PingOne Advanced Identity Cloud (formerly ForgeRock Identity Cloud) represents the cloud-native evolution of ForgeRock’s enterprise IAM platform. Following the Ping Identity and ForgeRock merger, this certification validates your expertise in the combined platform.
Understanding the Ping-ForgeRock Ecosystem
The Merger Context
In 2023, Ping Identity acquired ForgeRock, creating a unified identity platform:
| Product | Heritage | Current Branding |
|---|---|---|
| ForgeRock Identity Cloud | ForgeRock | PingOne Advanced Identity Cloud |
| ForgeRock AM/IDM/DS | ForgeRock | ForgeRock products under Ping |
| PingOne | Ping Identity | PingOne (unchanged) |
| PingFederate | Ping Identity | PingFederate (unchanged) |
Ping Identity Portfolio Overview:
graph TB
subgraph "PingOne Platform"
P1[PingOne SSO]
P2[PingOne MFA]
P3[PingOne Protect]
AIC[PingOne Advanced<br/>Identity Cloud]
end
subgraph "Self-Managed"
PF[PingFederate]
PA[PingAccess]
FR_AM[ForgeRock AM]
FR_IDM[ForgeRock IDM]
FR_DS[ForgeRock DS]
end
AIC -->|Based on| FR_AM
AIC -->|Based on| FR_IDM
AIC -->|Based on| FR_DS
style AIC fill:#667eea,color:#fff
style FR_AM fill:#764ba2,color:#fff
style FR_IDM fill:#764ba2,color:#fff
style FR_DS fill:#764ba2,color:#fff
What is PingOne Advanced Identity Cloud?
PingOne Advanced Identity Cloud (AIC) is a comprehensive, cloud-hosted identity platform that provides:
- Identity Management – User lifecycle, provisioning, governance
- Access Management – Authentication, SSO, federation
- Identity Orchestration – No-code journey builder
- Identity Governance – Access reviews, certifications, SoD
- Directory Services – Cloud-hosted identity store
Key Advantages over Self-Managed:
| Feature | Self-Managed | Advanced Identity Cloud |
|---|---|---|
| Infrastructure | Customer manages | Ping manages |
| Updates | Manual upgrades | Automatic, zero-downtime |
| Scaling | Customer configures | Auto-scaling |
| HA/DR | Customer implements | Built-in global redundancy |
| Compliance | Customer responsibility | SOC 2, ISO 27001 included |
Certification Overview
| Aspect | Details |
|---|---|
| Certification Name | PingOne Advanced Identity Cloud Certified Professional |
| Format | Multiple choice and scenario-based questions |
| Questions | 60-70 questions |
| Duration | 90 minutes |
| Passing Score | 70% |
| Prerequisites | Familiarity with IAM concepts, 6+ months AIC experience recommended |
| Validity | 2 years |
| Delivery | Online proctored |
Exam Domains and Objectives
Domain 1: Tenant Architecture and Administration (15%)
Key Topics:
- Tenant types (development, staging, production)
- Promotion between environments
- Realm configuration
- Admin console navigation
- ESV (Environment Secrets and Variables)
Environment Promotion Flow:
ESV Configuration:
# Environment Variables (configuration)
AM_BASE_URL=https://openam-mycompany.forgeblocks.com
# Environment Secrets (sensitive data)
SMTP_PASSWORD=encrypted_value
API_CLIENT_SECRET=encrypted_value
Domain 2: Authentication Journeys (25%)
The most heavily weighted domain. Journeys are the core of AIC authentication.
Journey Building Blocks:
| Node Type | Purpose | Examples |
|---|---|---|
| Collector | Gather user input | Username, Password, OTP |
| Decision | Branch logic | Data Store Decision, Script |
| Action | Perform operations | Create Object, Patch Object |
| Integration | External systems | Social Login, CAPTCHA |
| Authentication | Verify identity | WebAuthn, Push Notification |
Example Journey Structure:
graph LR
A[Page Node] --> B{Data Store<br/>Decision}
B -->|Success| C{MFA Required?}
B -->|Failure| F[Failure]
C -->|Yes| D[Push Auth]
C -->|No| E[Success]
D -->|Verified| E
D -->|Failed| F
style A fill:#667eea,color:#fff
style E fill:#28a745,color:#fff
style F fill:#dc3545,color:#fff
Key Journey Nodes to Master:
- Page Node – Collect multiple inputs in single page
- Data Store Decision – Validate credentials against identity store
- Scripted Decision – Custom JavaScript logic
- Inner Tree Evaluator – Call sub-journeys
- Identify Existing User – Find user by attribute
- Increment Login Count – Track authentication attempts
Domain 3: Identity Management (20%)
User Lifecycle Operations:
- User registration and onboarding
- Profile management
- Password management
- Account linking
- Deprovisioning
Managed Object Configuration:
{
"name": "alpha_user",
"schema": {
"properties": {
"userName": {
"type": "string",
"searchable": true,
"userEditable": false
},
"givenName": {
"type": "string",
"searchable": true,
"userEditable": true
},
"mail": {
"type": "string",
"searchable": true,
"policies": [
{ "policyId": "valid-email-format" }
]
},
"accountStatus": {
"type": "string",
"default": "active"
}
}
}
}
Provisioning Connectors:
| Connector | Use Case |
|---|---|
| SCIM | Cloud applications (Salesforce, Workday) |
| LDAP | On-premise directories (AD, OpenLDAP) |
| Database | Custom identity stores |
| Scripted | Custom API integrations |
Domain 4: Applications and Federation (15%)
Application Types:
- SAML 2.0 Applications – Enterprise SSO
- OAuth 2.0/OIDC Applications – Modern apps, SPAs, mobile
- Web Agents – Legacy web application protection
OIDC Application Configuration:
{
"clientId": "my-spa-app",
"clientType": "Public",
"redirectUris": [
"https://myapp.example.com/callback"
],
"scopes": ["openid", "profile", "email"],
"grantTypes": ["authorization_code"],
"tokenEndpointAuthMethod": "none",
"responseTypes": ["code"]
}
Domain 5: Identity Governance (15%)
IGA Capabilities in AIC:
- Access Reviews/Certifications
- Entitlement Management
- Segregation of Duties (SoD)
- Workflow Approvals
- Compliance Reporting
Access Review Process:
sequenceDiagram
participant Admin
participant AIC
participant Reviewer
participant User
Admin->>AIC: Schedule Review Campaign
AIC->>Reviewer: Notify: Access Review Required
Reviewer->>AIC: Review User Entitlements
alt Approve
AIC->>User: Access Maintained
else Revoke
AIC->>User: Access Removed
AIC->>AIC: Audit Log Updated
end
Domain 6: APIs and Extensibility (10%)
REST API Endpoints:
# Get user by ID
GET /openidm/managed/alpha_user/{id}
# Create new user
POST /openidm/managed/alpha_user
Content-Type: application/json
{
"userName": "jdoe",
"givenName": "John",
"sn": "Doe",
"mail": "[email protected]"
}
# Query users
GET /openidm/managed/alpha_user?_queryFilter=mail+eq+"[email protected]"
Scripted Customization:
// Journey Script: Check if user is in allowed group
var userId = sharedState.get("_id");
var groups = idRepository.getAttribute(userId, "memberOf");
if (groups.contains("cn=AllowedUsers,ou=Groups,dc=example,dc=com")) {
outcome = "allowed";
} else {
outcome = "denied";
}
Hands-On Lab Exercises
Lab 1: Basic Tenant Setup
- Navigate to Admin Console
- Configure realms (Alpha, Bravo)
- Set up managed objects schema
- Create test users
Lab 2: Authentication Journey
- Build a registration journey with:
- Username/password collection
- Email verification
- Progressive profiling
- Test with end-user UI
Lab 3: Application Integration
- Register OIDC application
- Configure scopes and claims
- Test authentication flow
- Verify token contents
Lab 4: Identity Governance
- Create access review campaign
- Define reviewers and scope
- Complete review process
- Verify remediation actions
Sample Exam Questions
Question 1
In PingOne Advanced Identity Cloud, which component would you use to implement step-up authentication when a user accesses a sensitive resource?
A) SAML Assertion B) Authentication Journey C) Managed Object Policy D) OAuth Scope
Show Answer
B) Authentication Journey - Journeys are used to implement all authentication flows including step-up authentication based on risk or resource sensitivity.
Question 2
You need to synchronize users from Workday to PingOne AIC. Which connector type is most appropriate?
A) LDAP Connector B) Database Connector C) SCIM Connector D) Scripted REST Connector
Show Answer
C) SCIM Connector - Workday supports SCIM protocol, making it the most appropriate and maintainable choice for user synchronization.
Question 3
What is the purpose of ESV (Environment Secrets and Variables) in PingOne AIC?
A) Store user passwords securely B) Manage configuration differences between environments C) Encrypt database connections D) Control API rate limiting
Show Answer
B) Manage configuration differences between environments - ESVs allow you to promote configurations between dev/staging/production while keeping environment-specific values separate.
ForgeRock vs PingOne Certification Path
If You Have ForgeRock Certifications
Your ForgeRock certifications remain valid. The knowledge transfers directly:
| ForgeRock Cert | AIC Equivalent Topics |
|---|---|
| AM Specialist | Journeys, Authentication, Federation |
| IDM Specialist | Identity Management, Provisioning, Governance |
| DS Specialist | Built-in (cloud-hosted directory) |
Recommended Path
Study Resources
Official Ping Identity Resources
-
Ping Identity University
- PingOne Advanced Identity Cloud Fundamentals
- Journey Building Workshop
- Identity Governance Essentials
-
Documentation
-
Hands-On Environment
- Free developer tenant available
- Sandbox environments for testing
Related Certifications
After AIC certification, consider:
- ForgeRock Certified AM Specialist – Deep dive into AM internals
- ForgeRock Certified IDM Specialist – Advanced provisioning
- ForgeRock Certified DS Specialist – Directory services expertise
- PingFederate Certified Professional – On-premise federation
Related Resources
PingOne AIC Tutorials
- Integrating PingOne Advanced Identity Cloud: A Comprehensive Guide for SPA and API
- Building Complete OIDC Login Flow URLs in ForgeRock Identity Cloud
- Configuring Hosted Login Journey URLs in ForgeRock Identity Cloud
Developer Tools
- JWT Decode Tool – Debug OIDC tokens
- PKCE Generator – OAuth 2.0 PKCE flow
- SAML Decoder – Debug SAML assertions
Conclusion
PingOne Advanced Identity Cloud certification validates your expertise in the leading cloud-native identity platform. Focus on Authentication Journeys (25% of exam), understand identity governance capabilities, and get hands-on experience with a developer tenant.
Good luck with your certification journey!