SSO & Identity Management
Core Concepts
SSO (Single Sign-On) — authenticate once, then access many systems without re-entering credentials.
Identity Federation — users access multiple systems across trust boundaries using one identity.
IdP (Identity Provider) — the trusted service that authenticates users and issues tokens/assertions.
SSO Technologies
| Technology | Type | Description |
|---|---|---|
| SAML 2.0 | Protocol | XML-based. Authenticates once, reuses across services. Common in enterprise SSO. |
| OAuth 2.0 | Framework | Authorization — grants limited access without sharing credentials. |
| OpenID Connect | Protocol | Identity layer on top of OAuth 2.0. Adds user info (who you are). |
| Kerberos | Protocol | Network auth via tickets. Used in AD environments for SSO. |
SAML vs OAuth vs OIDC
| | SAML | OAuth 2.0 | OpenID Connect |
|---|---|---|---|
| Purpose | Authentication + Authorization | Authorization only | Authentication |
| Format | XML | JSON (JWT) | JSON (JWT) |
| Common use | Enterprise SSO | API access delegation | Social login |
IAM (Identity & Access Management)
Manages who can access what across an organization.
Access Control Models
| Model | Description | Example |
|---|---|---|
| DAC | Discretionary — owner sets permissions | NTFS permissions |
| RBAC | Role-Based — permissions tied to role/group | AD group memberships |
| ABAC | Attribute-Based — conditions on attributes | Conditional access policies |
| MAC | Mandatory — labels/classifications, system enforced | SELinux, MLS |
| Rule-based | If/then rules applied to all | Firewall ACLs |
PIM (Privileged Identity Management)
Subset of IAM focused on high-privilege accounts: root, admins, service accounts.
What PIM Provides
Real-time visibility → Monitoring all privileged activity
Accountability → Tracking + nonrepudiation of actions
JIT access → Just-in-time privilege — granted only when needed
Ephemeral credentials → TOTP, tokens, keys — expire automatically
Password vaulting → Secure storage + automated rotation of privileged creds
Alert on violations → Real-time detection of policy breaches
Privileged Accounts PIM Covers
- Root / superuser
- Domain / local administrator
- Network, cloud, and system admin accounts
- Service accounts with elevated access
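Added example (not part of the original notes) tying the Access Control Models table to the PIM section: a small policy evaluator where RBAC decides what a role may do, ABAC conditions (MFA, compliant device) gate privileged actions in the style of conditional access, and a PIM-style JIT grant adds a role that expires on its own. The role table, permission names, reference time and the user "alice" are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed RBAC table: role -> permissions (think AD group membership).
ROLE_PERMISSIONS = {
    "helpdesk": {"user:reset_password"},
    "domain_admin": {"user:reset_password", "dc:logon", "gpo:edit"},
}
# Constructed: permission prefixes treated as privileged (PIM scope).
PRIVILEGED_PREFIXES = ("dc:", "gpo:")
# Constructed reference time so the example is deterministic.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

@dataclass
class Subject:
    name: str
    roles: set                       # standing RBAC roles
    attributes: dict                 # ABAC inputs, e.g. mfa, device_compliant
    jit_grants: dict = field(default_factory=dict)  # role -> expiry (PIM JIT)

def grant_jit(subject, role, minutes, now=NOW):
    """PIM just-in-time elevation: the role is active only until expiry."""
    subject.jit_grants[role] = now + timedelta(minutes=minutes)

def effective_roles(subject, now=NOW):
    """Standing roles plus JIT roles whose expiry has not yet passed."""
    active = {r for r, exp in subject.jit_grants.items() if now < exp}
    return subject.roles | active

def is_authorized(subject, permission, now=NOW):
    """RBAC decides what a role may do; ABAC conditions decide under which
    circumstances. Privileged actions also require MFA and a compliant device."""
    perms = set()
    for role in effective_roles(subject, now):
        perms |= ROLE_PERMISSIONS.get(role, set())
    if permission not in perms:
        return False                 # RBAC denies
    if permission.startswith(PRIVILEGED_PREFIXES):
        return bool(subject.attributes.get("mfa")
                    and subject.attributes.get("device_compliant"))
    return True

def demo():
    """One help-desk user: standing access, JIT elevation, expiry, then a
    failed conditional-access check. Returns the five decisions in order."""
    alice = Subject("alice", {"helpdesk"}, {"mfa": True, "device_compliant": True})
    d1 = is_authorized(alice, "user:reset_password")       # standing RBAC allows
    d2 = is_authorized(alice, "gpo:edit")                  # not a domain admin
    grant_jit(alice, "domain_admin", minutes=30)
    d3 = is_authorized(alice, "gpo:edit")                  # elevated via JIT
    d4 = is_authorized(alice, "gpo:edit", NOW + timedelta(minutes=31))  # expired
    alice.attributes["device_compliant"] = False
    d5 = is_authorized(alice, "gpo:edit")                  # JIT active, ABAC denies
    return [d1, d2, d3, d4, d5]
```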
User Lifecycle (Onboarding → Offboarding)
Onboarding
1. Identity proofing → Verify who the person is (ID, docs)
2. Account provisioning → Create account, assign role/group/permissions
3. Device provisioning → Issue device, apply MDM policy
4. Training → Security awareness
Maintenance
Password resets, permission changes, device lock/wipe, activity monitoring
Offboarding / Deprovisioning
1. Disable account immediately
2. Revoke all access tokens and sessions
3. Collect device
4. Back up/reassign data
5. Delete account after retention period
6. Document all steps
Always apply the principle of least privilege — grant only what the role requires.