Fatskills
Practice. Master. Repeat.
Study Guide: **Identity and Access: A Practical Guide**
Source: https://www.fatskills.com/comptia-a-exam/chapter/identity-and-access-a-practical-guide

**Identity and Access: A Practical Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~8 min read

Identity and Access: A Practical Guide


What Is This?

Identity and Access (I&A) is the framework that ensures the right people (or systems) access the right resources at the right time. You use it to secure data, applications, and infrastructure by verifying identities (authentication) and controlling permissions (authorization).

Why use it today?
Without I&A, anyone could access sensitive systems—leading to breaches, compliance violations, and operational chaos. Modern businesses rely on I&A to enable remote work, cloud services, and zero-trust security.


Why It Matters

  • Security: Prevents unauthorized access to data, systems, or physical spaces.
  • Compliance: Meets legal requirements (e.g., GDPR, HIPAA, SOC 2) by enforcing access controls.
  • Productivity: Lets employees and customers access tools without constant manual approvals.
  • Scalability: Automates identity management for growing teams and complex IT environments.


Core Concepts


1. Authentication (AuthN)

Proves who (or what) is trying to access a system.
- Methods:
- Passwords: Weak alone; pair with multi-factor authentication (MFA).
- MFA: Combines two or more factors (e.g., password + SMS code + biometrics).
- Tokens: Physical (YubiKey) or software-based (TOTP apps like Google Authenticator).
- Biometrics: Fingerprint, facial recognition, or behavioral patterns.
- Single Sign-On (SSO): Log in once to access multiple services (e.g., Google Workspace, Okta).

2. Authorization (AuthZ)

Determines what an authenticated user can do.
- Models:
- Role-Based Access Control (RBAC): Permissions tied to roles (e.g., "Admin," "Editor").
- Attribute-Based Access Control (ABAC): Permissions based on attributes (e.g., "department=finance AND location=NYC").
- Policy-Based Access Control: Rules like "Allow access only during business hours."

3. Identity Providers (IdP)

Central systems that manage user identities and authentication.
- Examples: Okta, Microsoft Entra ID (formerly Azure AD), Google Identity Platform.
- Protocols: SAML, OAuth 2.0, OpenID Connect (OIDC).

4. Directory Services

Databases storing user identities, groups, and permissions.
- Examples: Active Directory (AD), LDAP, Azure AD.
- Use case: Sync employee roles across apps (e.g., HR system → Slack → Salesforce).

5. Zero Trust

A security model assuming no user or device is trusted by default.
- Principles:
- Verify every request (even internal ones).
- Enforce least-privilege access.
- Monitor continuously.


How It Works (Architecture)

  1. User Requests Access
  2. A user tries to log in to an app (e.g., a cloud dashboard).
  3. Authentication
  4. The app redirects to an IdP (e.g., Okta) for verification.
  5. The IdP checks credentials (password, MFA, etc.).
  6. Authorization
  7. The IdP sends a token (e.g., JWT) to the app, proving the user’s identity and permissions.
  8. Access Granted/Denied
  9. The app validates the token and grants access based on policies.

Simple Diagram:


User → App → IdP (AuthN) → Token → App (AuthZ) → Resource


Hands-On / Getting Started


Prerequisites

  • Basic understanding of HTTP, JSON, and APIs.
  • A free Okta or Auth0 developer account (for IdP setup).
  • A simple web app (e.g., Node.js/Express or Python Flask).

Step-by-Step: Add SSO to a Web App

Goal: Secure a web app with Okta SSO using OAuth 2.0/OIDC.


  1. Set Up Okta
  2. Sign up for Okta Developer.
  3. Create an app:


    • Go to ApplicationsCreate App Integration.
    • Select OIDC - OpenID ConnectWeb Application.
    • Set redirect URIs (e.g., http://localhost:3000/login/callback).
    • Note your Client ID and Client Secret.
  4. Configure Your App

  5. Install the Okta SDK for your language (e.g., npm install @okta/okta-auth-js for Node.js).
  6. Add this snippet to your app’s login route:
    ```javascript
    const { OktaAuth } = require('@okta/okta-auth-js');

    const oktaAuth = new OktaAuth({
    issuer: 'https://{yourOktaDomain}/oauth2/default',
    clientId: '{yourClientId}',
    redirectUri: 'http://localhost:3000/login/callback', });

    app.get('/login', (req, res) => {
    res.redirect(oktaAuth.authorizeUrl({ scopes: ['openid', 'email'] })); }); ```

  7. Handle the Callback

  8. Add a route to process the IdP’s response:
    javascript
    app.get('/login/callback', async (req, res) => {
    const { tokens } = await oktaAuth.token.parseFromUrl(req);
    req.session.user = tokens.idToken.claims;
    res.redirect('/dashboard');
    });

  9. Protect Routes

  10. Add middleware to check for a valid session:
    ```javascript
    function requireAuth(req, res, next) {
    if (!req.session.user) return res.redirect('/login');
    next();
    }

    app.get('/dashboard', requireAuth, (req, res) => {
    res.send(Welcome, ${req.session.user.email}!); }); ```

  11. Test It

  12. Run your app and visit http://localhost:3000/login.
  13. You’ll be redirected to Okta, then back to your app with a session.

Expected Outcome:
- Users log in via Okta.
- Your app receives a JWT with user claims (e.g., email, name).
- Protected routes are inaccessible without authentication.


Common Pitfalls & Mistakes

  1. Storing Secrets in Code
  2. Mistake: Hardcoding API keys or client secrets in source code.
  3. Fix: Use environment variables or secret managers (e.g., AWS Secrets Manager, HashiCorp Vault).

  4. Over-Permissive Roles

  5. Mistake: Granting "Admin" to all users "just in case."
  6. Fix: Follow the principle of least privilege—grant only necessary permissions.

  7. Ignoring Token Expiry

  8. Mistake: Not handling token expiration, causing sudden logouts.
  9. Fix: Implement token refresh (e.g., OAuth 2.0 refresh tokens) or silent re-authentication.

  10. No MFA for Admins

  11. Mistake: Skipping MFA for privileged accounts.
  12. Fix: Enforce MFA for all admin roles (e.g., via IdP policies).

  13. Assuming Internal Traffic Is Safe

  14. Mistake: Trusting internal networks without verification.
  15. Fix: Apply zero-trust principles (e.g., mutual TLS, network segmentation).

Best Practices


Authentication

  • Enforce MFA for all human users, especially admins.
  • Use passwordless auth where possible (e.g., magic links, biometrics).
  • Rotate secrets (e.g., API keys, certificates) regularly.

Authorization

  • Audit permissions quarterly to remove unused access.
  • Use RBAC for simplicity, ABAC for granularity.
  • Log access events (e.g., "User X accessed resource Y at time Z").

Identity Management

  • Centralize identities in an IdP (avoid siloed logins).
  • Sync directories (e.g., AD → Okta → Slack) to avoid orphaned accounts.
  • Automate deprovisioning (e.g., revoke access when an employee leaves).

Zero Trust

  • Verify every request (e.g., check device posture, location, time).
  • Segment networks (e.g., isolate HR systems from engineering).
  • Monitor continuously for anomalies (e.g., impossible travel, unusual access times).


Tools & Frameworks

Tool/Framework Use Case When to Use
Okta Enterprise SSO, MFA, user management Large orgs with many apps
Auth0 Developer-friendly auth for apps Startups, custom apps
Microsoft Entra ID Windows/Office 365 integration Microsoft-centric environments
Keycloak Open-source IdP Self-hosted solutions
AWS IAM Cloud resource permissions AWS environments
HashiCorp Vault Secrets management Secure storage of API keys, certs
Duo Security MFA Adding MFA to existing systems
Ping Identity Hybrid cloud identity Enterprises with on-prem + cloud


Real-World Use Cases


1. Secure Employee Access to Cloud Apps

  • Problem: Employees use 10+ SaaS tools (Slack, Salesforce, GitHub) with separate logins.
  • Solution:
  • Deploy Okta as an IdP.
  • Enforce MFA and SSO for all apps.
  • Automate onboarding/offboarding via HR system sync.
  • Outcome: Reduced password fatigue, faster deprovisioning, fewer breaches.

2. Customer Identity for a SaaS Product

  • Problem: A fintech app needs to verify user identities without storing passwords.
  • Solution:
  • Use Auth0 for social logins (Google, Facebook) + MFA.
  • Integrate with a KYC provider (e.g., Jumio) for identity proofing.
  • Store user data in a secure directory (e.g., AWS Cognito).
  • Outcome: Faster sign-ups, compliance with financial regulations, reduced fraud.

3. Zero-Trust Network for Remote Workers

  • Problem: Remote employees access internal tools (e.g., databases, wikis) from untrusted networks.
  • Solution:
  • Deploy a zero-trust network access (ZTNA) tool (e.g., Cloudflare Access, Zscaler).
  • Require device posture checks (e.g., up-to-date antivirus) before granting access.
  • Enforce mutual TLS for all connections.
  • Outcome: Eliminated VPNs, reduced attack surface, granular access control.


Check Your Understanding (MCQs)


Question 1

What is the primary purpose of an Identity Provider (IdP)?
A) To store user passwords securely B) To manage authentication and issue tokens for access C) To encrypt all user data at rest D) To monitor network traffic for threats

Correct Answer: B Explanation: An IdP (e.g., Okta, Auth0) authenticates users and issues tokens (e.g., JWTs) to prove identity to applications.
Why the Distractors Are Tempting:
- A: IdPs can store passwords, but their core role is authentication.
- C: Encryption is handled by other tools (e.g., TLS, disk encryption).
- D: Monitoring is a separate function (e.g., SIEM tools like Splunk).


Question 2

A company grants all employees "Admin" access to a database "just in case." What principle does this violate?
A) Defense in depth B) Principle of least privilege C) Separation of duties D) Zero trust

Correct Answer: B Explanation: The principle of least privilege states that users should have only the permissions they need to do their jobs.
Why the Distractors Are Tempting:
- A: Defense in depth involves multiple layers of security (e.g., firewalls + MFA), but this is about permissions.
- C: Separation of duties splits critical tasks (e.g., one person approves payments, another executes), but this is about over-permissioning.
- D: Zero trust assumes no trust by default, but this is specifically about permission levels.


Question 3

Which protocol is commonly used for Single Sign-On (SSO) between an app and an IdP?
A) FTP B) SAML C) SMTP D) DNS

Correct Answer: B Explanation: SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between an IdP and a service provider (app).
Why the Distractors Are Tempting:
- A: FTP is for file transfers, not authentication.
- C: SMTP is for email, not SSO.
- D: DNS resolves domain names to IPs, unrelated to authentication.


Learning Path


Beginner (1–2 Weeks)

  • Learn core concepts: AuthN vs. AuthZ, MFA, SSO.
  • Set up a free Okta/Auth0 account and integrate it with a simple app.
  • Read: Okta’s OIDC Guide, Auth0 Docs.

Intermediate (2–4 Weeks)

  • Implement RBAC in an app (e.g., Node.js + Express).
  • Explore zero-trust principles and tools (e.g., Cloudflare Access).
  • Learn about directory services (LDAP, Active Directory).
  • Project: Build a secure API with JWT authentication.

Advanced (4+ Weeks)

  • Design a zero-trust architecture for a hypothetical company.
  • Learn about identity federation (e.g., SAML, OAuth 2.0 flows).
  • Explore advanced topics: biometric auth, passwordless, decentralized identity (e.g., blockchain-based).
  • Contribute to open-source I&A projects (e.g., Keycloak, Dex).


Further Resources


Books

  • Identity and Access Management: Business Performance Through Connected Intelligence – Ertem Osmanoglu
  • Zero Trust Networks – Evan Gilman & Doug Barth

Courses

Docs & Tools

Communities



30-Second Cheat Sheet

  1. AuthN = Who are you? (Passwords, MFA, biometrics).
  2. AuthZ = What can you do? (RBAC, ABAC, policies).
  3. IdP = Central system for authentication (Okta, Auth0, Entra ID).
  4. Zero Trust = Never trust, always verify (device checks, MFA, least privilege).
  5. SSO = One login for many apps (SAML, OIDC).

Related Topics

  1. Cybersecurity Fundamentals – Understand threats I&A mitigates (e.g., phishing, credential stuffing).
  2. Cloud Security – Secure cloud identities (AWS IAM, Azure AD, GCP IAM).
  3. Compliance & Governance – Learn frameworks (GDPR, HIPAA, SOC 2) that mandate I&A controls.


ADVERTISEMENT