These are key concepts and terminology related to IAM, explained in plain English. This is an introductory guide to IAM; looking into these concepts more deeply is encouraged.
Vendor Neutral Concepts - General
IAM is often a single general role, but it is sometimes split into 3 specialised subsets (PAM, CIAM, IGA) alongside the general IAM role:
- Identity and Access Management (IAM) – An IAM Analyst does general IAM work by letting certain people have access to certain resources.
- Privileged Access Management (PAM) – A PAM Analyst is focused on managing special high-level user accounts that have more permissions than regular users.
- Customer Identity and Access Management (CIAM) – A CIAM Analyst deals with managing customer accounts for online services.
- Identity Governance and Administration (IGA) – An IGA Analyst focuses on the policies, processes, and procedures that govern and oversee the management of identities within an organization.
- Directory Service – A centralized system that stores, organizes, and manages information about users, devices, and resources within a network (e.g. Active Directory for on-prem identity management, Okta’s Universal Directory for cloud identity management).
- Identity Provider (IdP) – A service that handles user authentication and provides verified identity information (tokens) to applications, enabling features like MFA and SSO (e.g. Entra ID, Okta).
- User Provisioning – The process of granting access to resources.
- Identity Lifecycle Management – Managing user accounts from creation to deletion as employees join (i.e. Joiner process), move within (i.e. Mover process), and leave a company (i.e. Leaver process).
- Workflows – Automated IAM processes (for increased productivity & efficiency).
- Access Certifications – Regular checks to make sure users only have access to what they need for their current job.
- Access Control Models
  - Role-Based Access Control (RBAC) – Giving access based on a user’s job role.
  - Attribute-Based Access Control (ABAC) – Deciding access based on attributes of the user, the resource, or the environment.
- Multi-Factor Authentication (MFA) – Requiring more than one kind of proof of identity: something you know (e.g. a username and password), something you have (e.g. a smartphone authenticator app), something you are (e.g. facial recognition).
- Adaptive MFA – Changing the login requirements based on things like where you’re logging in from or what device you’re using.
- OTP (One-Time Password) – The general concept of generating a temporary password that can only be used once. The two specific implementations of OTP are:
  - HOTP (HMAC-based One-Time Password) – Uses a shared secret key and an incrementing counter to generate unique codes; commonly used in hardware tokens and banking transactions, where the code remains valid until it is used. For example, pressing the button on a hardware token to generate a new code for your bank login.
  - TOTP (Time-based One-Time Password) – Similar to HOTP but uses the current time instead of a counter, so codes automatically expire after a short window (typically 30 seconds); widely used in authenticator apps like Google Authenticator and Microsoft Authenticator. When you open your authenticator app to get a 6-digit code for your Gmail login, that’s TOTP in action.
- Single Sign-On (SSO) – Allowing users to securely log in once and access a portal with access to multiple systems/applications (as opposed to individually logging into each).
- Public key infrastructure (PKI) – A core security framework that IAM systems rely on for secure authentication and encrypted communications. It manages digital certificates that help prove users and devices are legitimate, enabling important IAM features like certificate-based authentication, digital signatures for secure workflows, and encrypted data exchange between identity systems. Common examples include SSL certificates for secure logins and smart card authentication for employees.
- JWT (JSON Web Token) – A compact, self-contained token format commonly used in authentication and authorization. Encoded as JSON, JWTs are used to securely transmit information between parties (often in OAuth and OIDC).
- Security Concepts
  - Zero Trust – A “trust no one, verify everything” approach to security.
  - Least Privilege – Only giving users the minimum access they need to do their job.
  - C.I.A.
    - Confidentiality – Keeping information private.
    - Integrity – Ensuring information hasn’t been tampered with.
    - Availability – Making sure systems are accessible when needed.
  - A.A.A.
    - Authentication – Verifying that users are who they say they are.
    - Authorization – Determining what a user is allowed to do.
    - Accounting – Keeping track of what users do on the system.
Vendor Neutral Concepts - Protocols & Standards
OAuth 2.0 – An authorization framework that allows applications to grant limited access to user resources without exposing credentials. Commonly used to let one app perform certain actions in, or read certain information from, another app on your behalf. Giving Instagram permission to access your camera roll, giving Venmo permission to access your contacts, and giving Spotify permission to post on your behalf on Twitter are all examples of OAuth 2.0 in action.
OpenID Connect (OIDC) – An authentication protocol built on OAuth 2.0 which adds identity verification. Commonly used for social logins like “Sign in with Google”, “Sign in with Facebook”, “Sign in with Apple”, etc. This is SSO for customers/consumers and applicable to any size business.
SAML 2.0 (Security Assertion Markup Language) – An XML-based protocol used for Single Sign-On (SSO), enabling secure exchange of authentication and authorization data between an identity provider and a service provider (e.g. logging into one service using credentials from another). Commonly used to integrate apps seamlessly into an SSO portal. This is SSO for the workforce/employees, primarily in mid- to large-enterprise environments. Note: the end-user dashboard login page of Okta, Entra ID, or any other IdP is not SAML; SAML is the exchange between the IdP and the applications.
SCIM (System for Cross-domain Identity Management) – A protocol for automating the provisioning and management of user identities across systems, streamlining user data synchronization between identity providers and applications. For example, SCIM makes onboarding someone through Okta seamless by automatically creating their user account in connected applications, such as Slack, Google Workspace, or Salesforce, with the appropriate roles and permissions. Similarly, when the user leaves the organization, SCIM ensures their accounts are promptly deactivated across all integrated systems, reducing the risk of orphaned accounts and improving security.
LDAP (Lightweight Directory Access Protocol) – A protocol for accessing and maintaining distributed directory information services over a network, commonly used for managing and authenticating users in directory services like Active Directory.
Kerberos – A secure protocol for authenticating users in a network. It uses tickets to verify identities and is widely used in environments like Active Directory to manage access. It relies on symmetric-key cryptography and a trusted third party, the Key Distribution Center (KDC), which helps prevent replay attacks and provides a secure single sign-on (SSO) experience across networked services.
WS-Federation (WS-Fed or formally Web Services Federation) – A protocol that enables Single Sign-On (SSO) across multiple domains and organizations, allowing users to access different services with one login. It is part of the broader WS-* standards family supported in Windows Server and Active Directory Federation Services (ADFS).
WebAuthn (Web Authentication) – An open authentication standard that enables passwordless authentication using public key cryptography. It allows users to authenticate using biometrics, mobile devices, or FIDO security keys. WebAuthn is the web-facing component of FIDO2 that enables browsers to interact with authenticators.
NTLM (NT LAN Manager) – Microsoft’s challenge-response authentication protocol for Windows networks, providing basic user authentication and session security. It is severely limited by its vulnerability to pass-the-hash attacks, its lack of mutual authentication, and its weak MD4-based password hashing. The flow is simple: the client requests access, the server issues a challenge, the client returns a response computed from its password hash, and the server validates that response to grant or deny access. Largely replaced by Kerberos for Active Directory authentication in modern systems.
XACML (eXtensible Access Control Markup Language) – An authorization standard that defines a declarative, fine-grained, attribute-based access-control policy language, an architecture, and a processing model describing how to evaluate access requests against the rules defined in policies. It provides a way to express and enforce complex access control policies in a standardized way.
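An added example (not from the original guide) that ties the RBAC and ABAC models listed earlier to XACML’s processing model: a small Python policy decision point with Permit/Deny rules and the deny-overrides combining algorithm. The payroll policy, attribute names and rule names are constructed for illustration.

```python
from typing import Callable, Dict, List

Request = Dict[str, Dict[str, object]]  # {"subject": {...}, "resource": {...}, "env": {...}}
Condition = Callable[[Request], bool]


class Rule:
    """One XACML-style rule: an effect (Permit or Deny) that applies when its condition holds."""

    def __init__(self, name: str, effect: str, condition: Condition):
        if effect not in ("Permit", "Deny"):
            raise ValueError("effect must be Permit or Deny")
        self.name, self.effect, self.condition = name, effect, condition

    def evaluate(self, req: Request) -> str:
        return self.effect if self.condition(req) else "NotApplicable"


def deny_overrides(rules: List[Rule], req: Request) -> str:
    """XACML deny-overrides combining algorithm: any Deny wins; else Permit if any rule permits."""
    results = [rule.evaluate(req) for rule in rules]
    if "Deny" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "NotApplicable"


# Constructed policy for reading payroll records, mixing an RBAC rule (role) with ABAC rules (attributes).
PAYROLL_READ_POLICY = [
    Rule("rbac-payroll-admins", "Permit",
         lambda r: "payroll-admin" in r["subject"]["roles"]),
    Rule("abac-own-record", "Permit",
         lambda r: r["subject"]["id"] == r["resource"]["owner"]),
    Rule("abac-offnet-requires-mfa", "Deny",
         lambda r: r["env"]["network"] != "corp" and not r["subject"].get("mfa", False)),
]


def decide(subject: dict, resource: dict, env: dict) -> str:
    """Policy Decision Point entry; the enforcement point treats anything but Permit as a refusal."""
    return deny_overrides(PAYROLL_READ_POLICY, {"subject": subject, "resource": resource, "env": env})
```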
SPML (Service Provisioning Markup Language) – An XML-based framework for managing the provisioning and allocation of identity information and system resources within and between organizations. It standardizes how organizations exchange user, resource, and service provisioning information across different platforms. Considered legacy technology, largely superseded by SCIM.
Active Directory
- Active Directory Domain Services (AD DS)
  - Domain Controller (DC)
    - Handles authentication and authorization requests
    - Manages replication between DCs
  - Organizational Units (OUs)
    - Logical groupings for users, computers, and other resources
    - Supports delegation of administrative control
  - FSMO (Flexible Single Master Operation) Roles
    - Schema Master
    - Domain Naming Master
    - PDC Emulator
    - RID Master
    - Infrastructure Master
  - Global Catalog
    - Provides access to information across the forest
    - Stores a partial replica of every object in the forest
  - Protocols used in AD DS
    - LDAP (Lightweight Directory Access Protocol)
      - Directory service protocol for querying and modifying AD
      - Uses ports 389 (unencrypted LDAP) and 636 (LDAPS, encrypted)
    - Kerberos Authentication
      - Default authentication protocol in AD environments
      - Provides secure, ticket-based authentication
    - NTLM Authentication
      - Older authentication protocol
      - Used as a fallback when Kerberos is unavailable
- Active Directory Users and Computers (ADUC)
  - User Accounts
    - Identity objects used for logging in and accessing resources
    - Controlled by password policies
  - Groups
    - Used to manage permissions and access to resources
    - Security Groups (for access control)
    - Distribution Groups (for email distribution)
    - Group scopes: Domain Local, Global, Universal
  - Computer Accounts
    - Represent devices within AD
    - Used for device authentication within the domain
- Group Policy
  - Group Policy Objects (GPOs)
    - Used to enforce settings on users and computers
    - Apply security policies, software installation, and configuration settings
  - Group Policy Management Console (GPMC)
    - Tool for managing and editing GPOs
  - Inheritance and Filtering
    - GPOs can be inherited or filtered based on OUs and security groups
- Active Directory Federation Services (AD FS)
  - Provides single sign-on (SSO) for web-based applications
  - Uses SAML, OAuth, and OpenID Connect for federated authentication
- Active Directory Certificate Services (AD CS)
  - Issues and manages digital certificates
  - Supports certificate-based authentication and encryption
- Active Directory Rights Management Services (AD RMS)
  - Provides information protection by controlling access to documents and emails
  - Enforces usage restrictions (e.g. read, edit, print) through rights policy templates
- Active Directory Lightweight Directory Services (AD LDS)
  - Provides directory services without the need for a domain controller, ideal for application-specific data storage
  - Supports the LDAP protocol and can run as multiple instances, offering flexibility without the overhead of full AD DS
- PowerShell for Active Directory
  - Common cmdlets: Get-ADUser, Get-ADGroup, New-ADUser
  - Used for querying and managing AD objects via scripts and automation