By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Identity and Access (I&A) is the framework that ensures the right people (or systems) access the right resources at the right time. You use it to secure data, applications, and infrastructure by verifying identities (authentication) and controlling permissions (authorization).
Why use it today?Without I&A, anyone could access sensitive systems—leading to breaches, compliance violations, and operational chaos. Modern businesses rely on I&A to enable remote work, cloud services, and zero-trust security.
Proves who (or what) is trying to access a system.- Methods: - Passwords: Weak alone; pair with multi-factor authentication (MFA). - MFA: Combines two or more factors (e.g., password + SMS code + biometrics). - Tokens: Physical (YubiKey) or software-based (TOTP apps like Google Authenticator). - Biometrics: Fingerprint, facial recognition, or behavioral patterns. - Single Sign-On (SSO): Log in once to access multiple services (e.g., Google Workspace, Okta).
Determines what an authenticated user can do.- Models: - Role-Based Access Control (RBAC): Permissions tied to roles (e.g., "Admin," "Editor"). - Attribute-Based Access Control (ABAC): Permissions based on attributes (e.g., "department=finance AND location=NYC"). - Policy-Based Access Control: Rules like "Allow access only during business hours."
Central systems that manage user identities and authentication.- Examples: Okta, Microsoft Entra ID (formerly Azure AD), Google Identity Platform.- Protocols: SAML, OAuth 2.0, OpenID Connect (OIDC).
Databases storing user identities, groups, and permissions.- Examples: Active Directory (AD), LDAP, Azure AD.- Use case: Sync employee roles across apps (e.g., HR system → Slack → Salesforce).
A security model assuming no user or device is trusted by default.- Principles: - Verify every request (even internal ones). - Enforce least-privilege access. - Monitor continuously.
Simple Diagram:
User → App → IdP (AuthN) → Token → App (AuthZ) → Resource
Goal: Secure a web app with Okta SSO using OAuth 2.0/OIDC.
Create an app:
http://localhost:3000/login/callback
Configure Your App
npm install @okta/okta-auth-js
Add this snippet to your app’s login route: ```javascript const { OktaAuth } = require('@okta/okta-auth-js');
const oktaAuth = new OktaAuth({ issuer: 'https://{yourOktaDomain}/oauth2/default', clientId: '{yourClientId}', redirectUri: 'http://localhost:3000/login/callback', });
app.get('/login', (req, res) => { res.redirect(oktaAuth.authorizeUrl({ scopes: ['openid', 'email'] })); }); ```
Handle the Callback
Add a route to process the IdP’s response: javascript app.get('/login/callback', async (req, res) => { const { tokens } = await oktaAuth.token.parseFromUrl(req); req.session.user = tokens.idToken.claims; res.redirect('/dashboard'); });
javascript app.get('/login/callback', async (req, res) => { const { tokens } = await oktaAuth.token.parseFromUrl(req); req.session.user = tokens.idToken.claims; res.redirect('/dashboard'); });
Protect Routes
Add middleware to check for a valid session: ```javascript function requireAuth(req, res, next) { if (!req.session.user) return res.redirect('/login'); next(); }
app.get('/dashboard', requireAuth, (req, res) => { res.send(Welcome, ${req.session.user.email}!); }); ```
Welcome, ${req.session.user.email}!
Test It
http://localhost:3000/login
Expected Outcome:- Users log in via Okta.- Your app receives a JWT with user claims (e.g., email, name).- Protected routes are inaccessible without authentication.
Fix: Use environment variables or secret managers (e.g., AWS Secrets Manager, HashiCorp Vault).
Over-Permissive Roles
Fix: Follow the principle of least privilege—grant only necessary permissions.
Ignoring Token Expiry
Fix: Implement token refresh (e.g., OAuth 2.0 refresh tokens) or silent re-authentication.
No MFA for Admins
Fix: Enforce MFA for all admin roles (e.g., via IdP policies).
Assuming Internal Traffic Is Safe
What is the primary purpose of an Identity Provider (IdP)?A) To store user passwords securely B) To manage authentication and issue tokens for access C) To encrypt all user data at rest D) To monitor network traffic for threats
Correct Answer: B Explanation: An IdP (e.g., Okta, Auth0) authenticates users and issues tokens (e.g., JWTs) to prove identity to applications.Why the Distractors Are Tempting:- A: IdPs can store passwords, but their core role is authentication.- C: Encryption is handled by other tools (e.g., TLS, disk encryption).- D: Monitoring is a separate function (e.g., SIEM tools like Splunk).
A company grants all employees "Admin" access to a database "just in case." What principle does this violate?A) Defense in depth B) Principle of least privilege C) Separation of duties D) Zero trust
Correct Answer: B Explanation: The principle of least privilege states that users should have only the permissions they need to do their jobs.Why the Distractors Are Tempting:- A: Defense in depth involves multiple layers of security (e.g., firewalls + MFA), but this is about permissions.- C: Separation of duties splits critical tasks (e.g., one person approves payments, another executes), but this is about over-permissioning.- D: Zero trust assumes no trust by default, but this is specifically about permission levels.
Which protocol is commonly used for Single Sign-On (SSO) between an app and an IdP?A) FTP B) SAML C) SMTP D) DNS
Correct Answer: B Explanation: SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between an IdP and a service provider (app).Why the Distractors Are Tempting:- A: FTP is for file transfers, not authentication.- C: SMTP is for email, not SSO.- D: DNS resolves domain names to IPs, unrelated to authentication.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.