IAM: SSO, MFA, and Identity Governance Guide
Identity and Access Management (IAM) is the discipline of ensuring the right individuals access the right resources at the right times for the right reasons. With the average enterprise managing over 250 SaaS applications and 45,000 user identities according to the 2025 Cisco Duo Trusted Access Report, IAM has become the cornerstone of enterprise security. The CrowdStrike 2025 Global Threat Report identifies credential-based attacks as the primary vector in 63% of breaches. This guide covers single sign-on (SSO), multi-factor authentication (MFA), role-based access control (RBAC), identity governance, and privileged access management (PAM).
Single Sign-On
SSO allows users to authenticate once and access multiple applications without re-entering credentials. It improves user experience and reduces password fatigue while centralizing authentication control.
SAML 2.0
Security Assertion Markup Language (SAML) 2.0 remains the dominant enterprise SSO protocol. In a SAML flow, the Identity Provider (IdP) — Okta, Azure AD, OneLogin, or Keycloak — issues digitally signed XML assertions about user identity and attributes to Service Providers (SPs). SAML’s strengths include mature tooling and broad support across enterprise applications. Its weaknesses: XML complexity, large assertion sizes, and vulnerability to XML signature wrapping attacks if not properly validated. The SAML Raider Burp Suite extension remains a standard tool for penetration testing SAML implementations.
OpenID Connect (OIDC)
OIDC, built on OAuth 2.0, is the modern successor to SAML for web and mobile SSO. Instead of XML assertions, OIDC issues JSON Web Tokens (JWTs) via REST endpoints. The ID Token (a JWT containing user identity claims) and UserInfo endpoint provide identity data. OIDC has largely displaced SAML for new applications: as of 2025, 78% of new SaaS applications support OIDC, compared to 45% supporting SAML. Major IdPs including Auth0, Cognito, and Firebase Authentication use OIDC natively.
Just-in-Time Provisioning
Modern SSO integrates with SCIM (System for Cross-domain Identity Management) to provision user accounts automatically. When a user authenticates via SSO for the first time, the IdP creates their account in the target application with appropriate group memberships. Deprovisioning reverses this on account termination, preventing orphaned accounts.
Multi-Factor Authentication
MFA requires two or more verification factors: something you know (password), something you have (phone, hardware token), and something you are (biometric). Microsoft reports that MFA blocks 99.9% of automated attacks.
MFA Methods Ranked by Security
- FIDO2/WebAuthn: Passwordless authentication using public key cryptography. Each service generates a unique key pair on the user’s device; the private key never leaves the device. Resistant to phishing, man-in-the-middle, and credential stuffing. Google’s 2024 deployment of FIDO2 across 85,000 employees eliminated successful phishing attacks internally.
- TOTP (Time-Based One-Time Password): RFC 6238 — 6-8 digit codes generated from a shared secret and current time. Standard authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) implement TOTP. Vulnerable to real-time phishing where attackers capture both password and TOTP code.
- SMS/Phone OTP: NIST SP 800-63B deprecated SMS OTP as an out-of-band verifier in 2017 due to SIM swapping attacks. The 2024 FCC ruling on SIM swapping liability has reduced but not eliminated this risk.
- Push Notification: IdP-signed push notifications to a mobile app. Users must verify geographic location and device name displayed in the prompt. Vulnerable to MFA fatigue (repeated push spam until the user approves).
Adaptive MFA
Risk-based authentication evaluates context: device posture (managed vs. unmanaged, OS version, antivirus status), geolocation, time of day, network reputation, and user behavior patterns. Low-risk scenarios (corporate network, managed device, working hours) may only require password + device trust. High-risk scenarios (new device, unusual geo, off-hours) trigger step-up authentication with FIDO2 token or biometric verification.
Role-Based Access Control
RBAC assigns permissions to roles, and users to roles. It is simpler and more auditable than individually assigned permissions.
RBAC Design Principles
The NIST RBAC model defines three rule sets: role assignment (users can only exercise permissions through roles), role authorization (subject must be authorized for the role), and permission authorization (subject must be authorized for the permission). When designing roles, use the principle of least privilege: a customer support agent needs read access to customer records but not write access to billing systems. The 2023 Verizon DBIR found that 74% of breaches involved access to privileged accounts.
ABAC vs ReBAC
Attribute-Based Access Control (ABAC) evaluates policies based on user attributes (department, clearance level, location), resource attributes (classification, project), and environmental conditions (time, network). ABAC provides finer-grained control than RBAC at the cost of policy complexity. Relationship-Based Access Control (ReBAC), used by Google Zanzibar and Auth0 FGA, models access through relationships between entities. ReBAC has become the standard architecture for multi-tenant SaaS (e.g., “user X is a member of org Y with role Z on project W”).
Identity Governance
Identity governance ensures that access rights align with business requirements, regulatory mandates, and security policies.
Access Certification
Periodic access reviews require managers to certify that their reports’ access is appropriate for their current roles. Automated certification campaigns, integrated with HR systems (Workday, SuccessFactors), trigger reviews on role changes, promotions, and terminations. SOX, HIPAA, and SOC 2 all require evidence of regular access reviews.
Segregation of Duties (SoD)
SoD prevents any single individual from having conflicting privileges. For example, the same person cannot both create a purchase order and approve payment. IAM platforms enforce SoD rules at provisioning time and flag violations during certification campaigns.
Privileged Access Management
PAM controls and monitors access to critical systems (domain controllers, cloud root accounts, network devices, CI/CD secrets).
Just-in-Time Access
JIT PAM provides time-limited elevation for specific tasks. Instead of permanent admin rights, users request elevation with a business justification, auto-approved based on policies, and automatically revoked after the task. CyberArk, BeyondTrust, and native solutions (AWS IAM Roles Anywhere, Azure PIM, GCP IAM Conditions) implement JIT PAM.
Session Recording
PAM systems can record, monitor, and optionally terminate privileged sessions. Keystroke logging and video recording provide audit trails for forensic analysis. Suspicious command patterns (e.g., rm -rf, mysqldump --all-databases) can trigger session termination.
Identity Threat Detection and Response (ITDR)
ITDR is an emerging discipline that applies incident detection and response principles specifically to identity infrastructure. Gartner included ITDR in its 2025 Security and Risk Management Top Trends, citing the rise of identity-targeted attacks like the 2024 Midnight Blizzard campaign against Microsoft corporate email.
Identity Attack Surface
The identity attack surface includes: Active Directory (Kerberos, NTLM, LDAP), federated identity providers (Azure AD/Entra ID, Okta, Ping), cloud IAM (AWS IAM, GCP IAM), service accounts and secrets, and MFA configurations. Common identity attacks include: Golden Ticket (forged Kerberos TGT), DCSync (replication of AD password hashes), token theft (Azure AD refresh token exfiltration), consent phishing (OAuth application approval), and password spray across federated IdPs.
Detection Strategies
ITDR detection monitors: anomalous authentication patterns (impossible travel, unusual TTPs), privilege escalation events (new admin role grants, sensitive attribute modifications), federation trust modifications (new SAML/OIDC providers added), and service account anomalies (non-human identities authenticating from unexpected IPs). Tools: Microsoft Defender for Identity, CrowdStrike Falcon Identity Protection, Okta Identity Threat Detection, and Semperis Directory Services Protector. Detection rules should trigger on: Kerberos ticket anomalies (RC4 encryption use in modern environments), DCSync detection (replication request from non-domain-controllers), and golden ticket detection (unusual TGT lifetime >10 hours).
Automated Response
ITDR automated responses include: disable compromised user accounts, terminate all active sessions, revoke issued tokens, reset passwords, and force MFA re-registration. Response actions must be coordinated between identity provider, SIEM/SOAR, and endpoint EDR. The 2025 Mandiant M-Trends report found that organizations with automated ITDR response reduced identity breach dwell time from 16 days to 47 minutes.
IAM for Cloud and Multi-Cloud
Cloud IAM extends identity management across AWS, Azure, and GCP — each with distinct models. AWS IAM uses resource-based and identity-based policies; Azure RBAC assigns roles at management group, subscription, and resource group scope; GCP IAM binds roles to principals at project, folder, and organization level. Multi-cloud IAM strategies include: federation via a single IdP (Okta, Azure AD) with SAML/OIDC to each cloud, SCIM provisioning for automated user lifecycle, and cloud-specific privilege escalation paths to monitor (AWS AssumeRole chaining, Azure PIM activation, GCP service account impersonation). Cloud IAM auditing tools — AWS IAM Access Analyzer, Azure AD Identity Protection, and GCP Asset Inventory with IAM analysis — detect privilege escalation paths and over-permissive cross-account trust policies.
FAQ
What is the difference between authentication and authorization? Authentication verifies identity (“who you are”). Authorization determines access (“what you can do”). SSO handles authentication; RBAC/ABAC handles authorization.
Why is SMS OTP considered insecure? SIM swapping attacks let attackers port a victim’s phone number to their SIM, intercepting SMS codes. NIST SP 800-63B deprecated SMS as an out-of-band verifier in 2017.
What is privileged access management? PAM secures, controls, and monitors access to highly sensitive systems and accounts. It implements just-in-time elevation, session recording, and credential rotation.
How often should I run access certifications? Quarterly for critical systems (PAM, finance), semi-annually for standard enterprise access, and event-driven on role changes or security incidents.
What is the strongest MFA available? FIDO2/WebAuthn hardware security keys provide phishing-resistant authentication. Combined with device biometrics, they represent the current gold standard for consumer and enterprise MFA.
For foundational security concepts, see our Security Guide. For OAuth 2.0 implementation details, read OAuth 2.0 and JWT Guide. Learn about Zero Trust Architecture for a no-trust-by-default access model.