🏛️Pillars 📚Concepts 📋Ops 🎯Skills 💬Discuss
Knowledge Base · v2.0  ·  By Dheeraj Nimmala

Master Identity &
Access Management

The complete operational reference for IAM professionals. From core concepts and daily workflows to skill-building and tooling.

6
Core Pillars
8
Key Concepts
8
Workflows
18
Glossary Terms
MFA Coverage
94.2%
↑ 3.1% this month
🔐
IAM System Status
SSO / Federation● Operational
MFA Enforcement● Active
Access Reviews● In Progress
PAM Vaulting● Operational
SCIM Provisioning● Syncing
Stale Accounts⚠ 12 Found
Access Reviews
78 / 120
Certified this quarter
Foundation

The Six Core Pillars

Every IAM program is built on these disciplines. Master each to build a mature, auditable security posture.

🔐
Authentication
Verifying that a user, device, or system is who they claim to be. The first gate in any access control chain.
Foundational
🛡️
Authorization
Determining what an authenticated identity is permitted to do. Enforced via policies, roles, and permissions.
Foundational
🗄️
Directory Services
Centralized stores for identity data — LDAP, Active Directory, cloud directories. The backbone of enterprise IAM.
Infrastructure
🔄
Identity Lifecycle
Provisioning, modifying, and deprovisioning accounts across the Joiner–Mover–Leaver (JML) process.
Operations
📋
Governance & Compliance
Access reviews, certifications, audit trails, and alignment with SOX, HIPAA, GDPR, and PCI-DSS.
Governance
🔑
Privileged Access
Managing high-risk admin and service accounts using vaulting, session recording, and just-in-time access.
High Risk
Deep Dives

Key Concepts & Frameworks

Click any concept to expand definitions, implementation steps, and code examples.

001
Single Sign-On (SSO)
AuthenticationSAML 2.0OIDC
What is it?

SSO allows a user to authenticate once and gain access to multiple applications without re-entering credentials. It leverages a trusted Identity Provider (IdP) and protocols like SAML 2.0 or OIDC.

How to implement
  • Choose an IdP (Okta, Azure AD, Ping Identity, Google Workspace)
  • Register each Service Provider (app) in the IdP console
  • Configure SAML assertions or OIDC claims and attribute mappings
  • Map user attributes to app-specific roles and groups
  • Test the SSO flow and configure fallback authentication
SAML Authentication Flow
User → SP → Redirect to IdP → Authenticate IdP → SAML Assertion (signed XML) → SP SP validates signature → Creates session → ✓ Access granted
002
Multi-Factor Authentication (MFA)
AuthenticationSecurity
What is it?

MFA requires two or more verification factors: something you know (password), something you have (TOTP app, hardware key), and something you are (biometric). Eliminates ~99.9% of account compromise attacks.

MFA Methods Ranked by Strength
  • FIDO2 / Hardware Security Keys (strongest — phishing-resistant)
  • Authenticator App TOTP (Google Authenticator, Microsoft Authenticator)
  • Push Notification with Number Matching (Okta Verify, Duo)
  • SMS OTP (weakest — vulnerable to SIM swap attacks)
Conditional Access Policy
IF user = external OR resource = sensitive_data THEN require: MFA + compliant_device IF risk_score > 70 THEN require: MFA + block_legacy_auth ELSE: allow if low_risk_signal
003
Role-Based Access Control (RBAC)
AuthorizationLeast Privilege
What is it?

Permissions are assigned to roles, not individuals. Users are granted roles that bundle appropriate permissions for their job function. Simplifies management at scale and enforces least privilege.

Access Control Model Comparison
  • RBAC — permissions tied to named job function roles
  • ABAC — attributes (dept, location, device type) determine access
  • PBAC — policy engine evaluates all conditions dynamically at runtime
Role Design Example
Role: "Finance_Analyst" ✓ Read: GL Ledger, AP/AR Reports ✓ Write: Journal entries (own dept only) ✗ Deny: HR Records, Admin Consoles, PII DB Role: "IT_Admin" ✓ Full: Infrastructure + Cloud Systems ✗ Deny: Finance data, HR payroll records
004
Zero Trust Architecture
FrameworkNIST 800-207
Core Principle

"Never trust, always verify." No user, device, or network location is implicitly trusted — even inside the corporate perimeter. Every request is authenticated, authorized, and continuously validated.

NIST Zero Trust Pillars
  • Verify explicitly — always use all available signals (identity, device, location)
  • Use least privilege — JIT and JEA access with time-bound entitlements
  • Assume breach — minimize blast radius, segment networks, encrypt in transit
Policy Engine Decision Flow
Signals → Policy Engine → Trust Score → Decision ● User identity + MFA status ● Device: MDM enrolled, patch level, EDR ● Network: corporate / VPN / public / TOR ● Behavior: anomaly score via UEBA ● Data: sensitivity classification label
005
Privileged Access Management (PAM)
PrivilegedHigh Risk
What is it?

PAM secures, controls, and audits access to critical systems by privileged users (admins, service accounts, DevOps). The majority of major data breaches involve compromised privileged credentials.

Key PAM Capabilities
  • Credential vaulting — auto-store and rotate passwords/SSH keys
  • Session recording — full video + keystroke audit of all privileged sessions
  • Just-in-Time (JIT) access — elevate only when needed, auto-expire after TTL
  • Least privilege enforcement — no standing admin rights for any user
JIT Access Workflow
Request elevated access → Manager approves via ticket → Temp role granted (TTL: 1–4 hours) → Session recorded & monitored by PAM tool → Access auto-revoked after TTL expires → Full audit log sent to SIEM / SOAR
006
Automated Provisioning & SCIM
LifecycleAPI
What is it?

SCIM (System for Cross-domain Identity Management) is an open standard for automating user provisioning and deprovisioning between identity systems and cloud applications via a REST API.

SCIM HTTP Operations
  • POST /Users — Create new account in target SaaS app
  • PATCH /Users/{id} — Update attributes (title, department, manager)
  • DELETE /Users/{id} — Deprovision and suspend the account
End-to-End Provisioning Chain
HR System (Workday) — JML Event → IdP (Okta) → SCIM → Salesforce (auto-created) → SCIM → GitHub Enterprise (team assigned) → SCIM → Slack (channel added) → SCIM → ServiceNow (role granted)
007
OAuth 2.0 & OpenID Connect (OIDC)
ProtocolsAPI Auth
Protocol Comparison
  • SAML 2.0 — XML-based, enterprise/legacy, full browser SSO
  • OAuth 2.0 — Delegated authorization framework, issues access tokens
  • OIDC — OAuth 2.0 + identity layer (ID tokens in JWT format)
OAuth 2.0 Grant Types
Authorization Code + PKCE ← Web & mobile apps (preferred) Client Credentials ← Machine-to-machine (M2M) APIs Device Code Flow ← Smart TVs / CLI tools Refresh Token ← Long-lived session renewal
⚠ Security: Always use PKCE with Authorization Code. Never use the Implicit flow — it exposes tokens in URL fragments and is deprecated.
008
Access Certification & Reviews
GovernanceCompliance
What is it?

Periodic campaigns where managers or data owners certify (approve or revoke) user entitlements. Required for SOX, HIPAA, ISO 27001, and SOC 2 compliance. Typically run through an IGA platform.

Recommended Review Cadence
  • Privileged accounts — Quarterly (high risk, high change rate)
  • Sensitive data access — Semi-annually
  • Standard entitlements — Annually
  • Contractor / vendor accounts — Monthly or on-contract expiry
Certification Workflow
IGA generates entitlement snapshot → Task assigned to certifier (manager) → Certifier: Approve / Revoke / Delegate → Revoked items → auto-deprovisioning → Completion report → compliance dashboard
Day-to-Day

Operational Workflows

Step-by-step runbooks for the most common IAM tasks performed daily.

// WF-01
Onboarding a New Employee
Triggered by HR joiner event. Goal: all accounts ready before Day 1.
01
HR submits request with role, department, start date
02
IdP creates user account (SCIM or manual)
03
Role assigned based on job profile mapping
04
Apps provisioned automatically via SCIM
05
Welcome email: temp password + MFA enrollment link
06
Verify access on Day 1 with new hire
// WF-02
Offboarding / Termination
Critical: complete within 1 hour. Reduces insider threat and data leakage risk.
01
Receive termination notice from HR immediately
02
Disable IdP account — revokes all active sessions
03
Revoke MFA tokens, OAuth refresh tokens
04
Transfer data ownership (mailbox, files, repos)
05
Deprovision all downstream apps via SCIM
06
Document in ticket + write audit log entry
// WF-03
Password / MFA Reset
Most common helpdesk task. Identity verification required before any action.
01
Verify identity — ticket + manager confirm or video call
02
Check for anomaly flags in SIEM before proceeding
03
Initiate reset in IdP admin console
04
Force MFA re-enrollment on next login
05
Notify user via out-of-band channel
06
Log ticket with authorizing party + timestamp
// WF-04
Access Request & Approval
User needs access to a resource outside their current role profile.
01
User submits self-service request via IGA portal
02
Policy engine checks against job profile baseline
03
Route to manager → resource owner for approval
04
Run SoD (Segregation of Duties) conflict check
05
Approved: provision; Denied: notify with reason code
06
Set access expiry date if temporary access
// WF-05
New SaaS App SSO Integration
Connecting a new vendor app to corporate IdP for centralized authentication.
01
Get SAML metadata URL or OIDC config from vendor
02
Create app integration in IdP (Okta / Azure AD)
03
Configure attribute mappings (email, role claims)
04
Assign user groups to the application in IdP
05
Test SSO flow in staging with pilot users
06
Disable native login in app — enforce SSO only
// WF-06
Suspicious Login Response
Alert from SIEM/UEBA or user report. Treat as potential account takeover.
01
Pull login logs — IP, geo, device, time, user agent
02
Check if IP is residential proxy, TOR, or known bad
03
Contact user out-of-band to confirm legitimacy
04
Unrecognized: force password reset + revoke sessions
05
Apply Conditional Access block for IP/country
06
Escalate to SOC if data access occurred
// WF-07
Quarterly Access Review Campaign
Governance task to certify entitlements are still needed. Compliance requirement.
01
Pull entitlement snapshot from IGA tool
02
Launch campaign, assign to managers in IGA
03
Send reminder emails at Day 7 and Day 14
04
Escalate non-responses to skip-level manager
05
Process bulk revocations via IGA automation
06
Export completion report to compliance dashboard
// WF-08
Audit Evidence Package
Preparing IAM evidence for SOC 2, SOX, or ISO 27001 auditors on short notice.
01
Identify in-scope controls for the audit period
02
Export provisioning / deprovisioning event logs
03
Provide access review completion reports + artifacts
04
Screenshot MFA enforcement policies in IdP
05
Document exception handling with approval records
06
Compile into organized evidence folder with index
Competency

IAM Skills Matrix

Technical and operational skills for IAM roles — from analyst to architect level.

SkillCategoryProficiencyNotes
SAML 2.0 / OIDC ConfigurationCore
Critical for SSO integrations
Okta AdministrationTool
Market-leading IdP
Azure AD / Entra IDTool
Essential for Microsoft environments
Role & Permission DesignCore
RBAC / ABAC modeling
SCIM ProvisioningCore
Automates lifecycle events
Active Directory / LDAPTool
On-prem directory backbone
CyberArk / PAM ToolsTool
Privileged access management
Access Certification CampaignsGov
SailPoint, Saviynt
SOX / SOC 2 ControlsGov
Audit evidence prep
Conditional Access PoliciesCore
Zero Trust enforcement
OAuth 2.0 / Token ManagementCore
API & M2M auth flows
PowerShell / Graph API ScriptingOps
IAM automation
SIEM Log AnalysisOps
Splunk, Sentinel, QRadar
Identity Incident ResponseOps
Account takeover playbooks
Ecosystem

IAM Tool Landscape

Major platforms across the IAM ecosystem — organized by capability category.

Identity Providers & SSO
🟦
Okta
IdP · SSO · MFA · SCIM
🔷
Azure Entra ID
Microsoft IdP · SSO
🟥
Ping Identity
Enterprise Federation
🟩
Google Workspace
Cloud IdP · SAML
🟧
Auth0 / CIC
CIAM · Developer IdP
ForgeRock
Enterprise IAM Suite
Privileged Access Management
🛡️
CyberArk
PAM · Vaulting · Sessions
🔐
BeyondTrust
PAM · Remote Access
🔑
HashiCorp Vault
Secrets · Dynamic Creds
🟦
Delinea
PAM · Server Control
Identity Governance & Administration
SailPoint
IGA · Access Reviews
🌊
Saviynt
Cloud IGA · CPAM
🏛️
IBM ISIM
Enterprise IGA
📊
Omada
IGA · Compliance
Reference

Glossary of IAM Terms

Quick-reference definitions for common acronyms and concepts across the IAM discipline.

Identity Provider
IdP

A system that creates, manages, and authenticates digital identities. Issues signed assertions or tokens to relying service providers.

Service Provider
SP

An application that relies on an IdP for authentication. Trusts and validates tokens or assertions issued by the IdP.

Security Assertion Markup Language
SAML 2.0

XML-based open standard for exchanging authentication and authorization data between identity and service providers.

OpenID Connect
OIDC

Identity layer built on top of OAuth 2.0. Provides ID tokens in JWT format for authenticating end users.

JSON Web Token
JWT

Compact, URL-safe token format for transmitting signed claims. Consists of three base64 parts: header.payload.signature.

Just-in-Time Access
JIT

Temporary privilege elevation granted on-demand for a limited TTL, then automatically revoked — eliminating standing privileges.

Privileged Access Management
PAM

Controls for securing, monitoring, and auditing privileged accounts and credentials across critical infrastructure.

Identity Governance & Admin
IGA

Processes and tools for managing user entitlements, running access certifications, and enforcing policy at enterprise scale.

Segregation of Duties
SoD

Policy preventing any single user from holding conflicting access rights that could enable fraud, error, or unauthorized action.

Least Privilege Principle
PoLP

Users and systems should hold the minimum access rights needed to perform their function — no more, no less.

Customer IAM
CIAM

IAM focused on managing external customer identities at scale, with emphasis on UX, privacy consent, and federation.

User & Entity Behavior Analytics
UEBA

ML-driven analytics that detect anomalous behavior patterns indicative of compromise, insider threat, or lateral movement.

Attribute-Based Access Control
ABAC

Access control where decisions are based on user, resource, and environment attributes evaluated dynamically at runtime.

Credential Vaulting

Securely storing and managing privileged credentials with automated rotation and a check-out workflow for access.

Adaptive Authentication

Risk-based authentication that dynamically adjusts challenge requirements based on contextual risk signals.

Entitlement

A specific permission or access right granted to an identity — such as an app role, group membership, or file permission.

Federated Identity

An arrangement that allows a user to use the same authenticated identity across multiple separate security domains.

Deprovisioning

The process of removing or disabling a user's access rights when they no longer require them — triggered by JML events.

Community

Discussion Board

Share ideas, ask questions, and discuss IAM concepts with the community.

0 Posts
0 Reactions
🟢 Live
IAM Community
👤
0 / 600
👍🔐🛡️ 💡🔑⚠️ 🚀 🤔📋🔄
Sort by:
💬
No posts yet
Be the first to start the conversation!
🔍
ESC
🔐
Start typing to search across all IAM content
Use ↑↓ to navigate, Enter to go, Esc to close
CtrlK to open