
IAM - Overview

Identity IAM

What is IAM

The core of IAM is the AAA principle: Authentication, Authorization and Accounting. AAA is used for access control, alongside SSO for seamless logins, directory services, and lifecycle management for user provisioning and deprovisioning. Governance ensures compliance, while PAM, password tools and shadow IT detection address advanced risks in hybrid environments.

AAA Framework

AAA verifies user identity (authentication via MFA/passwordless), grants permissions (authorization per role/policy), and logs activities (accounting for audits). It underpins IAM protocols such as RADIUS, LDAP, OpenID and SAML2, which carry out the actual authentication.

  • Authentication: Verifies user identity using credentials like passwords, tokens, biometrics, or certificates to confirm "who you are" before granting access.
  • Authorization: Determines what authenticated users can do or access, based on roles, policies, and permissions, following least privilege principles.
  • Accounting: Logs user activities, including session duration, data usage, and actions taken, for auditing, billing, compliance, and security analysis.

Imagine entering an exclusive nightclub as a real-world example of the AAA framework in action.

  • Authentication: The bouncer at the door checks your ID and matches it to the guest list to verify you're the person you claim to be, preventing imposters from sneaking in.

  • Authorization: Once confirmed, the bouncer decides your access level—VIPs go straight to the upstairs lounge with free drinks, while regular guests stay on the main floor with basic privileges.

  • Accounting: Throughout the night, security logs your entry time, drinks ordered, areas visited, and exit time for billing the club owner, tracking behavior, and ensuring compliance with liquor laws.

An IdP-centred design supports MFA at the IdP for all apps, with session timeouts for security.

Single Sign-On (SSO)

Single Sign-On (SSO) lets users log in once with one set of credentials to access multiple apps or services seamlessly, reducing password fatigue and boosting security through centralized identity management.

Key Components:

  • Identity Provider (IdP): Central service (e.g., Okta, Microsoft Entra ID, or JumpCloud) that authenticates users and issues tokens verifying identity.

  • Service Provider (SP): Apps or sites (e.g., email, Slack, VPN) that trust the IdP and grant access based on its tokens.

  • Tokens: Secure digital passes (e.g., SAML, OAuth, OIDC) shared between IdP and SPs, containing user info like email without exposing passwords.

How It Works

  • User enters credentials at IdP login page.
  • IdP verifies and sends token to browser/SP.
  • SP checks token validity and grants access; subsequent apps reuse the token without re-login.

Protocols in Enterprise Networking

  • SAML/OIDC: XML/JSON tokens for web/enterprise SSO.
  • OAuth: Token-based for APIs (e.g., API access in cloud security).
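To make the "How It Works" steps and the OIDC token format concrete, here is an added example (not code from the original page or from any IdP product) showing the IdP issuing a signed JSON token and the SP validating it before granting access. It assumes a shared HMAC key, an issuer URL and an SP client id, all constructed for the demo; production OIDC IdPs sign with RS256 and publish public keys via JWKS, so only the check list carries over, not the key handling.

```python
import base64, hashlib, hmac, json, time

# Assumptions for this stand-alone example: a shared HMAC key stands in for the
# IdP's signing key, and the issuer URL / client id are made up. Real OIDC IdPs
# use RS256 with a JWKS endpoint; HS256 is used here only to run offline.
IDP_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
EXPECTED_ISSUER = "https://idp.example.com"
SP_CLIENT_ID = "slack-sp"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_token(sub, email, aud, ttl=300, now=None):
    """Step 2: after checking credentials (and MFA), the IdP signs a short-lived token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "sub": sub, "aud": aud,
              "iat": now, "exp": now + ttl, "email": email}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def sp_validate_token(token, now=None):
    """Step 3: the SP checks signature, issuer, audience and expiry before granting access.
    Returns (claims, None) on success or (None, reason) on rejection."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm, never trust the token's choice
        return None, "unexpected alg"
    expected = hmac.new(IDP_SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # verify before reading any claim
        return None, "bad signature"
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != EXPECTED_ISSUER:
        return None, "wrong issuer"
    if claims.get("aud") != SP_CLIENT_ID:
        return None, "token not meant for this SP"
    if now >= claims.get("exp", 0):
        return None, "token expired"
    return claims, None
```

The audience check is what stops a token issued for one SP being replayed at another, and the expiry check is what the page's "session timeouts" rely on.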

Identity Lifecycle Management

Identity Lifecycle Management (ILM) automates the creation, updates, and removal of user identities and access rights throughout their association with an organization, ensuring security and compliance from onboarding to offboarding.

Key Components:

  • Onboarding/Provisioning: Create a digital identity for new hires (e.g., an employee at Kappa Data), assign role-based accounts in JumpCloud/OneLogin, email, VPN, and apps based on least privilege—often automated via HR system integration.
  • Maintenance/Updates: Adjust access during role changes (promotion, team switch), recertify privileges quarterly, prevent privilege creep with audits, and enforce MFA/SSO across tools like Cato Networks or other applications.
  • Offboarding/Deactivation: Immediately revoke all access upon termination/resignation, delete/disable accounts, reclaim devices/licenses, and log for compliance (e.g., GDPR in Europe).

Governance & Administration

Identity Governance and Administration (IGA) is a policy framework and software suite that automates oversight of user identities, access rights, and compliance across hybrid IT environments, building on IAM by adding governance layers like audits and role controls.

Key Components:

  • Role Management: Defines RBAC roles (e.g., "Systems Architect" gets Sophos VPN + Juniper NAC), automates role assignment/mining to cut manual work.
  • Access Certifications/Reviews: Managers periodically attest subordinate access; AI flags risky entitlements like privilege creep.
  • Segregation of Duties (SoD): Blocks conflicting perms (e.g., no user approves + executes payments), with violation reports for compliance.
  • Provisioning/Deprovisioning: Automates user creation in 100+ connectors (LDAP, SAML apps), joins HR events for instant offboarding.
  • Analytics & Reporting: Dashboards track orphan accounts, compliance (GDPR/NIS2), and audit-ready logs for regulators.
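The IGA controls above (role management, SoD, access reviews, orphan-account reporting) and the quarterly recertification mentioned under ILM can all be expressed as checks over a role-to-entitlement model. The following is an added example, not the page's or any IGA product's code; the role names, entitlements, users and dates are constructed sample data.

```python
from datetime import date

# Constructed sample RBAC model: role -> entitlements (names are assumptions).
ROLE_ENTITLEMENTS = {
    "Systems Architect": {"sophos_vpn", "juniper_nac"},
    "AP Clerk": {"create_payment"},
    "AP Approver": {"approve_payment"},
    "Finance Lead": {"create_payment", "approve_payment", "view_ledger"},
}
# SoD rule: no single identity may hold both entitlements of a pair
# (the page's "no user approves + executes payments").
SOD_RULES = [("create_payment", "approve_payment")]

def effective_entitlements(roles):
    """Union of entitlements granted by all of a user's roles."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))

def sod_violations(assignments):
    """assignments: {user: [roles]} -> list of (user, left, right) conflicts.
    Catches both a toxic role combination and a single over-broad role."""
    found = []
    for user, roles in assignments.items():
        ents = effective_entitlements(roles)
        for left, right in SOD_RULES:
            if left in ents and right in ents:
                found.append((user, left, right))
    return found

def orphan_accounts(assignments, hr_active):
    """Accounts that still hold roles but have no active HR record."""
    return sorted(u for u in assignments if u not in hr_active)

def stale_certifications(last_certified, today, max_days=90):
    """Users whose access was last attested more than max_days ago (quarterly review)."""
    return sorted(u for u, d in last_certified.items() if (today - d).days > max_days)
```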

PAM & Password Management

  • PAM secures elevated access rights in IT environments. It controls, monitors, and audits privileged accounts to minimize risks from misuse or breaches. The principle behind PAM is least privilege. It grants users only necessary permissions for specific tasks. It promotes just-in-time access, temporary elevation based on context like time, location, or threat data, and separation of duties to prevent overlap in roles.

  • Regarding Password Management, an enterprise environment needs other tools than Bitwarden, LastPass, Dashlane,… That's why, for example, JumpCloud Password Manager uses a decentralized architecture to store credentials locally on devices while enabling centralized oversight. This approach promotes strong, unique passwords and reduces breach risks from weak or shared credentials. Passwords reside securely on users' devices, avoiding the single-master-password vulnerability common in traditional vaults. Users generate complex credentials easily, stored without relying on a central server for every access.