This chapter covers Cloud Identity and Access Management (IAM) and Identity Architecture, a core topic for CompTIA Security+ SY0-701 objective 3.6 (Security Architecture). You will learn how cloud providers implement identity federation, single sign-on (SSO), and authorization frameworks like SAML, OAuth 2.0, and OpenID Connect. Understanding these concepts is critical because misconfigured IAM is the leading cause of cloud data breaches. The exam tests your ability to compare these protocols, identify attack vectors like token theft, and recommend appropriate defenses.
Jump to a section
Imagine a multinational embassy complex with multiple buildings (cloud services). Each employee gets a smart card that stores their identity, role, and access permissions. The embassy's central security office (IdP) issues and manages these cards. When an employee swipes their card at a building entrance, a reader (SP) checks the card's digital signature against the central office's public key. If valid, the reader grants access based on the role encoded on the card (RBAC). Now, an attacker steals a card and tries to use it. The central office can immediately revoke that card's certificate, adding it to a certificate revocation list (CRL). All readers check the CRL before granting access. This mirrors SAML/OIDC: the IdP issues a signed assertion (card), the SP verifies the signature and checks authorization. Revocation is done via short-lived tokens or token revocation lists. If the embassy used OAuth 2.0, the card would be a valet key that grants limited access to specific rooms for a limited time, without revealing the employee's full identity. The central office can also require multi-factor authentication—like a fingerprint scan—before the card works, analogous to MFA in cloud IAM.
What is Cloud IAM and Identity Architecture?
Cloud IAM is the framework for managing digital identities and controlling access to cloud resources. It addresses the threat of unauthorized access, which can lead to data breaches, privilege escalation, and account takeover. In traditional on-premises environments, identity is often managed via Active Directory (AD) with Kerberos and LDAP. In the cloud, identities span multiple providers (e.g., AWS, Azure, Google Cloud) and must work across organizational boundaries. Identity Architecture defines how these identities are created, stored, authenticated, and authorized.
Core Components
Identity Provider (IdP): The system that stores and manages user identities, authenticates users, and issues tokens. Examples: Azure AD, Okta, AWS IAM.
Service Provider (SP): The application or service that trusts the IdP and grants access based on tokens. Example: Salesforce, Slack, a custom web app.
Token: A digital credential issued by the IdP after successful authentication. It contains claims about the user (e.g., name, email, roles). Common formats: SAML assertions (XML), OAuth 2.0 access tokens (JWT), OpenID Connect ID tokens (JWT).
Federation: A trust relationship between an IdP and one or more SPs. The IdP authenticates the user once (SSO), and the SPs accept the IdP's tokens without re-authentication.
How It Works Mechanically: SAML 2.0 Flow
User requests access to an SP (e.g., a cloud CRM). The SP doesn't know the user, so it redirects the user to the IdP with a SAML authentication request (AuthnRequest).
IdP authenticates the user (e.g., via username/password + MFA). If already authenticated (SSO session), this step is skipped.
IdP generates a SAML assertion — an XML document containing the user's identity (NameID), attributes (e.g., role, department), and conditions (e.g., validity timeframe, audience restriction). The IdP signs the assertion with its private key.
IdP sends the assertion to the user's browser via HTTP POST or redirect. The browser forwards it to the SP.
SP verifies the assertion: checks the signature using the IdP's public key, validates time window and audience, and extracts user attributes.
SP grants access based on the attributes (e.g., role='admin' allows full access).
Key Variants and Standards
SAML 2.0: XML-based, mature, widely used in enterprise SSO (e.g., Microsoft 365, Salesforce). Supports IdP-initiated and SP-initiated flows. Uses HTTP POST, Redirect, or Artifact bindings.
OAuth 2.0: Authorization framework, not authentication. Issues access tokens (usually JWT) to allow a third-party app (client) to access resources on behalf of a user. Four grant types: Authorization Code (most secure), Implicit (deprecated), Resource Owner Password Credentials (not recommended), Client Credentials (for server-to-server).
OpenID Connect (OIDC): Identity layer on top of OAuth 2.0. Adds an ID token (JWT) for authentication. The ID token contains standard claims (sub, name, email, etc.) and is signed by the IdP. OIDC is the modern standard for web and mobile SSO.
SCIM: System for Cross-domain Identity Management. Automates provisioning and de-provisioning of users between IdP and SP (e.g., when a user is terminated, SCIM removes their access).
FIDO2/WebAuthn: Passwordless authentication using public-key cryptography. The private key stays on the user's device; the public key is registered with the IdP. Resists phishing because the origin is bound to the key.
Attack Vectors and Exploits
Token Theft: Attacker steals an access token (e.g., via XSS, man-in-the-middle) and uses it to impersonate the user. OAuth 2.0 tokens are bearer tokens — anyone holding the token can use it. Defense: Use token binding (mTLS), short token lifetimes, refresh token rotation, and encrypt tokens in transit.
SAML Assertion Injection: Attacker modifies a SAML assertion (e.g., changes the NameID or role) if the assertion is not properly signed. Defense: Always validate the signature and use XML encryption for sensitive attributes.
IdP Confusion: In OAuth/OIDC, an attacker tricks the SP into using a malicious IdP. The SP trusts the wrong issuer. Defense: Validate the iss claim against a whitelist of trusted IdPs.
Replay Attack: Attacker captures a valid SAML assertion or OIDC token and replays it. Defense: Use timestamps, nonces, and one-time use tokens.
Phishing via Federation: Attacker sets up a fake IdP that looks legitimate. Users enter credentials, and the attacker obtains a token. Defense: Use MFA, FIDO2, and educate users.
Real Command/Tool Examples
SAML Metadata Exchange: IdPs and SPs exchange metadata XML files containing certificates, endpoints, and entity IDs. Example metadata snippet:
<md:EntityDescriptor entityID="https://idp.example.com">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>OAuth 2.0 Authorization Code Flow (cURL):
# Step 1: Get authorization code (user interaction via browser)
# Redirect user to:
https://idp.example.com/authorize?response_type=code&client_id=myclient&redirect_uri=https://sp.example.com/callback&scope=openid%20profile&state=123
# Step 2: Exchange code for tokens
curl -X POST https://idp.example.com/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code&code=AUTH_CODE&redirect_uri=https://sp.example.com/callback&client_id=myclient&client_secret=mysecret"
# Response includes access_token, id_token, refresh_tokenJWT Token Decoded:
{
"iss": "https://idp.example.com",
"sub": "user123",
"aud": "https://sp.example.com",
"exp": 1700000000,
"iat": 1699996400,
"nonce": "abc123"
}AWS IAM Policy Example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": "us-east-1"
}
}
}
]
}Best Practices for Cloud IAM
Use federation instead of creating local accounts in each cloud service.
Implement the principle of least privilege: grant only the permissions needed.
Use roles (RBAC) rather than individual user permissions.
Enable MFA for all users, especially those with privileged roles.
Monitor and audit IAM events (e.g., AWS CloudTrail, Azure Monitor).
Rotate keys and secrets regularly.
Use conditional access policies (e.g., require device compliance).
Configure IdP and SP Trust
The IdP and SP exchange metadata to establish trust. The IdP provides its entity ID, SSO endpoint, and signing certificate. The SP provides its entity ID, ACS (Assertion Consumer Service) URL, and optionally an encryption certificate. Both parties import the metadata and validate each other's certificates. This step is often done manually or via a metadata URL. A common mistake is using self-signed certificates without proper validation, allowing man-in-the-middle attacks.
User Initiates SSO Login
The user attempts to access the SP (e.g., opens a Salesforce URL). The SP detects no existing session and generates a SAML AuthnRequest or OIDC authentication request. The request includes the SP's entity ID, the desired NameID format, and optionally a relay state (for post-login redirect). The SP redirects the user's browser to the IdP's SSO endpoint.
IdP Authenticates the User
The IdP prompts the user for credentials. If the user has an existing session (e.g., already logged into Office 365), the IdP skips this step. The IdP may enforce MFA, device compliance checks, or conditional access policies. After successful authentication, the IdP creates an authentication context (e.g., password + OTP). The IdP then generates a token (SAML assertion or OIDC ID token) containing the user's identity and attributes.
Token Issuance and Transmission
The IdP signs the token with its private key and optionally encrypts it for the SP. The token is sent to the user's browser via HTTP POST (SAML) or redirect (OIDC). The browser forwards the token to the SP's ACS or redirect URI. For OAuth 2.0, the authorization code is first returned, then exchanged for tokens via a back-channel request from the SP to the IdP, which is more secure.
SP Validates and Processes Token
The SP receives the token and performs validation: checks the signature using the IdP's public key, verifies the token's expiration time, ensures the audience (aud) matches the SP's entity ID, and checks for replay by comparing nonces or timestamps. The SP extracts user attributes (e.g., email, role) and creates a local session. If validation fails, the SP rejects the token and may log an error.
Access Granted and Session Management
The SP grants access based on the user's attributes and RBAC policies. The user can now use the SP without re-authenticating until the session expires. The SP may periodically refresh the token or require re-authentication for sensitive actions. The IdP can revoke tokens by invalidating the session or using a token revocation endpoint. The SP should check revocation status periodically.
Scenario 1: OAuth Token Theft in a Cloud SaaS Application A company uses a third-party project management tool (SP) that integrates with their corporate IdP via OAuth 2.0. An attacker exploits a cross-site scripting (XSS) vulnerability in the tool to steal users' access tokens stored in the browser's local storage. The attacker then uses the tokens to access the tool's API and exfiltrate project data. The SOC analyst sees unusual API calls from IPs not associated with the company, and the IdP logs show token usage from unknown locations. The correct response is to revoke all tokens for affected users, force re-authentication, and implement token binding (e.g., using mTLS) to tie tokens to the client's certificate. A common mistake is to only reset passwords, which does not invalidate existing tokens.
Scenario 2: SAML Assertion Replay Attack An attacker captures a SAML assertion by sniffing unencrypted traffic on a public Wi-Fi network. The assertion is valid for 30 minutes. The attacker replays the assertion to the SP's ACS endpoint, gaining access as the user. The SP logs show two identical authentication requests with the same assertion ID within minutes. The SOC analyst detects this by correlating timestamps and assertion IDs. The correct response is to implement assertion cache validation (reject duplicate assertion IDs), use short assertion lifetimes (e.g., 5 minutes), and enforce HTTPS. A common mistake is to assume that signing the assertion prevents replay; but signing does not prevent replay—it only prevents tampering.
Scenario 3: IdP Confusion in OIDC
A company deploys a custom web application that uses OIDC for SSO. The application is configured to trust any IdP that provides a valid ID token. An attacker registers a malicious IdP and tricks a user into logging in via that IdP (e.g., via a phishing email). The attacker's IdP issues an ID token with the user's email claim set to a privileged user's email. The application trusts the token and grants the attacker elevated privileges. The SOC analyst sees a login from an unrecognized IdP issuer in the logs. The correct response is to whitelist the company's IdP issuer in the application and validate the iss claim. A common mistake is to rely on the email claim alone for authorization without verifying the issuer.
What SY0-701 Tests on Objective 3.6 Objective 3.6 is "Explain the importance of cloud identity and access management (IAM) and identity architecture." The exam focuses on comparing federation protocols, understanding SSO, and identifying security implications of each. Specific sub-objectives include:
Differentiate between SAML, OAuth 2.0, and OpenID Connect.
Understand the role of an IdP and SP.
Recognize common attacks: token theft, replay, IdP confusion, assertion injection.
Know how to mitigate with short token lifetimes, signature validation, audience restriction, and MFA.
Understand SCIM for provisioning.
Common Wrong Answers and Why Candidates Choose Them 1. "OAuth 2.0 is an authentication protocol." — Wrong. OAuth 2.0 is authorization only. Candidates confuse it with OIDC. The exam may ask: "Which protocol provides authentication?" Answer: OpenID Connect. 2. "SAML uses JWTs." — Wrong. SAML uses XML-based assertions. Candidates see JWT in OAuth/OIDC and assume SAML also uses it. 3. "Token encryption prevents replay attacks." — Wrong. Encryption prevents sniffing, but replay attacks reuse the same token. Mitigation is short lifetime and nonce/assertion ID tracking. 4. "SSO eliminates the need for passwords." — Wrong. SSO centralizes authentication but still requires passwords (or MFA) at the IdP.
Specific Terms and Values
- SAML 2.0 uses urn:oasis:names:tc:SAML:2.0:assertion for assertion format.
- OIDC ID token is a JWT with standard claims: iss, sub, aud, exp, iat, nonce.
- OAuth 2.0 authorization code flow uses grant_type=authorization_code.
- SCIM uses REST endpoints (e.g., /Users, /Groups) and standard attributes (e.g., userName, emails).
- Common ports: HTTPS (443) for all flows; no specific ports for protocols themselves.
Trick Questions - "Which protocol is used for exchanging authorization tokens between services?" — Both OAuth 2.0 and SAML can do this, but OAuth 2.0 is specifically designed for delegated authorization. SAML is more for authentication. - "Which protocol supports single sign-out?" — SAML has Single Logout (SLO); OAuth/OIDC have token revocation but not standardized single logout.
Decision Rule for Eliminating Wrong Answers If the question involves a user authenticating once and accessing multiple applications, the answer is likely SAML or OIDC. If the question involves a third-party app accessing resources on behalf of a user, the answer is OAuth 2.0. If the question mentions XML or enterprise SSO, it's SAML. If it mentions JWTs or mobile SSO, it's OIDC.
SAML 2.0 is XML-based; OAuth 2.0 is authorization only; OIDC adds authentication via JWT ID tokens.
Token theft is mitigated by short lifetimes, token binding, and refresh token rotation.
Replay attacks are prevented by using timestamps, nonces, and assertion ID tracking.
IdP confusion is prevented by validating the 'iss' claim against a whitelist of trusted issuers.
SCIM (RFC 7644) automates user provisioning via REST endpoints like /Users and /Groups.
Conditional access policies (e.g., device compliance, location) enhance IAM security.
Always validate token signatures using the IdP's public key; never accept unsigned tokens.
These come up on the exam all the time. Here's how to tell them apart.
SAML 2.0
Uses XML-based assertions, signed and optionally encrypted.
Designed for enterprise SSO, often used with Active Directory.
Supports single logout (SLO) via SOAP or redirect.
Heavier protocol; larger message size due to XML.
Mature, widely adopted in large organizations.
OpenID Connect (OIDC)
Uses JSON-based tokens (JWT) for ID tokens and access tokens.
Designed for modern web and mobile applications, RESTful.
No standardized single logout; uses token revocation instead.
Lighter weight; easier to parse and implement.
Gaining popularity; preferred for cloud-native apps.
Mistake
SAML and OAuth 2.0 are interchangeable for authentication.
Correct
SAML is designed for authentication (SSO). OAuth 2.0 is an authorization framework; it does not authenticate the user. OpenID Connect adds authentication on top of OAuth 2.0.
Mistake
JWTs are inherently secure because they are signed.
Correct
Signing ensures integrity and authenticity, but JWTs are still vulnerable to theft, replay, and algorithm confusion attacks (e.g., changing `alg` from `RS256` to `none`). Proper validation is required.
Mistake
Federated identity means no passwords are ever used.
Correct
Federation centralizes authentication at the IdP. Users still authenticate with passwords (or MFA) at the IdP. The SP never sees the password, but the IdP does.
Mistake
SCIM is used for authentication.
Correct
SCIM is for provisioning and de-provisioning user accounts, not authentication. It automates user lifecycle management between IdP and SP.
Mistake
Once a token is issued, it cannot be revoked until it expires.
Correct
Tokens can be revoked via token revocation endpoints (e.g., OAuth 2.0 Token Revocation RFC 7009) or by invalidating the user's session at the IdP. However, short-lived tokens reduce the impact.
SAML 2.0 is an XML-based authentication protocol used for enterprise SSO. It allows an IdP to assert a user's identity to an SP. OAuth 2.0 is an authorization framework that allows a third-party app to access resources on behalf of a user without sharing credentials. OAuth does not authenticate the user; it issues access tokens. OpenID Connect adds authentication on top of OAuth. For the exam, remember: SAML = authentication (XML), OAuth = authorization (JWT), OIDC = authentication + authorization (JWT).
Token theft can be prevented by using short-lived access tokens (e.g., 15 minutes), refresh token rotation (new refresh token issued each time), token binding (mTLS or OAuth 2.0 Token Binding), and encrypting tokens in transit via TLS. Also, never store tokens in client-side storage vulnerable to XSS; use secure cookies or backend storage. The exam may ask: 'Which mechanism prevents an attacker from using a stolen access token?' Answer: Token binding or short expiration.
An IdP is a trusted system that manages user identities, authenticates users, and issues tokens (SAML assertions, OIDC ID tokens) to service providers. The IdP stores credentials, enforces MFA, and can revoke access. Examples: Azure AD, Okta, AWS IAM. The SP trusts the IdP's tokens. In federation, the IdP is the authoritative source for user identity. The exam may ask: 'Which component issues tokens in a federated identity model?' Answer: IdP.
A replay attack occurs when an attacker captures a valid token (e.g., SAML assertion) and resends it to the SP to gain unauthorized access. Prevention includes using short token lifetimes (e.g., 5 minutes), including a unique nonce or assertion ID that the SP tracks, and using timestamps with a tolerance window. The SP should reject duplicate assertion IDs. For OAuth, using one-time authorization codes and PKCE prevents replay. The exam may ask: 'Which field in a SAML assertion helps prevent replay?' Answer: Assertion ID or NotBefore/NotOnOrAfter.
SCIM (System for Cross-domain Identity Management) is a standard for automating the provisioning and de-provisioning of user accounts between an IdP and SP. For example, when a new employee is added to Azure AD, SCIM automatically creates an account in Salesforce. When an employee leaves, SCIM disables or deletes the account. SCIM uses REST APIs with endpoints like /Users and /Groups. It reduces manual administrative errors and ensures timely access changes. The exam may ask: 'Which protocol is used to automate user lifecycle management?' Answer: SCIM.
An access token (OAuth 2.0) is used to authorize access to a resource (e.g., API calls). It contains scopes and is opaque to the client (often a JWT but can be a reference). An ID token (OIDC) authenticates the user and contains identity claims (sub, name, email). It is always a JWT. The client uses the ID token to know who the user is, and the access token to get resources. The exam may ask: 'Which token contains the user's identity information?' Answer: ID token.
PKCE (Proof Key for Code Exchange) is an extension to OAuth 2.0's authorization code flow designed for public clients (e.g., mobile apps, SPAs). The client creates a cryptographic challenge (code verifier and code challenge) and sends the challenge in the authorization request. When exchanging the code for tokens, the client sends the verifier. The IdP verifies that the verifier matches the challenge. This prevents authorization code interception attacks. The exam may ask: 'Which OAuth flow is recommended for mobile apps?' Answer: Authorization Code with PKCE.
You've just covered Cloud IAM and Identity Architecture — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?