at: https://training.pingidentity.com/on-demand/course/TGVhcm5pbmdQYXRoOjEwNw%3D%3D
  • Completion of the PingAM Getting Started On Demand course available at: https://training.pingidentity.com/on-demand/course/TGVhcm5pbmdQYXRoOjEwNw%3D%3D


Duration

3 days



Course Contents

Chapter 1: Enhancing Intelligent Access

Start with an unprotected website and end up with a fully functional access management solution where every user trying to access the website is redirected to PingAM (AM) for authentication.

Lesson 1: Reviewing Authentication Mechanisms

Explore the AM admin UI, view the role of cookies used during and after authentication, and describe authentication trees and nodes:

  • Describe the course lab environment
  • Access the lab environment
  • Examine the initial AM installation
  • Review AM authentication
  • Review sessions
  • Review realms
  • Configure a realm and test default authentication
  • Review authentication trees and nodes
  • Create a login tree
  • Test the login tree

Lesson 2: Protecting a Website With PingGateway

Protect a website by integrating PingGateway with AM:

  • Present AM edge clients
  • Describe PingGateway functionality as an edge client
  • Review the FEC website protected by PingGateway
  • Integrate the FEC website with AM
  • Observe the PingGateway token cookie
  • (Optional) Review PingGateway configuration
  • Authenticate identities with AM
  • Create an authentication tree with an LDAP Decision node
  • Integrate identities in AM with an identity store
  • Integrate an identity store with AM

Lesson 3: Controlling Access

Create security policies to control which users can access specific areas of the website:

  • Describe entitlements with AM authorization
  • Define AM policy components
  • Define policy environment conditions and response attributes
  • Describe the process of policy evaluation
  • Implement access control on a website


Chapter 2: Improving Access Management Security

Improve access management security in Ping Access Management (PingAM or AM) with multi-factor authentication (MFA), context-based risk analysis, and continuous risk checking.

Lesson 1: Increasing Authentication Security

Increase authentication security using MFA:

  • Describe MFA
  • Register a device
  • Include recovery codes
  • Examine OATH authentication
  • Implement TOTP authentication
  • (Optional) Implement HOTP authentication
  • Examine Push notification authentication
  • (Optional) Implement Push notification authentication
  • Implement passwordless WebAuthn
  • (Optional) Implement passwordless WebAuthn
  • Examine HOTP authentication using email or SMS
  • (Optional) Implement HOTP authentication using email or SMS

Lesson 2: Modifying the Authentication Journey Based on Context

Describe how AM can take into account the context of an authentication request in order to make access decisions:

  • Introduce context-based risk analysis
  • Describe device profile nodes
  • Determine the risk based on the context
  • Implement a browser context change script
  • Lock and unlock accounts
  • Implement account lockout

Lesson 3: Checking Risk Continuously

Review the AM tools used to check the risk level of requests continuously:

  • Introduce continuous contextual authorization
  • Describe step-up authentication
  • Implement step-up authentication flow
  • Describe transactional authorization
  • Implement transactional authorization
  • Prevent users from bypassing the default tree


Chapter 3: Extending Services Using OAuth2-Based Protocols

Implement OAuth 2.0 (OAuth2)-based protocols, namely OAuth2 and OpenID Connect 1.0 (OIDC), to enable low-level devices and mobile applications to make requests that access resources belonging to a subscriber. Ping Identity Access Management (PingAM or AM) can be configured to function as an OIDC client and delegate authentication to social media OIDC providers.

Lesson 1: Integrating Applications With OAuth2

Integrate clients using OAuth2 by demonstrating the use of the OAuth2 Device Code grant type flow with AM configured as the OAuth2 authorization server (AS):

  • Discuss OAuth2 concepts
  • Describe OAuth2 tokens and codes
  • Describe refresh tokens, macaroons, and token modification
  • Request OAuth2 access tokens with OAuth2 grant types
  • Explain OAuth2 scopes and consent
  • Configure OAuth2 in AM
  • Configure AM as an OAuth2 provider
  • Configure AM with an OAuth2 client
  • Test the OAuth2 Device Code grant type flow

Lesson 2: Integrating Applications With OIDC

Integrate an application using OIDC and the Authorization Code grant type flow with AM as an OIDC provider:

  • Introduce OIDC
  • Describe OIDC tokens
  • Explain OIDC scopes and claims
  • List OIDC grant types
  • Create and use an OIDC script
  • Create an OIDC claims script
  • Register an OIDC client and configure the OAuth2 Provider settings
  • Test the OIDC Authorization Code grant type flow

Lesson 3: Authenticating OAuth2 Clients With JWT Profiles, mTLS, and PoP

Identify OAuth2 client authentication methods, authenticate a client with mTLS, and obtain a certificate-bound access token for proof-of-possession:

  • Examine OAuth2 client authentication
  • Examine OAuth2 client authentication using JWT profiles
  • Examine OAuth2 client authentication using mTLS
  • Authenticate an OAuth2 client using mTLS
  • Examine certificate-bound PoP when mTLS is configured
  • Obtain a certificate-bound access token

Lesson 4: Transforming OAuth2 Tokens

Request and obtain security tokens from an OAuth2 authorization server, including security tokens that employ impersonation and delegation semantics:

  • Describe OAuth2 token exchange
  • Explain token exchange types and purpose for exchange
  • Describe token scopes and claims
  • Implement a token exchange impersonation pattern
  • Implement a token exchange delegation pattern
  • Configure token exchange in AM
  • Configure AM for token exchange
  • Test token exchange flows

Lesson 5: (Optional) Implementing Social Authentication

Provide a way for users to register and authenticate to AM using a social account:

  • Delegate registration and authentication to social media providers
  • Implement social registration and authentication with Google


Chapter 4: Federating Across Entities Using SAML2

Introduce SAML2 with AM as an identity provider (IdP) and AM as a service provider (SP).

Lesson 1: Introducing AM as a SAML2 Identity Provider

Explain the role of AM as a SAML2 IdP and perform a basic hosted IdP configuration:

  • Discuss SAML2 entities and federation concepts
  • Explain the SAML2 flow from the IdP point of view
  • Configure AM as a hosted IdP and export metadata

Lesson 2: Introducing AM as a SAML2 Service Provider

Explain the role of AM as a SAML2 SP and perform a simple integrated-mode configuration:

  • Explain the SSO flow from the SP point of view
  • Describe the metadata content and purpose
  • Configure AM as a hosted SP and create a simple SAML2 tree