AAA and IAM Concepts
Key Takeaways
- AAA separates authentication, authorization, and accounting; do not blend the three in scenario questions.
- IAM controls the full identity lifecycle: provisioning, proofing, access assignment, review, change, and deprovisioning.
- Federation lets one organization trust identity assertions issued by another organization's identity provider.
- SSO improves user experience but raises the value of the identity provider and session controls.
- Accounting requires useful logs, time synchronization, retention, and review.
AAA and IAM Concepts
Identity questions usually test the order of operations. A user first claims an identity, then proves it, then receives access, and later the organization can show what happened.
| Term | What it answers | Example clue |
|---|---|---|
| Identification | Who are you claiming to be? | Username, employee ID, certificate subject |
| Authentication | Can you prove that identity? | Password, FIDO2 key, smart card, biometric |
| Authorization | What are you allowed to do? | Group membership, role assignment, policy decision |
| Accounting | What did you do? | Login record, admin command log, audit trail |
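The order of operations in the table can be made concrete by keeping the four steps as four separate functions. The following is an added example, not code from the original page: the users, roles, policy and action names are constructed, and the in-memory `AUDIT_LOG` stands in for a SIEM. Each step can stop a request on its own, and the accounting record is written whether the request is allowed or denied.

```python
import hashlib
import hmac
import os
import time

# Constructed sample directory. Passwords are stored only as salted PBKDF2 hashes;
# roles are the input to the authorization decision.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def _make_user(password: str, roles: set[str]) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "roles": roles}

USERS = {
    "alice": _make_user("correct horse battery", {"firewall-admin"}),
    "bob": _make_user("bob-only-reads-tickets", {"helpdesk"}),
}

# Authorization policy: action -> roles permitted. Anything not listed is denied.
POLICY = {
    "firewall.rule.change": {"firewall-admin"},
    "ticket.read": {"helpdesk", "firewall-admin"},
}

# Accounting record. In production this goes to a SIEM with synchronized clocks and retention.
AUDIT_LOG: list[dict] = []

def identify(claimed_username: str) -> bool:
    """Identification: is the claimed identity one the directory knows about?"""
    return claimed_username in USERS

def authenticate(username: str, password: str) -> bool:
    """Authentication: does the presented secret prove the claimed identity?"""
    user = USERS[username]
    return hmac.compare_digest(_pbkdf2(password, user["salt"]), user["hash"])

def authorize(username: str, action: str) -> bool:
    """Authorization: is the authenticated identity allowed to perform this action?"""
    return bool(USERS[username]["roles"] & POLICY.get(action, set()))

def account(username: str, action: str, stage: str, outcome: str) -> None:
    """Accounting: record who, what, when and the result, whatever the outcome was."""
    AUDIT_LOG.append({"ts": time.time(), "user": username, "action": action,
                      "stage": stage, "outcome": outcome})

def perform(claimed_username: str, password: str, action: str) -> str:
    """Run the steps in order; a failure at any step denies the request."""
    if not identify(claimed_username):
        account(claimed_username, action, "identification", "denied")
        return "denied:identification"
    if not authenticate(claimed_username, password):
        account(claimed_username, action, "authentication", "denied")
        return "denied:authentication"
    if not authorize(claimed_username, action):
        account(claimed_username, action, "authorization", "denied")
        return "denied:authorization"
    account(claimed_username, action, "authorization", "allowed")
    return "allowed"

def audit_entries_for(username: str) -> list[dict]:
    """Answer the accounting question: what did this user do, and with what result?"""
    return [e for e in AUDIT_LOG if e["user"] == username]
```

Note that `bob` with a correct password and a firewall change request is a pure authorization failure: authentication succeeded, which is exactly the distinction the scenario questions test.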
IAM Lifecycle
| Phase | Security goal | Common control |
|---|---|---|
| Identity proofing | Bind the account to the correct person or workload | HR record, document check, device attestation |
| Provisioning | Create the right account with the right access | Joiner workflow, group assignment, default deny |
| Maintenance | Keep access current as work changes | Mover workflow, access review, recertification |
| Deprovisioning | Remove access when no longer needed | Leaver workflow, account disablement, token revocation |
| Monitoring | Detect abuse or drift | SIEM alerts, UEBA, privileged session recording |
Federation, SSO, and Directory Services
Federation means one domain accepts identity assertions from another. A company might let employees sign in to a cloud SaaS platform using the company identity provider. The SaaS app is not storing the employee password; it trusts a signed assertion or token from the identity provider.
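To see why the SaaS app never needs the employee's password, the following added example (not code from the page) models both sides of a federation exchange. The identity provider checks the password and issues a signed assertion bound to one audience with an expiry; the service provider holds only a verification key and checks signature, audience and validity window. The user, audience name and shared key are constructed; real SAML and OIDC deployments sign with the IdP's private key rather than an HMAC, which is used here only to keep the example self-contained.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed key shared between the IdP and this one service provider.
IDP_SP_KEY = b"constructed-example-key-do-not-reuse"
SP_AUDIENCE = "crm.example.com"   # hypothetical SaaS application

# --- Identity provider side: the only place a password is stored or checked ---
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

_salt = os.urandom(16)
IDP_USERS = {
    "alice": {"salt": _salt, "hash": _pbkdf2("correct horse battery", _salt),
              "groups": ["sales"]},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_assertion(username, password, audience, now=None, ttl=300):
    """Authenticate at the IdP; on success return a signed assertion for one audience."""
    user = IDP_USERS.get(username)
    if user is None or not hmac.compare_digest(_pbkdf2(password, user["salt"]), user["hash"]):
        return None
    now = time.time() if now is None else now
    payload = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl,
               "groups": user["groups"]}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(IDP_SP_KEY, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

# --- Service provider side: no password store, only the verification key ---
def sp_accept_assertion(token, now=None):
    """Return the trusted subject and groups, or None if the assertion must be rejected."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IDP_SP_KEY, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                      # forged or tampered assertion
    payload = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if payload.get("aud") != SP_AUDIENCE:
        return None                      # issued for a different service provider
    if not (payload["iat"] <= now < payload["exp"]):
        return None                      # outside the validity window (replay or clock skew)
    return {"subject": payload["sub"], "groups": payload["groups"]}
```

The audience check matters as much as the signature: an assertion issued for another application is validly signed but must still be refused, and the short validity window limits how long a stolen assertion is useful.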
| Concept | Exam-useful description | Watch for |
|---|---|---|
| Directory service | Central store for users, groups, devices, and attributes | LDAP, Active Directory, identity directory |
| SSO | One authentication event allows access to multiple services | Convenience plus higher impact if the session is stolen |
| Federation | Trust relationship across organizations or security domains | IdP, service provider, SAML, OIDC |
| Provisioning | Creating and updating accounts and entitlements | SCIM, HR-driven joiner/mover/leaver flow |
| Deprovisioning | Removing access quickly and completely | Disable account, revoke tokens, remove groups |
Trap Callout: SSO Does Not Mean Same Password Everywhere
SSO should reduce password sprawl. If every app has the same password manually configured, that is password reuse, not true SSO. In true SSO, applications rely on the identity provider and receive a token, assertion, or session result.
Scenario Walkthrough
A sales employee transfers to finance. The old CRM role remains active, the new finance role is added, and no one reviews the combined access. The weakness is not authentication; the user may still log in correctly. The problem is authorization drift. The best response is a mover workflow with access review, removal of the old role, least privilege, and logging.
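The lifecycle table above and this scenario can be shown together in code. The following is an added example, not code from the page: a constructed role catalog that records which department owns each role, a joiner, mover and leaver workflow, and an access review that reports authorization drift. `mover_without_review` reproduces the failure in the scenario (new role added, old role kept); `mover` is the corrected workflow, and `access_review` is the recertification step that would have caught the drift. All usernames, roles and departments are constructed.

```python
import time
from dataclasses import dataclass, field

# Constructed role catalog: each role is owned by one department; "all" marks baseline
# entitlements every employee keeps across department moves.
ROLE_CATALOG = {
    "crm-sales": "sales",
    "finance-ledger": "finance",
    "finance-reporting": "finance",
    "email": "all",
}

@dataclass
class Account:
    username: str
    department: str
    roles: set = field(default_factory=set)
    enabled: bool = True
    sessions: set = field(default_factory=set)   # active SSO sessions / refresh tokens
    history: list = field(default_factory=list)  # accounting trail for lifecycle changes

DIRECTORY: dict[str, Account] = {}

def _record(acct, actor, event, detail):
    acct.history.append({"ts": time.time(), "actor": actor, "event": event, "detail": detail})

def joiner(username, department, roles, actor):
    """Provisioning: create the account with only the roles the workflow grants (default deny)."""
    unknown = set(roles) - ROLE_CATALOG.keys()
    if unknown:
        raise ValueError(f"roles not in catalog: {sorted(unknown)}")
    acct = Account(username, department, set(roles))
    DIRECTORY[username] = acct
    _record(acct, actor, "joiner", sorted(roles))
    return acct

def mover_without_review(username, new_department, new_roles, actor):
    """The failure in the scenario: the new role is added but the old department role stays."""
    acct = DIRECTORY[username]
    acct.department = new_department
    acct.roles |= set(new_roles)
    _record(acct, actor, "mover-no-review", sorted(new_roles))
    return acct

def mover(username, new_department, new_roles, actor):
    """Mover workflow: drop roles owned by the old department, add the new ones, keep baseline."""
    acct = DIRECTORY[username]
    removed = {r for r in acct.roles if ROLE_CATALOG[r] not in ("all", new_department)}
    acct.roles = (acct.roles - removed) | set(new_roles)
    acct.department = new_department
    acct.sessions.clear()   # force re-authentication so cached entitlements are refreshed
    _record(acct, actor, "mover", {"removed": sorted(removed), "added": sorted(new_roles)})
    return acct

def leaver(username, actor):
    """Deprovisioning: disable, revoke sessions, strip entitlements; keep the record for audit."""
    acct = DIRECTORY[username]
    acct.enabled = False
    acct.sessions.clear()
    acct.roles.clear()
    _record(acct, actor, "leaver", "disabled, sessions revoked, roles removed")
    return acct

def access_review():
    """Recertification: list (user, role) pairs where the role belongs to another department."""
    findings = []
    for acct in DIRECTORY.values():
        for role in sorted(acct.roles):
            if ROLE_CATALOG[role] not in ("all", acct.department):
                findings.append((acct.username, role))
    return findings
```

Running the scenario through `mover_without_review` leaves the account in a state where authentication still works perfectly, and only `access_review` exposes the leftover sales role; every lifecycle change also lands in the account's history, which is the accounting half of the answer.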
Quick Drill
| Scenario | Best answer |
|---|---|
| Need proof that an admin changed a firewall rule | Accounting |
| Need one login for many cloud apps | SSO through an identity provider |
| Need a SaaS app to trust corporate login | Federation |
| Need automatic account removal after termination | Deprovisioning |
| Need to prevent old permissions after a job transfer | Recertification or mover workflow |
A terminated contractor can still access a project management SaaS app because the account was never disabled. Which IAM lifecycle control failed?
A user signs in to the corporate identity provider and then accesses several cloud applications without separate passwords for each app. Which concept is most directly shown?
Which items are part of accounting in AAA? Choose two.