Domain 4 of 6 · Chapter 7 of 7

Identity & Access Management Solutions

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • Authentication vs authorization, and the three protocols
  • Federation, identity providers, and single sign-on
  • Multi-factor authentication and factor strength
  • Cloud access security broker (CASB)
  • Secrets management for non-human identities
  • Exam-pattern recognition for IAM solutions

Federation protocols: what each one actually carries

ProtocolPrimary purposeToken / message formatTypical use
SAML 2.0Authentication (SSO assertion)XML assertion, signedEnterprise/workforce SSO to web apps
OAuth 2.0Delegated authorizationAccess token (often JWT), bearerApp acts on a user's API/resource with scoped rights
OpenID Connect (OIDC)Authentication on top of OAuth 2.0ID token (JWT) plus OAuth access tokenModern web/mobile login, consumer and workforce

Decision tree

What is the gap?identity, login, or credentialApp needs access toa user's resource?access / loginSecuring a credential,not a user?machine / SaaSOAuth 2.0delegated authZdelegated accessSAML or OIDCauthN: XML vs JWTauthenticate userFIDO2/WebAuthnphishing-resistant MFAharden vs phishingCASBgovern shadow ITunsanctioned SaaSSecrets managerrotate, never hardcodeAPI key / passwordAlways: federate to the IdP so the cloud app never stores the password

Cheat sheet

  • Authentication proves identity; authorization grants rights
  • OAuth 2.0 authorizes; it does not authenticate
  • OIDC adds authentication on top of OAuth 2.0
  • SAML is the enterprise web SSO assertion (signed XML)
  • Federation keeps the IdP authoritative so the cloud app never holds the password
  • SSO is the user-facing payoff of federation, and concentrates risk on the IdP
  • SCIM handles account lifecycle; SAML/OIDC handle sign-in
  • Real MFA combines factors from different categories
  • FIDO2/WebAuthn is the phishing-resistant factor; SMS OTP is the weakest
  • TOTP beats SMS but is still phishable
  • Step-up and adaptive auth raise assurance only when risk rises
  • A CASB governs cloud services the enterprise does not run
  • Know the four CASB pillars: visibility, compliance, data security, threat protection
  • CASB deployment mode decides coverage: proxy is inline, API mode is out-of-band
  • Reach unmanaged/BYOD devices with a reverse proxy or API mode, not a forward proxy
  • Secrets management protects the credentials applications authenticate with
  • A leaked secret must be rotated, not just deleted from the latest commit
  • Automatic rotation, and dynamic secrets, shrink the window a leak is useful
  • Keys go in a KMS/HSM; secrets go in a secrets manager; certs come from a CA
  • An HSM holds keys when FIPS validation or key custody is required
  • JIT access grants temporary elevated privileges that auto-revoke after the task
  • Zero Standing Privileges creates and deletes permissions per session so no privileged role exists
  • ABAC evaluates attributes to fix RBAC role explosion while staying granular
  • In XACML the PDP decides, the PIP supplies attributes, and combining algorithms resolve conflicts

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-63 Digital Identity Guidelines Whitepaper
  2. NIST SP 800-63B Authentication and Lifecycle Management Whitepaper