IAM Concepts - Interview preparation guide
What is IAM (Identity and Access Management)?
IAM is a framework of policies, processes, and technologies used to manage digital identities and control access to resources. It ensures the right users have the right access to the right resources at the right time.
What are the core components of IAM?
- Authentication – Verifying identity (e.g., password, OTP).
- Authorization – Granting access to resources based on identity.
- User Management – Creating, modifying, and deleting identities.
- Access Control – Mechanisms like RBAC, ABAC, or PBAC.
- Audit & Logging – Tracking user actions for compliance and monitoring.
What is the difference between Authentication and Authorization?
- Authentication: Confirms who you are (e.g., login).
- Authorization: Determines what you can access (e.g., read/write privileges).
Explain Role-Based Access Control (RBAC).
RBAC assigns permissions to roles, and users are assigned roles. For example, a “Manager” role may have access to employee records.
How is RBAC different from ABAC (Attribute-Based Access Control)?
- RBAC: Access is based on predefined roles.
- ABAC: Access is based on attributes such as user role, resource type, location, time, etc., allowing more dynamic and context-aware access control.
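The RBAC/ABAC contrast above as an added example in Python (not code from the original guide). RBAC answers "does one of your roles hold this permission?" with no regard to context; the ABAC rules take ownership, network and time of day into account. All names, roles and rules are constructed for the illustration.

```python
# Constructed sample data. RBAC: permissions hang off roles, and a user holds the
# union of whatever their roles grant, regardless of context.
ROLE_PERMISSIONS = {
    "manager": {"employee_records:read", "employee_records:write"},
    "employee": set(),
}

def rbac_allows(user: dict, action: str) -> bool:
    """Allow if any of the user's roles carries the requested permission."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user["roles"])

# ABAC: each rule is a predicate over subject, resource, action and environment
# attributes, so the decision can depend on ownership, network or time of day.
ABAC_RULES = [
    # Managers may read or write any record, but only from the corporate
    # network during business hours.
    lambda s, r, a, e: a in ("employee_records:read", "employee_records:write")
    and "manager" in s["roles"] and e["network"] == "corp" and 8 <= e["hour"] < 18,
    # Anyone may read their own record, at any time, from anywhere.
    lambda s, r, a, e: a == "employee_records:read" and r["owner"] == s["id"],
]

def abac_allows(subject: dict, resource: dict, action: str, env: dict) -> bool:
    """Deny by default; allow only when at least one rule evaluates true."""
    return any(rule(subject, resource, action, env) for rule in ABAC_RULES)

if __name__ == "__main__":
    manager, record = {"id": "u1", "roles": ["manager"]}, {"owner": "u2"}
    print(rbac_allows(manager, "employee_records:read"))            # context-free: True
    print(abac_allows(manager, record, "employee_records:read",
                      {"network": "corp", "hour": 10}))             # True
    print(abac_allows(manager, record, "employee_records:read",
                      {"network": "home", "hour": 22}))             # False
```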
What is the Principle of Least Privilege (PoLP)?
PoLP means users should be granted the minimum access necessary to perform their duties, reducing the risk of misuse or attack.
What is SSO (Single Sign-On)?
SSO allows users to authenticate once and gain access to multiple applications or systems without re-entering credentials. It improves user experience and security.
What is MFA (Multi-Factor Authentication)?
MFA adds an extra layer of security by requiring two or more verification factors (e.g., password + OTP or biometric).
What is Federation in IAM?
Federation enables authentication across different identity providers or domains. For example, logging into a third-party app using Google or Facebook credentials.
What protocols are commonly used in IAM?
- LDAP – Directory access.
- SAML – Federated identity, especially in enterprise SSO.
- OAuth 2.0 – Delegated authorization.
- OpenID Connect – Identity layer built on OAuth 2.0.
- Kerberos – Network authentication protocol.
What is LDAP and how is it used in IAM?
LDAP (Lightweight Directory Access Protocol) is used to access and manage directory services over IP networks. It’s commonly used in:
- Centralized authentication (e.g., AD/LDAP directory),
- Storing user attributes and credentials,
- Access control (via user groups and policies).
What’s the difference between LDAP and Active Directory?
LDAP is a protocol, while Active Directory is Microsoft’s directory service implementation that uses LDAP, Kerberos, and other protocols.
What are the security concerns in using LDAP?
- Data in plaintext if not secured (use LDAPS),
- Weak bind credentials,
- Unauthorized enumeration or modification if misconfigured.
Mitigation:
- Always use LDAPS (LDAP over SSL/TLS),
- Enforce strong ACLs,
- Disable anonymous binds.
What is SAML and how does it work?
SAML (Security Assertion Markup Language) is an XML-based protocol used for federated identity. It allows an Identity Provider (IdP) to authenticate users and pass identity assertions to a Service Provider (SP).
What are the components of SAML?
- IdP (Identity Provider)
- SP (Service Provider)
- Assertions (authentication, attribute, and authorization decision statements)
- Bindings (HTTP POST, HTTP Redirect)
- Metadata (configuration of IdP/SP)
What are some SAML security risks and mitigations?
Risks:
- Signature wrapping attacks
- Replay attacks
- XML External Entity (XXE) attacks
Mitigations:
- Enforce strict XML validation,
- Use signed and encrypted assertions,
- Implement short token lifetimes and timestamps.
What is OAuth 2.0 and how is it different from SAML?
OAuth 2.0 is a protocol for delegated authorization, not authentication. It allows a user to grant limited access to their resources (e.g., profile, files) without sharing credentials.
Difference:
- SAML is mainly used for authentication in enterprise SSO.
- OAuth 2.0 is used for authorization, especially in web/mobile APIs.
Describe the OAuth 2.0 flows.
- Authorization Code Flow – Most secure; used by server-side apps.
- Client Credentials Flow – Used by backend services (no user context).
- Resource Owner Password Flow – Deprecated; the user provides credentials directly to the client.
- Implicit Flow – Deprecated; formerly used in SPAs.
- Device Authorization Flow – Used for devices with no browser (TVs, IoT).
What are scopes in OAuth 2.0?
Scopes define what access is being requested. E.g., scope=read:user allows only reading user data.
What are the security best practices for OAuth 2.0?
- Use PKCE with public clients (mobile, SPAs).
- Use Authorization Code Flow instead of Implicit.
- Store tokens securely and use HTTPS.
- Validate the state parameter on the redirect, and the aud and iss claims in tokens.
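The PKCE and state checks from the list above, as an added Python example (not code from the original guide): the client derives an S256 code_challenge from a random code_verifier, the authorization server recomputes and compares it at the token endpoint, and the client drops any redirect whose state differs from the value it stored. Function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import secrets

def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes -> 43 unreserved characters."""
    return _b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Authorization-server side, run at the token endpoint before the code is
    exchanged. Only S256 is accepted; the weaker 'plain' method is refused."""
    if method != "S256" or not (43 <= len(verifier) <= 128):
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), challenge)

def verify_state(stored_state: str, returned_state: str) -> bool:
    """Client side: the state saved before the redirect must equal the one that
    came back; otherwise the response is discarded (CSRF / code-injection guard)."""
    return bool(stored_state) and hmac.compare_digest(stored_state, returned_state)

if __name__ == "__main__":
    verifier = make_code_verifier()              # kept secret by the client
    challenge = code_challenge_s256(verifier)    # sent in the authorization request
    state = _b64url(secrets.token_bytes(16))     # also sent, and stored in the session
    # Later: the token request carries the verifier, the AS recomputes the challenge.
    print(verify_pkce(verifier, challenge), verify_state(state, state))
```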
What is OpenID Connect (OIDC)? How is it different from OAuth 2.0?
OIDC is an identity layer on top of OAuth 2.0. It provides authentication (who the user is) using an ID token (usually JWT).
OAuth 2.0 = Authorization
OIDC = Authorization + Authentication
What is an ID Token in OIDC?
ID Token is a signed JWT that contains claims about the authenticated user (e.g., sub, name, email). It’s issued by the Authorization Server after user login.
What is the difference between Access Token and ID Token?
- Access Token: Used to access APIs (authorization).
- ID Token: Used to identify the user (authentication).
What are common OIDC security vulnerabilities?
- ID Token replay
- Misconfigured token validation
- Mixing up authentication and authorization
Mitigation:
- Validate all claims (iss, aud, exp)
- Use HTTPS and short lifetimes
- Don’t use access tokens to assert identity
What is Kerberos and how does it work?
Kerberos is a network authentication protocol using tickets and symmetric key cryptography. It authenticates clients and services in a trusted network.
Process:
- The client authenticates to the KDC (Key Distribution Center).
- It receives a TGT (Ticket Granting Ticket).
- It requests access to a service and receives a service ticket.
- It presents the service ticket to the service.
🔹 16. What are Kerberos vulnerabilities and limitations? Answer:
- Replay attacks if timestamps are not checked
- Golden Ticket attacks (if the KDC is compromised)
- Time synchronization is critical
- Limited to trusted intranets (not ideal for web apps)
🔹 17. When would you use SAML vs OIDC? Answer:
- Use SAML for legacy or enterprise SSO (e.g., between a corporate IdP and an internal web app).
- Use OIDC for modern web/mobile applications that need authentication on top of OAuth 2.0.
🔹 18. How does WSO2 Identity Server support these protocols? Answer: WSO2 IS supports:
- SAML 2.0 for SSO,
- OAuth 2.0 and OIDC for API security,
- LDAP and SCIM for provisioning and directory integration,
- Custom policies and workflows for federated IdP integration.
How do you secure IAM systems?
- Use MFA.
- Monitor login attempts and failed authentications.
- Apply least privilege.
- Rotate credentials and access keys.
- Enable audit logging.
- Review permissions regularly.
What is an IAM policy?
IAM policies (for example, AWS IAM policies) are JSON documents that define which actions are allowed or denied on which resources, for which principals, and under what conditions.
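An added Python example (not code from the original guide, and not a cloud provider's own engine) of how such a policy document is evaluated: default deny, wildcard matching on action and resource, a Condition block, and an explicit Deny that overrides any Allow. It also flags statements that grant a bare `*`, the over-permissive pattern warned about later in this guide. The policy, ARNs and helper names are constructed for the illustration.

```python
import fnmatch

# Constructed sample policy in the AWS JSON shape (not from any real account):
# read reports, write them only with MFA present, never touch the HR sub-tree.
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::reports/*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::reports/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::reports/hr/*"},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _conditions_hold(cond: dict, ctx: dict) -> bool:
    """Only Bool and StringEquals are implemented here; anything else fails closed."""
    for op, pairs in cond.items():
        if op not in ("Bool", "StringEquals"):
            return False
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":
                have, want = str(have).lower(), str(want).lower()
            if have != want:
                return False
    return True

def _matches(stmt: dict, action: str, resource: str) -> bool:
    """Wildcards '*' and '?' may appear anywhere in the action or ARN pattern."""
    return any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
        any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))

def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Default deny; an explicit Deny wins over any Allow (IAM's evaluation order)."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt, action, resource):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def overbroad_statements(policy: dict) -> list:
    """Least-privilege lint: Allow statements that grant a bare '*' action or resource."""
    return [s for s in policy["Statement"] if s["Effect"] == "Allow"
            and ("*" in _as_list(s["Action"]) or "*" in _as_list(s["Resource"]))]
```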
What is just-in-time (JIT) access provisioning?
JIT grants access to users only when needed and for a limited time, reducing attack surfaces and privilege abuse.
What is Identity Lifecycle Management?
Managing identities from creation (onboarding) through changes (role updates) to revocation (offboarding), so that access stays accurate and is granted and removed promptly.
What are Service Accounts and why should they be secured?
Service accounts are non-human identities used by applications or services. They must be given strong credentials that are rotated frequently, and they must be monitored to prevent misuse.
What is the risk of excessive permissions?
Users with excessive permissions may unintentionally or maliciously access sensitive resources, leading to data breaches or privilege escalation.
What are IAM challenges in cloud environments?
- Managing identities across hybrid or multi-cloud environments.
- Monitoring dynamic access.
- Implementing consistent policies.
- Securing APIs and microservices.
How do you detect and handle orphaned accounts?
- Run periodic access reviews.
- Integrate IAM with HR systems.
- Automate de-provisioning on user exit.
How do OAuth 2.0 scopes work?
Scopes limit what access the token grants. For example, read:user allows viewing user info, while repo grants access to private repositories.
What is an Access Token vs ID Token in OpenID Connect?
- Access Token: Used to access APIs/resources.
- ID Token: Contains identity claims (user info) and is used for authentication.
How does Kubernetes use IAM?
- Uses its built-in RBAC (Roles and ClusterRoles bound to users, groups and service accounts) for cluster access control.
- Integrates with external IdPs via OIDC for user authentication.
- Controls access to resources such as pods, secrets, and services.
🔹 26. What are the latest trends in IAM? Answer:
- Passwordless authentication (e.g., biometrics, WebAuthn).
- Decentralized identity (Self-Sovereign Identity using blockchain).
- Identity as a Service (IDaaS) platforms (e.g., Auth0, Okta).
- Zero Trust Architecture – Trust nothing, verify everything.
- Behavioral biometrics – Continuous authentication based on user behavior.
- AI/ML-based access analytics – Detect abnormal access behavior.
🔹 27. What is Zero Trust and how does IAM support it? Answer: Zero Trust enforces strict identity verification for every person or device trying to access resources, whether inside or outside the network. IAM supports this by:
- Strong authentication (MFA, biometrics),
- Least privilege access, and
- Continuous verification.
🔹 28. What is Identity Federation Abuse? Answer: This happens when attackers exploit misconfigured federated SSO setups to impersonate users across trusted systems, often due to trust mismanagement between IdP and SP.
🔹 29. What is Session Fixation and how do you prevent it? Answer: Session Fixation is when an attacker sets a known session ID for a victim. Mitigation:
- Regenerate the session ID upon login.
- Use secure, unpredictable tokens.
- Enforce session expiration.
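The three mitigations above in one place, as an added Python example (not code from the original guide): a small server-side session store whose IDs come from a CSPRNG, which issues a fresh ID at login while discarding the pre-login one, and which refuses sessions that have sat idle past a timeout. The class and the injectable clock are constructed for this illustration.

```python
import secrets
import time

class SessionStore:
    """Constructed example of a server-side session store. IDs are random and
    opaque; the ID is rotated at login so a pre-set ID never becomes authenticated."""

    def __init__(self, idle_timeout: int = 900, clock=time.time):
        self._sessions = {}            # sid -> {"user": str | None, "last_seen": float}
        self._idle_timeout = idle_timeout
        self._clock = clock            # injectable so expiry can be tested deterministically

    def create(self) -> str:
        """Anonymous session, e.g. for a basket or a login form before authentication."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """After successful authentication: mint a NEW id and drop the old one, so an
        id chosen or captured by an attacker before login is not upgraded."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def user_for(self, sid: str):
        """Resolve a session to its user; idle-expired sessions are evicted, not honoured."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if self._clock() - data["last_seen"] > self._idle_timeout:
            del self._sessions[sid]
            return None
        data["last_seen"] = self._clock()
        return data["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```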
🔹 30. What is the “Confused Deputy” problem in IAM? Answer: It occurs when a more privileged intermediary (e.g., an API gateway) is tricked into using its own authority to perform actions on behalf of a less privileged caller, such as an attacker. Example: misused OAuth token scopes. Fix: validate scopes and identity claims strictly.
🔹 31. Explain an attack involving stolen OAuth tokens. Answer: If access tokens are stolen (e.g., via XSS or insecure storage), attackers can impersonate users without needing credentials. Mitigation:
- Use short-lived access tokens with refresh tokens.
- Use HTTPS, secure storage, and rotate tokens.
🔹 32. What are common IAM-related vulnerabilities? Answer:
- Insecure direct object references (IDOR)
- Poor session management
- Insecure token storage
- Overprivileged access
- Lack of MFA
- Weak password policies
🔹 33. What is IDOR and how does IAM help mitigate it? Answer: IDOR (Insecure Direct Object Reference) allows attackers to access other users’ data by modifying parameters (e.g., /profile?userId=123). IAM helps by:
- Enforcing authorization checks,
- Using opaque identifiers,
- Validating access control for every request.
🔹 34. How do you implement access delegation securely? Answer: Use protocols like OAuth 2.0 with clearly defined scopes, consent screens, token expiration, and revocation endpoints. Validate all claims before granting access.
🔹 35. What are claims in identity tokens? Answer: Claims are attributes about the user (e.g., email, name, roles) embedded in identity tokens (e.g., JWTs). They’re used for both authentication and authorization decisions.
🔹 36. What is Identity Sprawl and how do you control it? Answer: It occurs when user identities exist across multiple platforms without central control. Solution:
- Use centralized IAM or federated identity systems.
- Integrate with directory services (LDAP, AD).
- Automate provisioning/de-provisioning.
🔹 37. How do attackers abuse misconfigured IAM in the cloud? Answer:
- Use overly permissive IAM roles (e.g., * in AWS policies).
- Enumerate IAM users and roles via API (recon).
- Lateral movement via role chaining.
- Privilege escalation via trust relationships.
🔹 38. What are best practices for securing JWTs? Answer:
- Use strong signing algorithms (e.g., RS256).
- Avoid storing sensitive data inside the token.
- Validate expiration and issuer/audience claims.
- Rotate keys regularly.
- Use HTTPS to prevent MITM attacks.
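An added Python example (not code from the original guide) that puts the JWT checklist above and the OIDC mitigations from earlier (validate iss, aud and exp; never trust an unchecked token) into one ID-token validator: algorithm allow-list, signature check, issuer, audience (including the azp rule for multi-audience tokens), expiry and nonce. HS256 is used only so the block runs with the standard library; with an RS256-issuing IdP the signature step would use the provider's public key instead. The sample tokens, secret and helper names are constructed.

```python
import base64
import hashlib
import hmac
import json
ALLOWED_ALGS = {"HS256"}   # pin to what the IdP really publishes; never accept "none"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed helper that mints sample tokens (the 'alg' knob exists only so
    the validator can be shown rejecting alg=none)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: float, leeway: int = 60) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError.
    Order: alg allow-list, signature, iss, aud (+azp if several), exp, nonce."""
    try:
        h, b, s = token.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(b))
    except ValueError:
        raise ValueError("malformed token")
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unexpected alg")          # blocks alg=none and alg confusion
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud"); aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud or (len(aud) > 1 and claims.get("azp") != client_id):
        raise ValueError("token not meant for this client")
    if claims.get("exp", 0) < now - leeway:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims

def id_token_error(*args, **kwargs):
    """The rejection reason as a string, or None when the token is valid."""
    try:
        validate_id_token(*args, **kwargs)
        return None
    except ValueError as e:
        return str(e)
```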
🔹 39. What is Account Takeover (ATO) and how does IAM mitigate it? Answer: ATO is when an attacker gains control of a user’s account through phishing, credential stuffing, or weak authentication. IAM protections:
- MFA
- Rate limiting and lockout mechanisms
- Suspicious login detection
- Device fingerprinting
🔹 40. What’s the difference between Implicit, Authorization Code, and Client Credentials OAuth flows? Answer:
- Authorization Code (most secure): used by web apps; the client exchanges a short-lived code for tokens at the token endpoint.
- Implicit (deprecated): no code exchange; tokens are returned directly in the redirect, which is not recommended.
- Client Credentials: used by services acting on their own behalf (no user context).
🔹 41. What is SCIM (System for Cross-domain Identity Management)? Answer: SCIM is a standard protocol for automating user provisioning and deprovisioning across systems. Widely used in cloud-based IAM solutions.
🔹 42. What are some IAM metrics to monitor for security? Answer:
- Failed login attempts
- Login locations and device anomalies
- Token issuance rate
- Privilege escalation events
- Number of inactive accounts
🔹 43. How does IAM help in compliance and audits? Answer:
- Audit trails of access
- Access reviews
- Least privilege enforcement
- Policy enforcement
- Role definitions and user mapping to controls (for ISO 27001, SOC 2, etc.)
🔹 44. What is Role Explosion? How do you prevent it? Answer: Role Explosion is when too many roles are created for edge cases, making access control complex. Prevention:
- Use ABAC instead of just RBAC
- Hierarchical roles or permissions-based access
- Use policy-driven access models
🔹 45. How would you assess the IAM posture of a system? Answer:
- Review policies and roles.
- Analyze user and service account activity.
- Test MFA and session policies.
- Check logs for anomalies.
- Perform least privilege and orphan account audits.