4.4 Identity & access management
📘CompTIA Security+ (SY0-701)
1. Overview
In modern organizations, users often need to access many systems — such as email, cloud storage, HR platforms, and internal applications.
Instead of creating a separate username and password for every system, Federation and Single Sign-On (SSO) allow users to access multiple systems securely with a single set of credentials.
These technologies are part of Identity and Access Management (IAM) and help improve:
- Security (fewer passwords to phish, reuse or leak, and one place to enforce MFA and revoke access; the trade-off is that the identity provider becomes a high-value target and must be protected accordingly),
- User convenience, and
- Centralized access control.
2. Federation
Definition
Federation is a trust relationship between two or more different organizations (or security domains) that allows users to access each other’s resources without needing a separate account.
In a federated environment:
- Each organization keeps its own user directory.
- They trust each other’s authentication systems.
- A user can log in once in their home organization, and access systems of another organization that is part of the federation.
How It Works
- A federation agreement is established between organizations.
- One organization acts as the Identity Provider (IdP) — the one that verifies the user’s identity.
- Another acts as the Service Provider (SP) — the one that provides the service (like an app or cloud resource).
- The IdP sends authentication data (a token or assertion) to the SP, proving the user’s identity.
This allows the SP to trust the user is legitimate without re-authenticating them.
Benefits
- Centralized authentication between multiple systems or organizations.
- Improved user experience — no need to manage multiple logins.
- Stronger security – trust rests on signed assertions and on certificates exchanged in federation metadata, not on shared passwords.
- Reduced administrative workload — fewer accounts to create and manage.
3. Single Sign-On (SSO)
Definition
Single Sign-On (SSO) allows a user to log in once and gain access to multiple systems or applications without having to log in again.
SSO is often used within an organization or across federated systems.
How It Works
- The user logs in once with a username and password (or multifactor authentication).
- After successful login, an authentication token or session is created.
- That token is used to automatically authenticate the user to other connected systems.
- The user does not need to re-enter credentials again until they log out or the token expires.
Benefits
- Convenience – one login for many services.
- Security – fewer passwords mean lower chances of password fatigue or reuse.
- Centralized management – IT teams can enforce strong authentication in one place.
- Compliance – easier auditing of login events and user activities.
4. Key SSO and Federation Technologies
Now let’s look at the main technologies you must understand for the Security+ exam: LDAP, OAuth, and SAML.
4.1 LDAP (Lightweight Directory Access Protocol)
Definition
LDAP is a protocol used to access and manage directory information services over a network — such as user accounts, groups, and permissions.
It’s often used as part of an organization’s authentication system.
Purpose
LDAP is used to query and authenticate users stored in a directory service, such as:
- Microsoft Active Directory
- OpenLDAP
How It Works
- The client (e.g., a login system) connects to the directory on TCP 389, or 636 for LDAPS, and usually first searches for the entry that matches the login name (such as uid=alice) to learn its distinguished name (DN).
- It then sends a bind request carrying that DN and the password the user typed.
- The server checks the password against the entry and answers with a bind result (success or invalidCredentials). After a successful bind the client can read the user's attributes and group memberships and use them for authorization decisions.
Common Use
LDAP is the back-end directory protocol often used in internal authentication systems and can be part of SSO when integrated with other protocols like Kerberos or SAML.
Security
- Always use LDAPS (LDAP over SSL/TLS, port 636) or StartTLS on port 389 to protect credentials in transit: a simple bind carries the DN and password in cleartext inside the BER-encoded request.
- Reject empty passwords before binding. RFC 4513 allows a bind with a DN and an empty password to succeed as an unauthenticated bind, so an application that forwards an empty password to the directory can mistake that result for a successful login.
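To make the "cleartext in transit" point concrete, here is an added example (not code from the notes or from any LDAP product) that builds a real RFC 4511 simple BindRequest with the standard library's BER rules and then decodes it the way a packet sniffer on port 389 would. The DN, password and message ID are constructed sample values.

```python
def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02), minimal two's-complement encoding."""
    length = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def ldap_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest { version 3, name, simple } } per RFC 4511."""
    bind_request = _tlv(
        0x60,                                    # [APPLICATION 0] constructed = BindRequest
        _ber_int(3)                              # version INTEGER
        + _tlv(0x04, bind_dn.encode("utf-8"))    # name LDAPDN, an OCTET STRING
        + _tlv(0x80, password.encode("utf-8")),  # authentication: simple [0] OCTET STRING
    )
    return _tlv(0x30, _ber_int(message_id) + bind_request)   # LDAPMessage SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(msg: bytes) -> dict:
    """Decode a captured simple bind, i.e. what anyone sniffing port 389 recovers."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, message_id, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, secret, _ = _read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(message_id, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "name": name.decode("utf-8"),
        "simple_auth": auth_tag == 0x80,
        "password": secret.decode("utf-8") if auth_tag == 0x80 else None,
    }


def credentials_exposed(msg: bytes, password: str) -> bool:
    """True if the password appears verbatim in the bytes on the wire (always, for a simple bind)."""
    return password.encode("utf-8") in msg


if __name__ == "__main__":
    # Constructed sample credentials.
    wire = ldap_simple_bind(1, "uid=alice,ou=people,dc=example,dc=com", "s3cret")
    print(wire.hex())
    print(parse_bind_request(wire))
```

Run it and the hex dump shows the DN and password as plain octet strings; nothing in the protocol itself hides them, which is why the TLS layer (LDAPS or StartTLS) is mandatory.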
4.2 OAuth (Open Authorization)
Definition
OAuth is an authorization framework (not authentication) used to allow one application to access another application’s data on behalf of the user.
Purpose
OAuth enables secure access delegation — it allows a user to give a third-party app limited access to their data without sharing their password.
How It Works
- The user (the resource owner) authenticates at the authorization server and consents to the scope the application asked for.
- The authorization server issues an access token to the client application. In the authorization code flow the client first receives a short-lived, single-use code and exchanges it for the token.
- The client presents the access token to the resource server, which validates it and returns only what the granted scope allows.
Example in IT terms:
- A cloud-based HR system uses OAuth to access a user’s company profile data stored in another system, without storing or knowing the user’s password.
Key Components
- Resource Owner: The user.
- Client: The app requesting access.
- Resource Server: The system hosting user data.
- Authorization Server: The system that issues the access tokens.
Security Notes
- OAuth focuses on authorization, not user identity verification.
- Often paired with OpenID Connect (OIDC) for authentication.
- Access tokens are bearer tokens and should be short-lived. The framework treats them as opaque strings; many deployments issue JSON Web Tokens (JWT) so the resource server can validate signature, issuer, audience, scope and expiry locally. Longer-lived refresh tokens, when issued, are presented only to the authorization server to obtain new access tokens.
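The following added example (not from the notes or any OAuth library) plays out the authorization code flow between all four OAuth parties in one process: the client generates a PKCE pair, the authorization server issues a single-use code and then a short-lived JWT access token, and the resource server validates the token before releasing data. The client ID, redirect URI, issuer and audience are assumed values, and the HMAC signing key stands in for the asymmetric key a real authorization server would use. PKCE (RFC 7636) goes beyond what the notes describe; it is included because current guidance applies it to every client.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values. A real authorization server signs with an asymmetric key (RS256/ES256)
# and publishes the public key; a shared HMAC key keeps this example self-contained.
SIGNING_KEY = b"demo-authorization-server-key"
ISSUER = "https://auth.example.com"          # assumed authorization server
API_AUDIENCE = "https://api.example.com"     # assumed resource server


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce_pair() -> tuple:
    """Client-generated PKCE code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = secrets.token_urlsafe(32)
    return verifier, _b64url(hashlib.sha256(verifier.encode()).digest())


def sign_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a compact JWT access token (HS256 for the demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class AuthorizationServer:
    """Issues single-use authorization codes and short-lived access tokens."""

    def __init__(self, clients: dict, now=time.time):
        self.clients = clients      # client_id -> registered redirect_uri
        self.now = now
        self._codes = {}

    def authorize(self, client_id, redirect_uri, scope, code_challenge, user) -> str:
        # Reached after the resource owner has logged in here and consented to `scope`.
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                             "challenge": code_challenge, "sub": user, "expires": self.now() + 60}
        return code

    def token(self, client_id, redirect_uri, code, code_verifier, ttl=300) -> dict:
        grant = self._codes.pop(code, None)                 # single use: a replayed code fails
        if grant is None or grant["expires"] < self.now():
            raise PermissionError("invalid or expired code")
        if (grant["client_id"], grant["redirect_uri"]) != (client_id, redirect_uri):
            raise PermissionError("code was issued to a different client")
        expected = _b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, grant["challenge"]):
            raise PermissionError("PKCE verification failed")
        now = int(self.now())
        claims = {"iss": ISSUER, "aud": API_AUDIENCE, "sub": grant["sub"], "client_id": client_id,
                  "scope": grant["scope"], "iat": now, "exp": now + ttl}
        return {"access_token": sign_jwt(claims), "token_type": "Bearer", "expires_in": ttl}


class ResourceServer:
    """Validates bearer tokens before releasing the resource owner's data."""

    def __init__(self, key: bytes = SIGNING_KEY, now=time.time):
        self.key, self.now = key, now

    def verify(self, token: str) -> dict:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            raise PermissionError("unexpected alg")          # pin the algorithm; never trust the header
        expected = hmac.new(self.key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise PermissionError("bad signature")
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("iss") != ISSUER or claims.get("aud") != API_AUDIENCE:
            raise PermissionError("token not issued for this API")
        if claims["exp"] <= self.now():
            raise PermissionError("token expired")
        return claims

    def read_profile(self, token: str) -> dict:
        claims = self.verify(token)
        if "profile:read" not in claims["scope"].split():
            raise PermissionError("insufficient_scope")
        return {"sub": claims["sub"], "via_client": claims["client_id"]}


def run_flow(auth_server, api, scope="profile:read") -> dict:
    """Client side of the authorization code flow; returns what the API released."""
    verifier, challenge = make_pkce_pair()
    code = auth_server.authorize("hr-app", "https://hr.example.com/cb", scope, challenge, user="alice")
    tokens = auth_server.token("hr-app", "https://hr.example.com/cb", code, verifier)
    return api.read_profile(tokens["access_token"])


if __name__ == "__main__":
    auth = AuthorizationServer({"hr-app": "https://hr.example.com/cb"})
    print(run_flow(auth, ResourceServer()))
```

Note where the password never goes: the HR app (client) sees only a code and a token, and the resource server never sees either the password or the code. The design choices worth copying are the ones that fail closed: a code is popped on first use, the redirect URI is matched against registration, the PKCE verifier is compared in constant time, and the resource server pins the signing algorithm instead of reading it from the token header.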
4.3 SAML (Security Assertion Markup Language)
Definition
SAML is an XML-based open standard used for authentication and authorization between an Identity Provider (IdP) and a Service Provider (SP).
It’s a common standard used for SSO in web-based environments — especially in enterprise and cloud services.
Purpose
SAML allows users to log in once (at the IdP) and access multiple web applications (SPs) without re-entering credentials.
How It Works
- The user tries to access a Service Provider (SP) website.
- The SP redirects the user to the Identity Provider (IdP) for authentication.
- The user authenticates at the IdP.
- The IdP returns a SAML Response carrying a signed assertion (an XML document) for the SP. With the common HTTP POST binding this travels through the user's browser, which posts it to the SP's Assertion Consumer Service (ACS) URL.
- The SP validates the assertion (signature, issuer, audience, validity window, InResponseTo) and then creates its own local session for the user.
Key Terms
- SAML Assertion: The XML message sent from IdP to SP containing authentication and authorization information.
- IdP: The system that authenticates the user.
- SP: The system providing access to the application or service.
Security
- Assertions are digitally signed by the IdP; the SP verifies the signature with the IdP certificate obtained from the IdP's metadata. That signature is what establishes trust, because the assertion passes through the user's browser rather than over a direct IdP-to-SP connection.
- Beyond the signature, the SP checks the Issuer, the Audience (its own entity ID), the NotBefore/NotOnOrAfter window, that InResponseTo matches a request it actually sent, and that the assertion ID has not been seen before (replay).
- HTTPS protects the exchange in transit but is no substitute for the checks above.
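The checks listed above, as an added example that is not part of the notes or of any SAML library: an SP-side validator, written with the standard library, that takes an assertion after its XML signature has been verified and enforces issuer, audience, validity window, InResponseTo/Recipient and replay protection before releasing the NameID and attributes. The entity IDs, ACS URL, request ID and the sample assertion are constructed for the example; the ds:Signature element is omitted because XML-DSig verification needs a dedicated library and must happen before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed identifiers for this SP and its federated IdP (not from the notes).
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
ACS_URL = "https://app.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"

# Constructed sample assertion, as carried inside the IdP's Response after signature verification.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8f1c9e2a" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://app.example.com/saml/acs"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z" SessionIndex="_s1"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>hr</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class AssertionValidator:
    """SP-side checks that must follow XML signature verification of the assertion."""

    def __init__(self, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, idp_entity_id=IDP_ENTITY_ID,
                 now=lambda: datetime.now(timezone.utc), skew=timedelta(seconds=60)):
        self.sp_entity_id, self.acs_url, self.idp_entity_id = sp_entity_id, acs_url, idp_entity_id
        self.now, self.skew = now, skew
        self.seen_ids = set()   # replay cache; a real SP shares it across nodes and expires entries at NotOnOrAfter

    def validate(self, assertion_xml: str, in_response_to: str, signature_verified: bool) -> dict:
        # signature_verified is the outcome of an XML-DSig check against the IdP certificate from
        # metadata (e.g. via xmlsec); none of the checks below mean anything without it.
        if not signature_verified:
            raise PermissionError("assertion signature not verified")
        root = ET.fromstring(assertion_xml)
        if root.tag != "{%s}Assertion" % NS["saml"]:
            raise PermissionError("not a SAML Assertion")
        if root.findtext("saml:Issuer", namespaces=NS) != self.idp_entity_id:
            raise PermissionError("issuer is not our federated IdP")

        now = self.now()
        cond = root.find("saml:Conditions", NS)
        if cond is None:
            raise PermissionError("missing Conditions")
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + self.skew < saml_time(not_before):
            raise PermissionError("assertion not yet valid")
        if not_on_or_after and now - self.skew >= saml_time(not_on_or_after):
            raise PermissionError("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.sp_entity_id not in audiences:
            raise PermissionError("assertion was issued for a different SP")

        scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("InResponseTo") != in_response_to or scd.get("Recipient") != self.acs_url:
            raise PermissionError("SubjectConfirmationData does not match the request we sent")

        assertion_id = root.get("ID")
        if assertion_id in self.seen_ids:
            raise PermissionError("replayed assertion")
        self.seen_ids.add(assertion_id)

        attributes = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
                      for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
        return {"name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attributes}


if __name__ == "__main__":
    validator = AssertionValidator(now=lambda: saml_time("2024-05-01T12:01:00Z"))
    print(validator.validate(SAMPLE_ASSERTION, in_response_to="_req42", signature_verified=True))
```

The audience check is the one most often skipped in home-grown SPs: without it, a valid assertion the IdP issued for some other application in the federation would be accepted here as well. The small clock skew allowance covers IdP/SP clock drift; anything larger than a minute or two is a monitoring problem, not something to absorb in the validator.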
Common Use
SAML is widely used for enterprise web SSO, especially between organizations and cloud services.
5. Comparison Table
| Feature | LDAP | OAuth | SAML |
|---|---|---|---|
| Type | Directory Access Protocol | Authorization Framework | Authentication & Authorization Standard |
| Format | Hierarchical directory (DNs and attributes) | Bearer tokens over HTTPS, JSON responses (tokens often JWT) | XML (Assertions) |
| Purpose | Authenticate users in internal networks | Delegate access between apps | Provide SSO between web services |
| Common Use | Enterprise authentication | Cloud & API authorization | Web-based enterprise SSO |
| Example Use | Accessing Active Directory | Granting app access to data | Logging into multiple cloud apps with one login |
6. Summary
- Federation: A trust relationship between organizations that allows cross-domain authentication.
- Single Sign-On (SSO): One login gives access to multiple applications.
- LDAP: Used to access and manage user directories (internal authentication).
- OAuth: Used for secure delegated authorization (app-to-app access).
- SAML: Used for federated web-based authentication (SSO across domains).
These concepts help ensure secure, efficient, and user-friendly access management — and are crucial for both enterprise IT environments and the Security+ exam.
✅ Exam Tip Summary:
- Federation = trust between domains.
- SSO = one login for multiple systems.
- LDAP = directory authentication (internal).
- OAuth = authorization (tokens).
- SAML = authentication + authorization (SSO for web).
- OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0: it adds a signed ID token that tells the client who authenticated, which OAuth alone does not provide.
