
This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
Identity and Access Management Fundamentals
The IAM Fundamentals course teaches how identity systems work in modern enterprises and consumer applications — authentication factors, federation protocols (OAuth 2.0, OIDC, SAML), authorization models (RBAC, ABAC), privileged access management, and identity lifecycle — with practical guidance for designing and operating identity-centric security.
Who Should Take This
IT administrators, software engineers, and security generalists who manage user access in applications or enterprise environments. Assumes basic understanding of users, passwords, and groups. Learners finish able to design SSO with OIDC, choose appropriate authorization models, and reason about privileged access risk.
What's Included in AccelaStudy® AI
Course Outline
1. Authentication (3 topics)
Factors and MFA
- Define the standard authentication factor categories (something you know, have, are, do, where) and identify an example of each.
- Compare TOTP, push-based MFA, SMS, and WebAuthn/passkeys in terms of phishing resistance and usability.
- Apply MFA selection guidance: WebAuthn for high-value accounts, TOTP as a baseline, avoid SMS where possible.
Passwords and Passkeys
- Identify NIST SP 800-63B password guidance: long passphrases, no forced rotation absent compromise, breached-password checks.
- Describe WebAuthn/FIDO2/passkeys at a protocol level: device-bound or synced credentials with public-key authentication and origin binding.
- Apply passkey deployment guidance for a consumer application and identify the migration path from passwords + TOTP.
Authentication Attacks
- Identify credential stuffing, password spraying, MFA bombing, and adversary-in-the-middle (AiTM) phishing as common authentication attacks.
- Analyze an AiTM phishing scenario where TOTP is bypassed via a real-time proxy and explain why phishing-resistant MFA is required.
2. Federation Protocols (4 topics)
OAuth 2.0
- Identify OAuth 2.0 as a delegation protocol (not an authentication protocol) and name the four classic grant types: authorization code, implicit, password, and client credentials.
- Apply Authorization Code with PKCE for browser and mobile clients and explain why implicit and password grants are deprecated.
- Analyze a SaaS integration scenario and select the correct OAuth grant type, scopes, and token storage strategy.
OIDC and JWT
- Define OIDC as the authentication layer on top of OAuth 2.0 and identify the ID token, userinfo endpoint, and standard claims.
- Describe JWT structure (header.payload.signature) and identify the standard registered claims (iss, sub, aud, exp, iat, nbf, jti).
- Apply correct JWT validation: signature, issuer, audience, expiration, and not-before. Identify 'none' algorithm and weak HMAC keys as common pitfalls.
SAML 2.0
- Identify SAML 2.0 as an XML-based federation protocol common in enterprise SSO and identify SP-initiated and IdP-initiated flows.
- Apply SAML assertion validation: signature, issuer, audience, recipient, NotBefore/NotOnOrAfter, and replay protection via assertion ID tracking.
SSO and IdP Design
- Distinguish enterprise SSO (Okta, Entra ID, Ping) from consumer-facing identity (Auth0, Cognito, Firebase Auth).
- Apply IdP selection criteria for a B2B SaaS product offering enterprise SSO via OIDC and SAML to customer IdPs.
3. Authorization Models (3 topics)
RBAC
- Define RBAC and identify role explosion as a common scaling failure when ad-hoc roles accumulate.
- Apply RBAC design with roles aligned to job functions and group-based assignment rather than direct-to-user.
ABAC and Policy as Code
- Define ABAC and identify policy attributes as the core distinction from RBAC: subject, action, resource, environment.
- Identify OPA/Rego, AWS Cedar, and AWS IAM policy language as policy-as-code tools and describe their typical use cases.
- Apply ABAC to a multi-tenant SaaS scenario where access depends on tenant, role, and resource owner.
ReBAC
- Define ReBAC and identify Google Zanzibar and AuthZed as canonical implementations.
- Compare RBAC, ABAC, and ReBAC and identify a scenario (e.g., document sharing with nested groups) where ReBAC's relationship graph is the natural fit.
4. Privileged Access and Lifecycle (3 topics)
Privileged Access Management
- Define PAM and identify just-in-time access, session recording, and password vaulting as core PAM capabilities.
- Apply break-glass procedures with strict logging and post-use review for emergency administrative access.
- Analyze a scenario where a long-lived 'root' or domain-admin account is shared and propose a PAM-aligned remediation.
Identity Lifecycle and Provisioning
- Identify SCIM 2.0 as the standard protocol for cross-domain identity provisioning and describe joiner/mover/leaver flows.
- Apply automated deprovisioning on termination and explain why orphaned accounts are a common audit finding and breach vector.
Access Reviews and Attestation
- Define periodic access review (attestation/recertification) and describe its role in detecting privilege accumulation.
- Apply risk-scored access reviews that focus reviewer attention on high-risk entitlements rather than every entitlement.
5. Tokens, Sessions, and Cloud IAM (3 topics)
Session Management
- Identify common session vulnerabilities: session fixation, predictable session IDs, missing rotation on privilege change, missing logout invalidation.
- Apply secure session cookie attributes: Secure, HttpOnly, SameSite=Lax/Strict, and short idle/absolute timeouts.
Token Theft and Replay
- Identify token theft vectors: XSS exfiltrating browser-stored tokens, malware on endpoints, and AiTM phishing capturing live tokens.
- Apply token-binding mitigations: short access token lifetimes, refresh-token rotation with reuse detection, mTLS-bound tokens for high-value APIs.
Workload and Cloud Identity
- Define workload identity and identify how AWS IAM roles, GCP service accounts, and Azure managed identities replace static credentials for compute workloads.
- Apply least-privilege IAM design with scoped roles, short-lived STS credentials, and identity federation to CI/CD instead of long-lived keys.
- Analyze a leaked long-lived cloud access key scenario and propose the lifecycle-of-credentials remediation grounded in workload identity.
6. Identity Governance and Risk (3 topics)
IGA and Compliance Mapping
- Define Identity Governance and Administration (IGA) and identify SailPoint, Saviynt, and Okta Identity Governance as common platforms.
- Map IAM controls to common compliance frameworks (SOX SoD, HIPAA minimum-necessary, ISO 27001 A.9).
Risk-Based Authentication
- Define risk-based / adaptive authentication and identify common signals: device, location, IP reputation, behavior, time of day.
- Analyze a 'step-up' authentication policy and evaluate when adaptive challenge improves security without harming legitimate-user experience.
Decentralized and Verifiable Credentials
- Identify W3C Verifiable Credentials and DIDs as emerging decentralized identity standards and describe a representative use case (digital driver's license).
7. Customer Identity and B2B/B2C Patterns (6 topics)
Customer Identity (CIAM)
- Distinguish workforce IAM from CIAM (Customer Identity & Access Management) and identify Auth0, Cognito, Firebase Auth, and Stytch as common CIAM platforms.
- Apply CIAM design patterns: progressive profiling, social login, account linking, age-appropriate consent, and GDPR/CCPA-aware data handling.
- Analyze a CIAM scenario where social login is the only auth option and propose adding email-link or passkey as fallback to reduce social-account-loss support burden.
B2B Multi-Tenant Identity
- Identify B2B multi-tenant identity requirements: per-tenant SSO (SAML/OIDC), tenant-scoped roles, just-in-time user provisioning, and SCIM for lifecycle.
- Apply tenant-aware authorization where access decisions depend on (user, tenant, role, resource) — never just (user, role).
Account Recovery and Self-Service
- Identify common account recovery paths and their relative security strength: email-link, KBA (knowledge-based answers, weak), helpdesk verification, hardware-backed recovery.
- Apply recovery-flow design that does not weaken the auth ceiling: if MFA is required, recovery should also require strong verification, not just an email link.
- Analyze a 'SIM-swap recovery' attack chain and evaluate which controls (carrier-level PIN, recovery without SMS, hardware key recovery) reduce the success rate.
Service Account Hygiene
- Define service accounts and identify their typical risk profile: long-lived credentials, ambiguous ownership, accumulated entitlements, missing rotation.
- Apply service-account best practices: prefer workload identity over service accounts, document owner, scope per service, rotate credentials automatically, monitor for anomalous use.
Identity Threat Detection (ITDR)
- Define ITDR (Identity Threat Detection and Response) and identify representative signals: impossible travel, anomalous device, password spraying, MFA fatigue, and OAuth grant abuse.
- Apply ITDR baseline coverage: monitor critical identities (admins, break-glass), integrate signals into the SIEM, and rehearse account-compromise response.
- Analyze the 2022 Okta / Lapsus$ scenario or comparable identity-provider compromise and identify which detective and preventative ITDR controls would have changed the outcome.
OAuth Consent Phishing
- Define OAuth consent phishing (illicit consent grant) and identify it as a third-party app abusing user-granted scopes to access mailbox, files, or APIs.
- Apply tenant-wide OAuth-app governance: app review/allowlisting, scope-based admin consent, and continuous monitoring of granted apps.
- Analyze a granted-app review where 200 third-party apps have user-only mail-read scope and propose a triage approach grounded in app reputation, install count, and scope severity.
Scope
Included Topics
- Authentication factors (something you know/have/are/do/where) and MFA design.
- Password policies, passkeys (WebAuthn/FIDO2), and passwordless authentication.
- OAuth 2.0 grant types, OIDC ID tokens and userinfo, and JWT structure and validation.
- SAML 2.0 SP-initiated and IdP-initiated flows and assertion validation.
- Authorization models: RBAC, ABAC, ReBAC, and policy-as-code (OPA/Rego, Cedar).
- Single sign-on (SSO), federation, identity providers (IdPs), and B2B/B2C scenarios.
- Privileged Access Management (PAM): just-in-time access, session recording, secrets vaulting.
- Identity lifecycle: provisioning (SCIM), joiner-mover-leaver, attestation/recertification.
- Common identity attacks: credential stuffing, phishing, MFA bombing, token theft, session hijacking.
- Cloud IAM concepts (least privilege, service principals, workload identity) at conceptual depth.
Not Covered
- Vendor-specific deep configuration (Azure AD policies, AWS IAM JSON details beyond examples).
- Cryptographic depth on JWT signing algorithms (covered in Cryptography Fundamentals).
- Compliance-specific identity controls (covered in Compliance Training specs).