All domainsIAM Domains

AM & Access

Access Management, SSO, MFA, and modern authentication flows.

  1. Module 01

    Standards, Protocols & Directory Services

    1. 01.01

      Directory Services

      Read article

      The foundation of the IAM protocol stack — what a directory service is, the LDAP data model (DIT, DN, entries, objectClasses, schema), Active Directory's domains and forests, the shift to cloud directories like Entra ID and Okta, hybrid identity sync, and why the directory is the enterprise's crown jewels.

    2. 01.02

      SAML 2.0

      Read article

      How SAML 2.0 federates identity into web apps — the IdP/SP/user roles and trust via metadata XML, SP-initiated vs IdP-initiated flows, the HTTP-Redirect/POST/Artifact bindings, the anatomy of a SAML assertion (Subject, Conditions, AuthnStatement, AttributeStatement), signing and encryption, and when SAML is still the right choice over OAuth/OIDC.

    3. 01.03

      OAuth 2.0

      Read article

      How OAuth 2.0 lets an app act on your behalf without your password — the four roles, access vs refresh tokens, the grant types and when to use each (Authorization Code + PKCE, Client Credentials, Device Code, Refresh Token; the deprecated Implicit and ROPC), scopes and consent, and what OAuth 2.1 changes. Plus the critical point: OAuth authorizes the client, it does not authenticate the user.

    4. 01.04

      OpenID Connect (OIDC)

      Read article

      How OIDC turns OAuth 2.0 into real authentication — the ID token (JWT) vs the access token, standard claims (sub, iss, aud, exp, email…), the discovery (.well-known/openid-configuration) and UserInfo endpoints, JWKS validation, the Authorization Code/Hybrid/Implicit flows, and front-channel, back-channel, and RP-initiated logout.

    5. 01.05

      SCIM 2.0

      Read article

      How SCIM 2.0 standardizes user provisioning between identity providers and apps — the REST resource model (User, Group, EnterpriseUser), the /Users, /Groups, /Bulk and /Schemas endpoints, the CRUD + Search + PATCH operations, how SCIM drives the JML lifecycle and replaces custom scripts, and its real limitations around granular entitlements and dynamic roles.

    6. 01.06

      Tokens & Formats

      Read article

      The building blocks the protocols depend on — JWT structure (header, payload, signature), self-contained vs opaque/reference tokens, JWE for confidential payloads, PASETO as a safer alternative that avoids algorithm confusion, and how to validate a token: signature, expiry, audience, issuer, and revocation.

    7. 01.07

      The Veterans & the Vanguard

      Read article

      The identity protocols beyond the core four — Kerberos tickets still authenticating every Active Directory login, RADIUS behind corporate Wi-Fi and VPNs, the legacy SOAP-based WS-Federation and WS-Trust alive in big ERP estates, and the phishing-resistant FIDO2/WebAuthn/CTAP vanguard.

    8. 01.08

      NIST SP 800-63 — Assurance Levels

      Read article

      How NIST SP 800-63 turns 'how strong should this be?' into three independent dials — IAL (identity proofing), AAL (authenticator strength), and FAL (federation assurance) — each with three levels, and how to combine them to fit a use case's risk (for example, IAL2/AAL2 for banking).

    9. 01.09

      The Frontier

      Read article

      Where identity protocols are heading — securing microservices and workloads with OAuth token exchange (RFC 8693), DPoP (RFC 9449), and SPIFFE in the service mesh; continuous access evaluation via CAEP and the Shared Signals Framework; and putting people back in control of their credentials with verifiable credentials, DIDs, and OpenID for Verifiable Credentials (OID4VCI/OID4VP).

  2. Module 02

    Authentication, Authorization & Access Management

    1. 02.01

      Identification, Authentication, Authorization & Auditing

      Read article

      How every access decision breaks down into three sequential stages — identification, authentication, and authorization — and why audit is a transversal pillar, not a fourth stage. We resolve the '3 vs 4 A's' confusion.

    2. 02.02

      Authentication Factors

      Read article

      The five categories of authentication factors with their specific implementations (passwords, TOTP, push, FIDO2, biometrics, context), the difference between SFA/2FA/MFA, step-up authentication, and risk-based adaptive authentication (RBA).

    3. 02.03

      MFA Implementations

      Read article

      Technical mechanics of the most-used MFA implementations — TOTP, SMS OTP, push, FIDO2/WebAuthn, passkeys, magic links — with their flows, specific vulnerabilities, and fallback patterns. Plus CAPTCHA: why it's not authentication but is a useful complement.

    4. 02.04

      Biometrics

      Read article

      A practitioner's deep dive into biometric authentication: the main modalities, how matching works, the FAR/FRR/EER error metrics and the threshold trade-off, liveness detection and anti-spoofing (PAD), how templates must be stored, the privacy and regulatory constraints (BIPA, GDPR Art. 9), and behavioral biometrics.

    5. 02.05

      Single Sign-On (SSO)

      Read article

      How Single Sign-On lets one authentication unlock many applications: the difference between Web SSO, Enterprise SSO, and Social SSO, the concrete benefits for UX and security posture, the 'breaking the chain' blast-radius risk of a central identity provider, and why Single Logout (SLO) is so hard that it is often quietly ignored.

    6. 02.06

      Session Management

      Read article

      How web sessions are built and defended: cookie attributes (HttpOnly, Secure, SameSite, Domain, Path), server-side session tokens versus JWTs and their trade-offs, sliding versus absolute timeouts, idle timeout and forced re-authentication, how to actually revoke a session, and the controls against CSRF, XSS, and session hijacking.

    7. 02.07

      Zero Trust

      Coming soon