PingOne Advanced Identity Cloud (formerly ForgeRock Identity Cloud) represents the cloud-native evolution of ForgeRock’s enterprise IAM platform. Following the Ping Identity and ForgeRock merger, this certification validates your expertise in the combined platform.

Understanding the Ping-ForgeRock Ecosystem

The Merger Context

In 2023, Ping Identity acquired ForgeRock, creating a unified identity platform:

ProductHeritageCurrent Branding
ForgeRock Identity CloudForgeRockPingOne Advanced Identity Cloud
ForgeRock AM/IDM/DSForgeRockForgeRock products under Ping
PingOnePing IdentityPingOne (unchanged)
PingFederatePing IdentityPingFederate (unchanged)

Ping Identity Portfolio Overview:

graph TB
    subgraph "PingOne Platform"
        P1[PingOne SSO]
        P2[PingOne MFA]
        P3[PingOne Protect]
        AIC[PingOne Advanced<br/>Identity Cloud]
    end

    subgraph "Self-Managed"
        PF[PingFederate]
        PA[PingAccess]
        FR_AM[ForgeRock AM]
        FR_IDM[ForgeRock IDM]
        FR_DS[ForgeRock DS]
    end

    AIC -->|Based on| FR_AM
    AIC -->|Based on| FR_IDM
    AIC -->|Based on| FR_DS

    style AIC fill:#667eea,color:#fff
    style FR_AM fill:#764ba2,color:#fff
    style FR_IDM fill:#764ba2,color:#fff
    style FR_DS fill:#764ba2,color:#fff

What is PingOne Advanced Identity Cloud?

PingOne Advanced Identity Cloud (AIC) is a comprehensive, cloud-hosted identity platform that provides:

  • Identity Management – User lifecycle, provisioning, governance
  • Access Management – Authentication, SSO, federation
  • Identity Orchestration – No-code journey builder
  • Identity Governance – Access reviews, certifications, SoD
  • Directory Services – Cloud-hosted identity store

Key Advantages over Self-Managed:

FeatureSelf-ManagedAdvanced Identity Cloud
InfrastructureCustomer managesPing manages
UpdatesManual upgradesAutomatic, zero-downtime
ScalingCustomer configuresAuto-scaling
HA/DRCustomer implementsBuilt-in global redundancy
ComplianceCustomer responsibilitySOC 2, ISO 27001 included

Certification Overview

AspectDetails
Certification NamePingOne Advanced Identity Cloud Certified Professional
FormatMultiple choice and scenario-based questions
Questions60-70 questions
Duration90 minutes
Passing Score70%
PrerequisitesFamiliarity with IAM concepts, 6+ months AIC experience recommended
Validity2 years
DeliveryOnline proctored

Exam Domains and Objectives

Domain 1: Tenant Architecture and Administration (15%)

Key Topics:

  • Tenant types (development, staging, production)
  • Promotion between environments
  • Realm configuration
  • Admin console navigation
  • ESV (Environment Secrets and Variables)

Environment Promotion Flow:

Development → Staging → Production
     ↓            ↓           ↓
  Build &      Test &     Production
  Iterate    Validate      Release

ESV Configuration:

# Environment Variables (configuration)
AM_BASE_URL=https://openam-mycompany.forgeblocks.com

# Environment Secrets (sensitive data)
SMTP_PASSWORD=encrypted_value
API_CLIENT_SECRET=encrypted_value

Domain 2: Authentication Journeys (25%)

The most heavily weighted domain. Journeys are the core of AIC authentication.

Journey Building Blocks:

Node TypePurposeExamples
CollectorGather user inputUsername, Password, OTP
DecisionBranch logicData Store Decision, Script
ActionPerform operationsCreate Object, Patch Object
IntegrationExternal systemsSocial Login, CAPTCHA
AuthenticationVerify identityWebAuthn, Push Notification

Example Journey Structure:

graph LR
    A[Page Node] --> B{Data Store<br/>Decision}
    B -->|Success| C{MFA Required?}
    B -->|Failure| F[Failure]
    C -->|Yes| D[Push Auth]
    C -->|No| E[Success]
    D -->|Verified| E
    D -->|Failed| F

    style A fill:#667eea,color:#fff
    style E fill:#28a745,color:#fff
    style F fill:#dc3545,color:#fff

Key Journey Nodes to Master:

  1. Page Node – Collect multiple inputs in single page
  2. Data Store Decision – Validate credentials against identity store
  3. Scripted Decision – Custom JavaScript logic
  4. Inner Tree Evaluator – Call sub-journeys
  5. Identify Existing User – Find user by attribute
  6. Increment Login Count – Track authentication attempts

Domain 3: Identity Management (20%)

User Lifecycle Operations:

  • User registration and onboarding
  • Profile management
  • Password management
  • Account linking
  • Deprovisioning

Managed Object Configuration:

{
  "name": "alpha_user",
  "schema": {
    "properties": {
      "userName": {
        "type": "string",
        "searchable": true,
        "userEditable": false
      },
      "givenName": {
        "type": "string",
        "searchable": true,
        "userEditable": true
      },
      "mail": {
        "type": "string",
        "searchable": true,
        "policies": [
          { "policyId": "valid-email-format" }
        ]
      },
      "accountStatus": {
        "type": "string",
        "default": "active"
      }
    }
  }
}

Provisioning Connectors:

ConnectorUse Case
SCIMCloud applications (Salesforce, Workday)
LDAPOn-premise directories (AD, OpenLDAP)
DatabaseCustom identity stores
ScriptedCustom API integrations

Domain 4: Applications and Federation (15%)

Application Types:

  • SAML 2.0 Applications – Enterprise SSO
  • OAuth 2.0/OIDC Applications – Modern apps, SPAs, mobile
  • Web Agents – Legacy web application protection

OIDC Application Configuration:

{
  "clientId": "my-spa-app",
  "clientType": "Public",
  "redirectUris": [
    "https://myapp.example.com/callback"
  ],
  "scopes": ["openid", "profile", "email"],
  "grantTypes": ["authorization_code"],
  "tokenEndpointAuthMethod": "none",
  "responseTypes": ["code"]
}

Domain 5: Identity Governance (15%)

IGA Capabilities in AIC:

  • Access Reviews/Certifications
  • Entitlement Management
  • Segregation of Duties (SoD)
  • Workflow Approvals
  • Compliance Reporting

Access Review Process:

sequenceDiagram
    participant Admin
    participant AIC
    participant Reviewer
    participant User

    Admin->>AIC: Schedule Review Campaign
    AIC->>Reviewer: Notify: Access Review Required
    Reviewer->>AIC: Review User Entitlements
    alt Approve
        AIC->>User: Access Maintained
    else Revoke
        AIC->>User: Access Removed
        AIC->>AIC: Audit Log Updated
    end

Domain 6: APIs and Extensibility (10%)

REST API Endpoints:

# Get user by ID
GET /openidm/managed/alpha_user/{id}

# Create new user
POST /openidm/managed/alpha_user
Content-Type: application/json
{
  "userName": "jdoe",
  "givenName": "John",
  "sn": "Doe",
  "mail": "jdoe@example.com"
}

# Query users
GET /openidm/managed/alpha_user?_queryFilter=mail+eq+"jdoe@example.com"

Scripted Customization:

// Journey Script: Check if user is in allowed group
var userId = sharedState.get("_id");
var groups = idRepository.getAttribute(userId, "memberOf");

if (groups.contains("cn=AllowedUsers,ou=Groups,dc=example,dc=com")) {
    outcome = "allowed";
} else {
    outcome = "denied";
}

Hands-On Lab Exercises

Lab 1: Basic Tenant Setup

  1. Navigate to Admin Console
  2. Configure realms (Alpha, Bravo)
  3. Set up managed objects schema
  4. Create test users

Lab 2: Authentication Journey

  1. Build a registration journey with:
    • Username/password collection
    • Email verification
    • Progressive profiling
  2. Test with end-user UI

Lab 3: Application Integration

  1. Register OIDC application
  2. Configure scopes and claims
  3. Test authentication flow
  4. Verify token contents

Lab 4: Identity Governance

  1. Create access review campaign
  2. Define reviewers and scope
  3. Complete review process
  4. Verify remediation actions

Sample Exam Questions

Question 1

In PingOne Advanced Identity Cloud, which component would you use to implement step-up authentication when a user accesses a sensitive resource?

A) SAML Assertion B) Authentication Journey C) Managed Object Policy D) OAuth Scope

Show Answer

B) Authentication Journey - Journeys are used to implement all authentication flows including step-up authentication based on risk or resource sensitivity.

Question 2

You need to synchronize users from Workday to PingOne AIC. Which connector type is most appropriate?

A) LDAP Connector B) Database Connector C) SCIM Connector D) Scripted REST Connector

Show Answer

C) SCIM Connector - Workday supports SCIM protocol, making it the most appropriate and maintainable choice for user synchronization.

Question 3

What is the purpose of ESV (Environment Secrets and Variables) in PingOne AIC?

A) Store user passwords securely B) Manage configuration differences between environments C) Encrypt database connections D) Control API rate limiting

Show Answer

B) Manage configuration differences between environments - ESVs allow you to promote configurations between dev/staging/production while keeping environment-specific values separate.

ForgeRock vs PingOne Certification Path

If You Have ForgeRock Certifications

Your ForgeRock certifications remain valid. The knowledge transfers directly:

ForgeRock CertAIC Equivalent Topics
AM SpecialistJourneys, Authentication, Federation
IDM SpecialistIdentity Management, Provisioning, Governance
DS SpecialistBuilt-in (cloud-hosted directory)
New to IAM:
  → PingOne AIC Certification

ForgeRock Background:
  → Review AIC-specific features
  → Take AIC Certification

Ping Identity Background:
  → Learn ForgeRock concepts in AIC
  → Take AIC Certification

Study Resources

Official Ping Identity Resources

  1. Ping Identity University

    • PingOne Advanced Identity Cloud Fundamentals
    • Journey Building Workshop
    • Identity Governance Essentials

  2. Documentation

  3. Hands-On Environment

    • Free developer tenant available
    • Sandbox environments for testing

After AIC certification, consider:

PingOne AIC Tutorials

Developer Tools

Conclusion

PingOne Advanced Identity Cloud certification validates your expertise in the leading cloud-native identity platform. Focus on Authentication Journeys (25% of exam), understand identity governance capabilities, and get hands-on experience with a developer tenant.

Good luck with your certification journey!