ForgeRock Access Management - Customization and APIs


ForgeRock Access Management – Customization and APIs (FR-421)

Description

This hands-on technical introduction to ForgeRock Access Management focuses on APIs and customization use cases. Students examine Access Management extension points and gain the skills required to extend and integrate an Access Management deployment in a real-world context. Development best practices are demonstrated in a series of labs.

Note that Revision B of this course is built on OpenAM 13.

Target Audiences

The following are the target audiences for this course:

  • Application developers, adapting client applications to use access management capabilities

  • System architects and software developers, extending and integrating access management services for their organizations

Objectives

Upon completion of this course, you should be able to:

  • List extension points of ForgeRock Access Management

  • Describe the Service Provider Interface mechanism

  • List which customizable components are affected in common access management use cases

  • Use the Service Management Service

  • Understand the basic concepts of scripting

  • Use the administration interface to look up, edit, and configure scripts

  • Describe how Access Management performs authentication

  • Design and implement a custom authentication module

  • Discuss characteristics of Post Authentication Plugins (PAPs)

  • Design and implement a custom Post Authentication Plugin

  • Describe how scripted authentication works

  • Explain how server-side scripted authentication modules communicate with Access Management

  • Use the administration interface to create and test authentication chains containing scripts

  • Discuss the policy concepts in OpenAM 13

  • Implement an EntitlementCondition or a scripted condition

  • Describe the ForgeRock Common REST API (CREST)

  • Enable Cross-Origin Resource Sharing (CORS)

  • Explain how to authenticate users through the REST API

  • Demonstrate how identities and realms can be managed through the REST API

  • Show how password reset and user self-registration can be carried out using the REST API

  • Query the list of dashboard applications through the REST API

  • Show how to use the policy engine to protect non-URL-based resources

  • Describe the policy management and evaluation REST APIs

  • Describe OAuth 2.0 and OpenID Connect, including how to use their HTTP endpoints

  • Demonstrate scope validation and customize its default behavior

  • Explain the basic concepts of UMA

  • Set up Access Management as a UMA authorization server

  • Manage UMA resource sets

  • Demonstrate how to customize the UMA workflow

Prerequisites

The following are the prerequisites to successfully completing this course:

  • Completion of the AM-400 course

  • Basic knowledge and skills using the Linux operating system to complete labs

  • Basic knowledge of JSON, JavaScript, REST, Java, Groovy, and XML will be helpful in understanding examples

Duration

5 days

Course Contents

Chapter 1: Extension Points

Extension points of Access Management

  • Discuss the main components of the Access Management architecture
  • Describe the various APIs through which Access Management services can be accessed
  • Understand how and at what points the behavior of Access Management can be customized

The Service Provider Interface (SPI) mechanism

  • Illustrate the concept and types of Service Provider Interfaces
  • Describe how Service Provider Interfaces can be implemented and deployed
  • Understand scripted extensions

Common customization use cases of Access Management

  • Review customization use cases related to authentication
  • Review customization use cases related to policy evaluation
  • Review customization use cases related to SAML2
  • Review customization use cases related to OAuth and UMA

Get familiar with the example application (Lab)

  • Learn how to start and stop Access Management
  • Learn how to start and stop the Directory Services directory server
  • Learn how to browse and edit information stored by the Directory Services directory server
  • Try the various functions of the ContactList example application as a regular user
  • Try the various functions of the ContactList example application in the three available roles (contact reader, contact administrator, user administrator)
  • Comprehend the structure of the example application’s source code

Chapter 2: Implementing Service Provider Interfaces

Service Management Service

  • Discuss the service concept in Access Management
  • Review the main classes in the Service Management Service API

Accessing fundamental services with the SDK

  • Discuss the Access Management Client SDK
  • Describe how to configure and use the SDK
  • Demonstrate how to authenticate with the SDK
  • Manage identities with the SDK
  • Manage services with the SDK
  • Manage and use policies with the SDK
  • Perform audit and debug logging with the SDK

Create a custom service (Lab)

  • Examine definition of the custom service provided in the lab
  • Register the custom service
  • Modify the custom service to use a dynamically generated role list
  • Register and test the modified service
  • Complete the integration test provided in the lab

Chapter 3: Scripting API

Fundamental concepts of scripting

  • Discuss the characteristics of the Scripting API
  • Describe the scenarios in which the Scripting API can be used
  • Demonstrate the script execution mechanism

Scripting environment

  • Discuss the HTTP services provided to scripts
  • Describe the logging services provided to scripts
  • Understand the user profile management services provided to scripts

Management of scripts through the administration interface

  • Learn how to create a new script
  • Learn how to edit a script
  • Learn how to configure the scripting engine

Get familiar with the scripting engine (Lab)

  • Examine the global scripts
  • Create a simple script and examine the effect of modifying the class whitelist of the scripting engine

Chapter 4: Customizing Authentication

Authentication in Access Management

  • Review the concept of authentication module
  • Discuss the architecture of authentication modules
  • Run the workflow use cases (optional)

Implementation of custom authentication modules

  • Explain the execution flow during authentication
  • Create the necessary service configuration
  • Localize the custom authentication module
  • Implement the custom authentication module
  • Define callbacks
  • Build and deploy the custom authentication module
  • Test the custom authentication module

Post-Authentication Plugins (PAP)

  • Describe the concept of a Post-Authentication Plugin
  • Learn how to implement a Post-Authentication Plugin
  • Build and deploy a custom Post-Authentication Plugin

Implement a custom authentication module (Lab)

  • Complete the code of a custom authentication module provided in the lab, which lets the user select the role they want to log in with
  • Deploy and test the developed custom authentication module

Chapter 5: Scripted Authentication Modules

Scripted authentication

  • Discuss how scripted authentication works, including its limitations as opposed to authentication modules written in Java
  • Describe client-side authentication scripts
  • Describe server-side authentication scripts

Interfacing client- and server-side authentication scripts with Access Management

  • Review how client-side authentication scripts can communicate with Access Management
  • Review how server-side authentication scripts can communicate with Access Management
  • Discuss the services available to server-side authentication scripts

Management of scripted authentication modules through the administration interface

  • Learn how to create the script
  • Create the scripted authentication module for the script
  • Embed the scripted authentication module into an authentication chain
  • Test the authentication chain containing the scripted authentication module
  • Learn how to debug client- and server-side authentication scripts

Write and test a scripted authentication module (Lab)

  • Write a server-side authentication script checking the disabled status of a user
  • Embed the script into an authentication chain
  • Test the authentication script
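One way to write the server-side script this lab asks for, as an added example in JavaScript that is not part of the course materials or of ForgeRock's own global scripts. It targets the OpenAM 13 scripting engine and relies on the bindings that engine hands to server-side authentication scripts (username, idRepository, logger, authState, SUCCESS and FAILED); inetuserstatus is the attribute the data store uses for account status. The decision logic is kept in a plain function, separate from the engine bindings, so it can be tested outside AM.

```javascript
// Added example: OpenAM 13 server-side authentication script (JavaScript).
// Fails the authentication when the user's inetuserstatus attribute marks the
// account as disabled.
//
// Assumed engine bindings (OpenAM 13 server-side authentication scripts):
// username, idRepository, logger, authState, SUCCESS, FAILED. Everything else
// is local to this script. Written with var/function so it runs under Rhino.

// Pure decision logic over an array of attribute values.
function isActive(values) {
  // No inetuserstatus attribute at all: AM's own data store module treats the
  // account as active, so this mirrors that default. Return false here instead
  // if your profile schema guarantees the attribute is always present and you
  // prefer to fail closed.
  if (!values || values.length === 0) {
    return true;
  }
  for (var i = 0; i < values.length; i++) {
    if (String(values[i]).toLowerCase() === "inactive") {
      return false;
    }
  }
  return true;
}

// Converts the java.util.Set returned by idRepository.getAttribute() into a
// plain array of strings so the decision logic never touches Java types.
function attributeValues(repo, user, attribute) {
  var out = [];
  var set = repo.getAttribute(user, attribute);
  if (set === null || set === undefined) {
    return out;
  }
  var it = set.iterator();
  while (it.hasNext()) {
    out.push(String(it.next()));
  }
  return out;
}

// Entry point inside the OpenAM scripting engine. The typeof guard lets the
// same file load under Node.js for unit testing, where no bindings exist.
if (typeof idRepository !== "undefined") {
  var status = attributeValues(idRepository, username, "inetuserstatus");
  if (isActive(status)) {
    logger.message("user " + username + " is active, continuing the chain");
    authState = SUCCESS;
  } else {
    logger.warning("user " + username + " is disabled, failing authentication");
    authState = FAILED;
  }
}
```

Create the script with type Server-side Authentication, attach it to a Scripted Module, and place that module after the DataStore module in the chain so that `username` is already populated when the script runs.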

Chapter 6: Customizing Authorization

Policy API in Access Management

  • Review the main elements of the policy API
  • Discuss the concept of resource types
  • Describe the concept of policy sets (formerly applications)
  • Describe the concept of application types
  • Illustrate policy structure

Custom policy best practices

  • Review the main groups of built-in policy conditions and the most important members of them
  • Discuss situations where an EntitlementCondition can be used
  • Describe the situations where a script condition can be used

Implementing an EntitlementCondition

  • Review the steps needed to implement an EntitlementCondition
  • Review the steps needed to build and deploy an EntitlementCondition

Implementing a scripted condition

  • Review the execution flow of the scripted condition
  • Discuss the variables available to the scripted condition
  • Describe the steps needed to create and deploy a scripted condition
  • Learn how to use a scripted condition through the administration interface
  • Learn how to use a scripted condition through the REST API

Develop a custom policy condition (Lab)

  • Write a custom policy condition checking whether the ContactList example application is in maintenance mode or not
  • Modify the policy condition to return additional information, like the maintenance flag and a message in case of maintenance mode
  • Complete the policy set

Chapter 7: Using the REST API

Access Management services available through the REST API

  • Describe the set of Access Management services which can be accessed via the REST API

ForgeRock Common REST API (CREST)

  • Review the main characteristics of the REST API
  • Discuss the verbs available in the REST API
  • Review the status codes returned by the REST API
  • Describe filtering, paging, sorting and pretty printing
  • Explain the REST API versioning

Accessing the REST API from the browser

  • Learn how to use the REST API from jQuery
  • Learn how to use the REST API from AngularJS

Enabling Cross-Origin Resource Sharing (CORS)

  • Describe CORS
  • Learn how to enable CORS in Access Management
  • List the configuration options for the CORSFilter

Modify the example application to use Access Management for authentication (Lab)

  • Examine the client- and server-side components of the ContactList example application
  • Set up CORSFilter in Access Management
  • Create an AngularJS module in ContactList that uses the authentication service of Access Management

Chapter 8: Authentication with the REST API

Logging in and out

  • Compare the simplified (username/password) and full (callback-based) authentication APIs
  • Discuss callback types
  • Learn how to use the simplified authentication API
  • Learn how to use the full authentication API
  • Describe advanced authentication options (realm, authentication attributes, session upgrade)
  • Learn how to log out

Token and session management

  • Learn how to validate tokens
  • Describe the session API

Identity management

  • Discuss the identity management API
  • Learn how to read user attributes

Realm management

  • Learn how to create a realm

Modify the example application to use Access Management for all authentication-related functions (Lab)

  • Complete the AngularJS service interfacing Access Management to cover all authentication-related functions
  • Modify the login service to use the testSelectRole authentication chain in Access Management
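The two login styles this chapter compares, together with token validation and logout, as an added example in JavaScript; it is not code from the course, from the ContactList application or from ForgeRock. Endpoint paths and headers follow the OpenAM 13 REST API for that release; the base URL is a hypothetical deployment, and the HTTP call is injected as a `post(url, headers, body)` function so the callback-filling logic can be exercised against constructed responses without a server.

```javascript
// Added example: a small client for the OpenAM 13 authentication REST API.
// Assumed deployment URL; replace with your own.
const AM_BASE = "https://openam.example.com:8443/openam";
const HEADERS = {
  "Content-Type": "application/json",
  // Pin the CREST version so the response shape cannot change under you.
  "Accept-API-Version": "resource=2.0, protocol=1.0",
};

// /json/authenticate for the top-level realm, /json/<realm>/authenticate below it.
function authenticateUrl(realm) {
  const path = realm && realm !== "/" ? "/" + realm.replace(/^\//, "") : "";
  return AM_BASE + "/json" + path + "/authenticate";
}

// Simplified API: credentials travel in two request headers and AM answers in
// one round trip. Only ever use this over TLS; the headers are plain text otherwise.
function simplifiedLogin(post, username, password, realm) {
  const headers = Object.assign({}, HEADERS, {
    "X-OpenAM-Username": username,
    "X-OpenAM-Password": password,
  });
  return post(authenticateUrl(realm), headers, {});
}

// Full API: AM returns a "step" holding an authId and a list of callbacks; the
// client fills each callback's input values and posts the whole step back.
// `answers` maps a callback type to one value, or to an array with one value
// per input for multi-input callbacks.
function fillCallbacks(step, answers) {
  const filled = JSON.parse(JSON.stringify(step)); // never mutate the server's object
  filled.callbacks.forEach((cb) => {
    const inputs = cb.input || [];
    if (inputs.length === 0) {
      return; // output-only callback (e.g. TextOutputCallback) needs no answer
    }
    const answer = answers[cb.type];
    if (answer === undefined) {
      throw new Error("no answer for callback type " + cb.type);
    }
    const values = Array.isArray(answer) ? answer : [answer];
    if (values.length !== inputs.length) {
      throw new Error(cb.type + " expects " + inputs.length + " input(s)");
    }
    inputs.forEach((input, i) => { input.value = values[i]; });
  });
  return filled;
}

// Drives the full API until AM either issues a tokenId or stops sending callbacks.
// `post(url, headers, body)` returns the parsed JSON body (a Promise is fine).
async function fullLogin(post, answers, realm, maxRounds = 10) {
  const url = authenticateUrl(realm);
  let step = await post(url, HEADERS, {});
  for (let round = 0; round < maxRounds; round++) {
    if (step.tokenId) {
      return step; // { tokenId, successUrl }
    }
    if (!Array.isArray(step.callbacks)) {
      // Failure arrives as {"code":401,"reason":"Unauthorized","message":"Authentication Failed"}.
      throw new Error("authentication failed: " + JSON.stringify(step));
    }
    step = await post(url, HEADERS, fillCallbacks(step, answers));
  }
  throw new Error("authentication did not complete within " + maxRounds + " rounds");
}

// Token validation: POST /json/sessions/<tokenId>?_action=validate returns
// {"valid":true,"uid":"demo","realm":"/"} for a live session, {"valid":false} otherwise.
function validateSession(post, tokenId) {
  const url = AM_BASE + "/json/sessions/" + encodeURIComponent(tokenId) + "?_action=validate";
  return post(url, HEADERS, {});
}

// Logout: the session to destroy is identified by the SSO token cookie header.
// iplanetDirectoryPro is AM's default cookie name; a hardened deployment may rename it.
function logout(post, tokenId) {
  const headers = Object.assign({}, HEADERS, { iplanetDirectoryPro: tokenId });
  return post(AM_BASE + "/json/sessions/?_action=logout", headers, {});
}
```

Both styles hand the password to AM in clear text inside the TLS tunnel; the full API is what you need as soon as the chain contains anything other than a plain NameCallback/PasswordCallback pair, which is why the lab's role-selecting chain has to use it.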

Chapter 9: Common User Self-Service with the REST API

Password reset

  • Review the characteristics of the self-service API
  • Illustrate the flow of password reset
  • Learn how to enable the password reset functionality
  • Learn how to perform password reset through the REST API

User self-registration

  • Discuss the flow of user self-registration
  • Learn how to enable the user self-registration functionality
  • Learn how to perform user self-registration

User dashboard

  • Describe the concept of user dashboard
  • Learn how to list dashboard applications through the REST API

Implement password reset in the example application (Lab)

  • Prepare for the password reset functionality by configuring Access Management and setting up a fake e-mail server
  • Emulate password reset using curl
  • Add password reset functionality to the ContactList example application

Chapter 10: Authorization with the REST API

Protecting resources

  • Describe how to protect URL-based resources
  • Explain how to protect non-URL-based resources

Policy management

  • List the main elements of the policy management API
  • Discuss the entities of the policy service

Policy evaluation

  • Describe the policy evaluation REST API
  • Explain the concept of policy sets
  • Learn how to request policy evaluation for a set of resources

Fine-grained authorization

  • Demonstrate how policy evaluation can be used to determine which user interface components to show in a JavaScript client

Modify the example application to use Access Management for authorization (Lab)

  • Create and test policy sets tailored to the ContactList example application
  • Extend the back end of ContactList to use the authorization REST API
  • Extend the front end of ContactList to use the authorization REST API
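How a client builds a policy evaluation request and turns the decisions into allow/deny answers, covering the non-URL resource and fine-grained UI cases above, as an added example in JavaScript; it is not code from the course, from ContactList or from ForgeRock. The request shape follows the OpenAM 13 `/json/policies?_action=evaluate` endpoint; the base URL, the policy set name and the `contact://` resource scheme are hypothetical stand-ins for the lab's own resources.

```javascript
// Added example: OpenAM 13 policy evaluation over REST, request side and
// decision side. Assumed deployment URL; replace with your own.
const AM_BASE = "https://openam.example.com:8443/openam";

// POST /json/policies?_action=evaluate. The caller authenticates with its own
// SSO token in the iplanetDirectoryPro header (an account permitted to evaluate
// policies, typically the application's service account); the user whose access
// is being checked is named by the subject in the body. "application" is the
// REST name for a policy set in OpenAM 13.
function evaluateRequest(callerToken, subjectToken, resources, policySet, environment) {
  if (!Array.isArray(resources) || resources.length === 0) {
    throw new Error("at least one resource is required");
  }
  return {
    url: AM_BASE + "/json/policies?_action=evaluate",
    headers: {
      "Content-Type": "application/json",
      iplanetDirectoryPro: callerToken, // default cookie name; may be renamed in hardened deployments
    },
    body: {
      resources: resources,
      application: policySet,
      subject: { ssoToken: subjectToken },
      environment: environment || {},
    },
  };
}

// AM answers with one decision per requested resource, e.g.
// {"resource":"contact://...","actions":{"READ":true,"WRITE":false},"attributes":{},"advices":{}}
// An action missing from "actions" means no policy decided it, which must be a deny.
function isAllowed(decisions, resource, action) {
  const decision = decisions.find((d) => d.resource === resource);
  if (!decision || !decision.actions) {
    return false;
  }
  return decision.actions[action] === true;
}

// Actions explicitly granted for a resource, sorted for stable comparison.
// This is what a JavaScript front end uses to decide which controls to render.
function allowedActions(decisions, resource) {
  const decision = decisions.find((d) => d.resource === resource);
  if (!decision || !decision.actions) {
    return [];
  }
  return Object.keys(decision.actions).filter((a) => decision.actions[a] === true).sort();
}

// Advice explains how the user could become authorized (for example
// AuthLevelConditionAdvice asks for a stronger authentication level). Surface it
// so the client can start a session upgrade instead of showing a flat denial.
function stepUpAdvice(decisions, resource) {
  const decision = decisions.find((d) => d.resource === resource);
  if (!decision || !decision.advices || Object.keys(decision.advices).length === 0) {
    return null;
  }
  return decision.advices;
}
```

Hiding a button because `allowedActions` came back empty is a usability measure, not a control: the ContactList back end must call the same evaluation on every request before it returns or changes data, since anything decided in the browser can be bypassed.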

Chapter 11: OAuth Custom Scopes

OAuth 2.0

  • Explain the benefits of OAuth 2.0
  • List the main elements of OAuth 2.0
  • Illustrate the authorization code flow
  • Describe the OAuth-related HTTP services available in Access Management

OpenID Connect

  • Explain the benefits of OpenID Connect
  • List the main elements of OpenID Connect
  • Illustrate the authorization code flow extended with OpenID Connect
  • Describe the TokenInfo endpoint
  • Describe the UserInfo endpoint
  • Discuss the OpenID Connect HTTP services

Scope validation

  • Explain how scope validation is implemented in Access Management
  • Learn how to implement and register a custom scope validation implementation
  • Describe the default OIDC script
  • Learn how to set up a custom OIDC script

Modify the example application to use OAuth 2.0/OpenID Connect for authentication and authorization (Lab)

  • Set up OAuth 2.0 and OpenID Connect in Access Management
  • Create a customized scope validator and token response
  • Modify the ContactList example application to use OpenID Connect for authentication
  • Modify ContactList to behave as an OAuth 2.0 resource server

Chapter 12: User Managed Access (UMA)

UMA concepts

  • Explain the benefits of UMA
  • List the main elements of UMA
  • Describe the various tokens and tickets used in UMA
  • Illustrate the UMA protocol flow

Setting up UMA in Access Management

  • Learn how to enable UMA
  • Learn how to use the UMA discovery endpoint
  • Learn how to configure UMA providers and stores

UMA administration

  • Learn how to manage resources on the UMA administration page

UMA REST API

  • Describe the resource set and user label endpoints
  • Discuss the policy endpoint
  • Explain the permission request, RPT and pending request endpoints

Customizing UMA

  • Understand possible customization points
  • Learn how to register UMA filters

Allow resource sharing in the example application (Lab)

  • Enable and configure UMA in Access Management
  • Examine the source code of the ContactList example application (both in the front end and back end) dealing with resource sharing
  • Examine the source code of the ContactList example application (both in the front end and back end) dealing with the access of shared resources

Available Courses

ForgeRock® Access Management - Customization and APIs (BVP)
(FR-421-BVP Rev B)
Tech Data UK - Europe Various

ForgeRock® Access Management - Customization and APIs (BVP)
(FR-421-BVP Rev B)
GCA - Americas Various

ForgeRock® Access Management - Customization and APIs (BVP-FR)
(FR-421-BVP-FR Rev B)
Aduneo - France
Language: French

ForgeRock® Access Management - Customization and APIs (BVP)
(FR-421-BVP Rev B)
ExitCertified - Americas Various

ForgeRock® Access Management - Customization and APIs (BVP)
(FR-421-BVP Rev B)
Red Education - Singapore

ForgeRock® Access Management - Customization and APIs (ILT)
(FR-421-ILT Rev B)
ExitCertified - Americas Various