EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityIAMSSOSAML

Cloud Identity, Federation & Single Sign-On

Identity is the new perimeter. SAML 2.0, OpenID Connect, and OAuth 2.0 enable organisations to federate their corporate identity into cloud platforms — eliminating the need for per-service passwords while centralising authentication and audit.

Ashish Revar3 July 202620 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Tech Talk EP 07 — The Hypervisor Is Your True Security Perimeter

Audio deep-dive covering NIST SP 800-145, the SPI stack, shared responsibility, deployment models, Type-1/2 hypervisors, and Spectre/Meltdown side-channel attacks. ~30 min.

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

NIST SP 800-63-3: Digital Identity Guidelines

NIST digital identity framework covering authentication assurance levels and MFA.

NIST SP 800-63-3: Digital Identity Guidelines

NIST digital identity framework covering authentication assurance levels and MFA.

AWS IAM Identity Center User Guide

AWS IAM Identity Center documentation covering SSO, SAML, SCIM, and permission sets.

AWS IAM Identity Center User Guide

AWS IAM Identity Center documentation covering SSO, SAML, SCIM, and permission sets.

OASIS SAML 2.0 Standard

Official OASIS SAML 2.0 specification and conformance documentation.

OASIS SAML 2.0 Standard

Official OASIS SAML 2.0 specification and conformance documentation.

OpenID Connect Core 1.0

The OpenID Foundation specification for OpenID Connect authentication protocol.

OpenID Connect Core 1.0

The OpenID Foundation specification for OpenID Connect authentication protocol.

More articlesTest your knowledge

Why Identity Is the Perimeter

The phrase "identity is the new perimeter" has become standard in cloud security for a specific reason: in a cloud environment, there is no physical boundary around resources. An S3 bucket, a Lambda function, or an EC2 instance can be accessed from any location. The only barrier between an attacker and those resources is authentication and authorisation — which are both identity functions.

The 2022 Uber breach began with an attacker purchasing an Uber contractor's VPN credentials on the dark web and then exploiting weak MFA (push notification fatigue) to gain access. No network firewall was involved; the entire attack surface was the identity layer.

Core Identity Concepts

TermDefinitionCloud Example
Authentication (AuthN)Proving who you areMFA challenge when logging into AWS Console
Authorisation (AuthZ)Proving what you are allowed to doIAM policy allowing s3:GetObject on a specific bucket
Identity Provider (IdP)The system that stores and verifies identitiesAzure Entra ID, Okta, JumpCloud
Service Provider (SP)The application that delegates authentication to the IdPAWS SSO, Salesforce, GitHub Enterprise
FederationAllowing an SP to trust identities from an external IdPAWS trusting Okta for console login

SAML 2.0: How It Works

Security Assertion Markup Language (SAML) 2.0 is an XML-based open standard for exchanging authentication data between an IdP and an SP.

Typical SP-initiated flow:

  1. User accesses the AWS Console (SP)
  2. AWS detects no active session; redirects to configured IdP (e.g., Okta)
  3. User authenticates at Okta (password + MFA)
  4. Okta issues a signed XML assertion: "This user is john@example.com; their roles are [SecurityAudit, ReadOnlyAccess]"
  5. Browser posts the assertion to AWS SSO; AWS validates the signature against the IdP's certificate
  6. AWS creates a temporary session with the asserted roles

The XML assertion is signed using the IdP's private key; the SP verifies using the IdP's public key certificate registered at setup. An attacker who intercepts a SAML assertion cannot replay it beyond the assertion's expiry (typically 5 minutes).

Key security control: Always verify the IdP certificate is up-to-date and rotate it before expiry. A SAML federation with an expired certificate silently breaks authentication.

OpenID Connect (OIDC)

OIDC is an identity layer built on top of OAuth 2.0, using JSON Web Tokens (JWTs) instead of XML. It is lighter than SAML and has become the standard for API-to-API authentication and modern web application SSO.

ComponentSAML 2.0OIDC
Token formatXML AssertionJWT (JSON Web Token)
Primary useEnterprise SSO (web browser)API auth, mobile, SPA, OIDC SSO
DiscoveryManual metadata file exchangeWell-Known URL (/.well-known/openid-configuration)
SigningXML Digital Signature (RSA/SHA-256)RS256 / ES256 JWT signature

OIDC in cloud context: GitHub Actions uses OIDC to authenticate to AWS. When a CI/CD pipeline runs, GitHub generates an OIDC token that AWS STS validates. AWS grants a temporary IAM role to the pipeline — no long-lived access keys stored in GitHub Secrets.

OAuth 2.0 and Its Relationship to OIDC

OAuth 2.0 is an authorisation framework, not an authentication protocol. It allows an application to obtain delegated access to a resource on behalf of a user (access tokens) or on behalf of itself (client credentials).

Common grant types:

Grant TypeUse CaseSecurity Note
Authorization Code + PKCEWeb/mobile apps, user-facingMost secure; PKCE prevents code interception
Client CredentialsMachine-to-machine (no user)Rotate client secrets; use short expiry
Implicit (deprecated)Old SPAsDo not use; vulnerable to token leakage
Device CodeIoT, CLI toolsLimited time window; displayed code is the second factor

Multi-Factor Authentication (MFA)

MFA is the single highest-impact security control in cloud environments. AWS's own threat intelligence team has stated that enabling MFA would have prevented more than 99% of the account compromises they responded to.

MFA MethodPhishing Resistant?Recommended For
TOTP (Authenticator App)No — real-time phishing possibleStandard user accounts
SMS OTPNo — SS7 attack, SIM swap possibleAvoid for privileged accounts
FIDO2/WebAuthn (Hardware Key)YesPrivileged users, administrators, root account
Push NotificationNo — push fatigue attacksDisable for privileged users

For the AWS root account: use a hardware FIDO2 key (YubiKey). Store it physically in a secure location. The root account should log in fewer than five times per year.

AWS IAM Identity Center (formerly AWS SSO)

AWS IAM Identity Center is the recommended way to provide human users access to multiple AWS accounts and applications:

  • Connects to external IdP (Okta, Azure AD, ADFS) via SAML 2.0 or SCIM
  • SCIM (System for Cross-domain Identity Management) provisions users/groups automatically from the IdP directory
  • Permission sets map IdP groups to IAM roles across accounts
  • All console and CLI access goes through temporary credentials; no long-lived access keys

This approach eliminates per-account IAM users, centralises audit in the IdP, and ensures that when an employee leaves and their Okta account is deprovisioned, they lose access to all AWS accounts automatically.