Identity & Access Management
Body of Knowledge
| Topic | Description | Relevance | Career Tracks |
|---|---|---|---|
| Identity Lifecycle Management | User provisioning, de-provisioning, joiner-mover-leaver workflows, identity governance, access certification, role management. | Critical | IAM Engineer, Security Engineer, HR Systems |
| Directory Services (LDAP/AD) | LDAP protocol, Active Directory, FreeIPA, schema, OUs, groups, GPOs, LDAP queries, replication, federation. | Critical | IAM Engineer, Systems Administrator, Security Engineer |
| RADIUS/TACACS+ | AAA protocols for network access, RADIUS attributes, VSAs, TACACS+ command authorization, accounting, proxy configurations. | Critical | Network Engineer, Security Engineer, IAM Engineer |
| Single Sign-On (SSO) | Federated identity, session management, SSO protocols, identity provider vs service provider, user experience, security trade-offs. | Critical | IAM Engineer, Security Architect |
| SAML 2.0 | Security Assertion Markup Language, assertions, IdP-initiated vs SP-initiated, metadata exchange, attribute mapping, troubleshooting. | High | IAM Engineer, Security Engineer |
| OAuth 2.0 / OIDC | Authorization framework, grant types (code, implicit, client credentials), OpenID Connect, ID tokens, scopes, token validation. | Critical | IAM Engineer, Backend Developer, Security Engineer |
| Multi-Factor Authentication | MFA factors (knowledge, possession, biometric), TOTP, FIDO2/WebAuthn, push notifications, risk-based authentication, MFA fatigue attacks. | Critical | IAM Engineer, Security Engineer |
| Keycloak | Open-source IAM, realm configuration, client registration, identity federation, user federation, authorization services, themes. | High | IAM Engineer, Platform Engineer, Security Engineer |
| FreeIPA | Integrated identity solution for Linux, LDAP+Kerberos+DNS+CA, HBAC, sudo rules, trust relationships with AD. | Medium | Linux Systems Administrator, IAM Engineer |
| Privileged Access Management (PAM) | Privileged account management, session recording, just-in-time access, password vaulting, break-glass procedures. | High | IAM Engineer, Security Engineer |
| Zero Trust Identity | Continuous verification, identity-aware proxies, BeyondCorp model, device trust, context-aware access, identity as the perimeter. | High | Security Architect, IAM Engineer |
Personal Status
| Topic | Level | Evidence | Active Projects | Gaps |
|---|---|---|---|---|
| Keycloak | Beginner | Initial deployment for SSO evaluation; understand OIDC/SAML concepts, realm configuration, client registration | | No production Keycloak, no custom themes, no federation, no fine-grained authorization |
| FreeIPA | Beginner | Evaluated for Linux identity management; understand LDAP/Kerberos integration concepts; not deployed in production | | No FreeIPA deployment, no trust relationship with Active Directory |