Configuring ForgeRock Identity Gateway

Configuring ForgeRock Identity Gateway - IG-440

The Configuring ForgeRock Identity Gateway course is for students who want to learn how to configure ForgeRock Identity Gateway (IG) to help extend access to and protect web applications, application programming interfaces (APIs), and devices and things within an access management solution.

This course comprises a mix of instructor-led lessons and demonstrations with plenty of lab exercises to ensure an opportunity to fully understand each of the topics covered. It provides students with the necessary skills to plan, install, configure, and administer an IG deployment. The main goal of the course is to provide a thorough understanding of and hands-on experience with IG, so that students can control the most important functions of IG and manage a successful production deployment.

Note that Revision A of this course is built on version 5.5 of IG.

Target Audiences

The following are the target audiences for this course:

  • System Integrators

  • System Consultants

  • System Architects

  • System Administrators

  • Web Developers

Upon completion of this course, you should be able to:

  • Describe the role and use cases where IG fits within a ForgeRock Identity Platform™ solution, basic concepts of IG, and how to perform a basic installation and configuration of IG

  • Describe advanced configuration topics and pre-configured default objects in the IG configuration and how to apply the knowledge when building an IG project

  • Use IG as a policy enforcement point (PEP) to protect a given web application, where ForgeRock® Access Management (AM) is the policy decision point (PDP)

  • Extend IG to support logout functionality and the retrieval of user profile attributes

  • Configure IG in the context of OAuth2 and OpenID Connect (OIDC)

  • Configure IG as a Service Provider (SP) in a SAML2 federation context

  • Plan the different phases of an IG project: high-level planning, detailed planning, and implementation

Prerequisites

The following are the prerequisites to successfully completing this course:

  • Basic knowledge and skills using the Linux operating system to complete labs

  • Basic knowledge of HTTP and communications between clients and web applications is critical to understanding and working with IG

  • Basic knowledge of JSON, JavaScript, REST, Java, Groovy, SQL, and XML is helpful in understanding the examples, especially Groovy for scripting within IG

Duration: 3 days

Course Contents

Chapter 1: Basic Configuration

Describe the role and use cases where IG fits within a ForgeRock Identity Platform solution, basic concepts of IG, and how to perform a basic installation and configuration of IG.

Lesson 1: Introducing ForgeRock Identity Gateway

  • Compare an IG-based solution with a solution using AM policy agents

  • Examine a request and response through IG to help understand how IG works

  • Describe the use cases for using IG within your identity management solution

  • Use IG Studio to create a simple reverse proxy route configuration in IG, and monitor the related log file

  • Examine the lab environment configuration supporting the various IG use cases

Lesson 2: Creating a Basic IG Configuration

  • Describe the installation requirements and process for IG

  • Perform a basic installation of IG

  • Describe how you can use IG Studio to build or prototype routes

  • Build or prototype routes using IG Studio

  • Describe basic handlers in IG

  • Use the static response handler and the HTTP client handler in the base configuration

  • Describe basic routing in IG

  • Configure IG to route requests using two route configurations

  • Describe basic filters in IG

  • Configure IG filters to intercept requests and responses
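To make the Lesson 2 objectives concrete, here is an added example of a single IG route file. It is not course material and not a ForgeRock sample; the route name, backend host, and header names are assumptions, and the syntax follows IG 5.5 route JSON (condition expression, Chain with filters, the default ReverseProxyHandler, and the capture decorator at route level). JSON carries no comments, so the assumptions are stated here rather than in the file. The route matches on path, removes any X-Forwarded-User header the client supplied before the gateway adds its own forwarding header, and proxies to the backend.

```json
{
  "name": "10-app",
  "condition": "${matches(request.uri.path, '^/app')}",
  "baseURI": "http://app.example.com:8081",
  "capture": "all",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "HeaderFilter",
          "config": {
            "messageType": "REQUEST",
            "remove": ["X-Forwarded-User"],
            "add": {
              "X-Forwarded-Proto": ["https"]
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

Two practitioner notes. HeaderFilter applies "remove" before "add", so stripping identity-style headers that a backend may trust is the check to make whenever the gateway sets such headers later in the chain; a client that can inject X-Forwarded-User past the gateway owns whatever the backend derives from it. The "capture": "all" decorator writes full requests and responses, including cookies and bearer tokens, to the log, so it belongs in a development route and should be removed or narrowed before the route reaches production.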

Chapter 2: Advanced Configuration

Describe advanced configuration topics and pre-configured default objects in the IG configuration and how to apply the knowledge when building an IG project.

Lesson 1: Enhancing the Default Configuration Objects

  • Describe how the AdminHttpApplication and GatewayHttpApplication classes initialize IG

  • Use JWT sessions to capture state and store it as a cookie

Lesson 2: Attaching Decorators to Configuration Objects

  • Describe the default CaptureDecorator

  • Test the default CaptureDecorator

  • Configure a decorator in a route

Lesson 3: Monitoring, Logging, and Auditing in IG

  • Describe monitoring in IG

  • Describe the audit framework and how IG manages audit messages

  • Capture and store audit data

  • Describe how you can manage logging events in IG

  • Change log levels and capture areas

Lesson 4: Extending IG with Scripts

  • Describe the scripting framework for extending IG functionality

  • Add a script through IG Studio

  • Implement a ScriptableHandler

  • Prepare a development environment for scripting

  • Use existing scripts to extend IG functionality (optional)

Chapter 3: IG as a PEP to Protect an Application

Use IG as a policy enforcement point (PEP) to protect a given web application, where AM is the policy decision point (PDP), and extend IG to support logout functionality and the retrieval of user profile attributes.

Lesson 1: Configuring IG as a Basic PEP

  • Describe the use cases for configuring IG as a PEP and explain the AM requirements for a policy decision

  • Configure IG as a PEP to enforce policy decisions from AM

  • Add advanced options to the PEP filter, including a custom handler for authorization failures, result caching, and AM policy enforcement

Lesson 2: Extending IG as a Basic PEP

  • Configure IG not to enforce authorization on requests for common file extensions

  • Add a logout function using a ScriptableFilter and a custom Groovy script

Chapter 4: IG with OAuth 2.0 and OpenID Connect 1.0

Configure IG in the context of OAuth2 and OpenID Connect (OIDC).

Lesson 1: Configuring IG in the Role of an OAuth2 Resource Server

  • Describe the use cases for configuring IG in the role of an OAuth2 resource server

  • Briefly describe how OAuth2 works in relation to IG

  • Examine the supporting AM configurations necessary for integrating with IG

  • Configure IG in the role of an OAuth2 resource server

  • Test the OAuth2 flow with IG

Lesson 2: Configuring IG as an OIDC Relying Party

  • Describe the use cases for IG as a relying party and how OIDC works in relation to IG

  • Examine the supporting AM configurations necessary for integrating with IG

  • Configure IG as a relying party

  • Test the minimal flow and examine the route configuration

  • Examine the route configuration of IG

  • Prepare for and test the extended configuration

Chapter 5: IG as a SAML2 Service Provider

Configure IG as an SP in a SAML2 federation context.

Lesson 1: Configuring IG as SAML2 SP

  • Describe the use cases for using IG as an SP and how SAML2 works in relation to IG

  • Configure IG as a SAML2 Service Provider to support SP-initiated single sign-on (SSO)

  • Follow the protocol flow using the SAML Tracer browser plugin to test SSO access

Lesson 2: Extending IG as SAML2 SP

  • Explain why and how you might extend the basic SAML2 use case to include not-enforced URLs, set header fields, and set cookies

  • Configure the SAML2 route configuration to include not-enforced URLs, set header fields, and set a cookie based on information from the SAML assertion

Chapter 6: Building an IG Project

Plan the different phases of an IG project: high-level planning, detailed planning, and implementation.

Lesson 1: Planning a Project

  • Describe how to plan a project with IG at a high level

  • Describe how to add detailed planning steps to a project

Lesson 2: Implementing the Plan

  • Describe the process for implementing a project

  • Describe basic troubleshooting steps

Lesson 3: Moving to Production

  • Describe and implement throttling of the rate of requests to a protected application

  • Add parameters to an IG configuration so that the same configuration can be used across environments
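As an added example for the two Lesson 3 objectives (throttling and environment-independent configuration), here is a route that rate-limits requests per client address and takes its backend address from the environment. This is not course material and not a ForgeRock sample. Assumptions: the route name, path, and the API_BASE_URI environment variable are made up; the ThrottlingFilter fields and the ${contexts.client.remoteAddress} expression follow the IG 5.5 reference; and whether baseURI accepts a ${...} expression in a given IG version should be checked against its documentation, the documented alternative being configuration properties defined in config.json. JSON carries no comments, so the assumptions are stated here.

```json
{
  "name": "20-api",
  "condition": "${matches(request.uri.path, '^/api')}",
  "baseURI": "${env['API_BASE_URI']}",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "ThrottlingFilter",
          "config": {
            "requestGroupingPolicy": "${contexts.client.remoteAddress}",
            "rate": {
              "numberOfRequests": 60,
              "duration": "1 minute"
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

The grouping policy decides what the limit means. Grouping on the remote address works only when clients connect to IG directly; behind a load balancer every request shares the balancer's address and one bucket throttles all users at once. In that deployment the grouping expression has to read the forwarded client address instead, and that header must be trusted only when the front proxy overwrites it rather than passing a client-supplied value through. Keeping the backend address in the environment, rather than in the route file, is what lets the same route file be promoted unchanged from the lab environment to production.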