Exercises: Identity Governance
These exercises move from the vocabulary of identity governance to the judgment a real practitioner exercises when hunting orphaned accounts and designing a lifecycle. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.
Work in your own notebook or a private repository. Where an exercise asks you to score, design, or decide, the reasoning matters more than landing on one "correct" answer. Use only documentation values (meridianbank.example, the documentation IP ranges) in anything you draft.
Part A — Core vocabulary and concepts ⭐
1.† In one sentence each, define single sign-on (SSO), federation, directory service, and access certification. Then write one sentence that uses all four correctly in the context of a departing contractor.
2. Distinguish SAML, OAuth 2.0, and OpenID Connect (OIDC) in one line each. State clearly which two answer "who is this user?" and which one answers "what may this app do on the user's behalf?"
3. Explain the difference between Active Directory and Entra ID (formerly Azure AD). Name one protocol AD uses to authenticate that Entra ID does not, and one thing Entra ID does for SaaS apps that AD was not built for.
4.† Define orphaned account and name the three properties that make an orphaned account valuable to an attacker out of all proportion to its raw count.
5. Define the joiner-mover-leaver (JML) lifecycle. For each of the three transitions, name the single security failure most associated with getting it wrong.
6. What is SCIM, and what specific problem does it solve that manual account management does not? Why is its role in deprovisioning especially valuable?
7. Explain the difference between cloud IAM (Chapter 15) and the IAM program / IGA of this chapter. Give one example of each so the distinction is concrete.
Part B — Find the orphan / analyze this ⭐⭐
8.† Find the orphan. You are handed this (illustrative) reconciliation. The left list is enabled accounts exported from Active Directory; the right list is the HR roster of active employees plus the current contractor roster. Identify every orphaned account and, for each, state the single signal that flagged it.
AD enabled accounts    HR + contractor roster (active people)
-------------------    --------------------------------------
jdoe                   jdoe (employee, active)
asmith                 asmith (employee, active)
contractor_lee         (not present — engagement ended 4 months ago)
svc_backup             (not present — no human owner listed)
mwilson                mwilson (employee, active)
rgarcia                (not present — terminated last month)
bchen                  bchen (contractor, active)
9. Analyze this log. The following (illustrative) authentication events come from Meridian's identity provider; the source IP is in the documentation range 203.0.113.0/24. The account rgarcia belongs to an employee whose HR record shows a termination date of 2026-04-30.
2026-05-18 02:14:07 user=rgarcia src=203.0.113.88 result=SUCCESS app=file-share
2026-05-18 02:15:55 user=rgarcia src=203.0.113.88 result=SUCCESS app=loan-origination
2026-05-18 02:31:20 user=rgarcia src=203.0.113.88 result=SUCCESS app=email
(a) What is the single most alarming fact about these events? (b) Classify rgarcia here — is it a threat, a vulnerability, an exploit, or some combination? (c) Name the one control from this chapter whose failure most directly enabled this, and the one control that would have detected it even if the first failed.
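A detection a practitioner would run over events like these, added here as an example rather than as part of the exercise: it parses the identity provider's key=value lines, joins each successful login to the user's HR termination date, and reports every success after that date. The three rgarcia lines are the exercise's own; the tlee events and the tlee termination date are constructed.

```python
from datetime import date, datetime
import re

# Sample data: the exercise's rgarcia events plus constructed tlee events; the
# termination dates are constructed except rgarcia's (2026-04-30, from the exercise).
TERMINATIONS = {"rgarcia": date(2026, 4, 30), "tlee": date(2026, 5, 20)}

AUTH_LOG = """\
2026-05-18 02:14:07 user=rgarcia src=203.0.113.88 result=SUCCESS app=file-share
2026-05-18 02:15:55 user=rgarcia src=203.0.113.88 result=SUCCESS app=loan-origination
2026-05-18 02:31:20 user=rgarcia src=203.0.113.88 result=SUCCESS app=email
2026-05-18 09:01:12 user=tlee src=203.0.113.20 result=SUCCESS app=email
2026-05-21 07:45:00 user=tlee src=203.0.113.20 result=FAILURE app=email
2026-05-22 23:10:33 user=tlee src=203.0.113.91 result=SUCCESS app=file-share
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+) app=(?P<app>\S+)$"
)

def parse_events(log_text):
    """Parse the IdP's key=value lines into dicts; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events

def post_termination_logins(events, terminations):
    """Successful logins dated after the user's HR termination date. Any hit means
    the leaver transition did not disable the account (or it was re-enabled);
    failures are ignored because only a success proves live access."""
    findings = []
    for ev in events:
        term = terminations.get(ev["user"])
        if term is not None and ev["result"] == "SUCCESS" and ev["ts"].date() > term:
            findings.append(dict(ev, days_after=(ev["ts"].date() - term).days))
    return findings

if __name__ == "__main__":
    for f in post_termination_logins(parse_events(AUTH_LOG), TERMINATIONS):
        print(f"{f['ts']} {f['user']} -> {f['app']} from {f['src']}: "
              f"{f['days_after']} days after termination")
```

In a real pipeline the termination dates come from the HR system of record, which is exactly why the HR feed must include contractors as well as employees.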
10.† Privilege creep. An employee's entitlements are listed below alongside the roles they have held over six years at the bank. Their current role is Loan Officer.
Held roles (in order): Teller → Branch Operations → Loan Officer (current)
Current entitlements: teller-app, cash-drawer-recon, branch-ops-admin, loan-origination, wire-INITIATE, wire-APPROVE
(a) Which entitlements are privilege creep (justified by a past role but not the current one)? (b) Which pair of entitlements is a segregation-of-duties problem, and why is it dangerous at a bank? (c) What process failure (name the JML transition) let this accumulate?
11. Read the assertion. Below is a trimmed, illustrative SAML assertion received by a service provider. Identify the four fields that function as security controls and, for each, state what attack it defends against and what goes wrong if the SP ignores it.
<saml:Issuer>https://login.meridianbank.example/idp</saml:Issuer>
<ds:Signature> ...IdP signature... </ds:Signature>
<saml:Conditions NotBefore="2026-06-14T13:02:11Z" NotOnOrAfter="2026-06-14T13:07:11Z">
    <saml:Audience>https://app.example/saml</saml:Audience>
</saml:Conditions>
<saml:Subject><saml:NameID>loanofficer3@meridianbank.example</saml:NameID></saml:Subject>
12. Two findings from an identity review each "feel" urgent. (a) A long-dormant account (no login in 210 days) that belongs to a current employee on extended medical leave. (b) An orphaned contractor account that logged in last week. Which is the higher risk and why? What additional fact about (a) would change your answer?
Part C — Trace the flow ⭐⭐
13.† Trace SSO. Walk through the SAML SSO flow (Figure 18.2) for a Meridian employee opening a SaaS app, in your own words, in numbered steps from the user's first click to a logged-in session. At which step does authentication actually happen, and at which step does the application verify it? State the one credential the application never receives.
14. OAuth vs OIDC in practice. For each scenario, say whether you would use OAuth 2.0 or OIDC, and why: (a) a scheduling app needs to read a user's calendar but must not learn their password; (b) a new web application needs to let users "sign in with your company account" and know who they are; (c) a backup tool needs scoped, revocable permission to read files in a user's cloud storage.
15. ⭐⭐⭐ A developer says: "We don't need OIDC — we already get an OAuth access token when the user logs in, so we just read the user's identity from that." Explain precisely why this is dangerous, name the class of vulnerability it invites, and state what they should do instead.
Part D — Write the policy / design it ⭐⭐–⭐⭐⭐
16.† Write the policy. Draft a contractor account policy for Meridian in five to eight bullet points that would make the CONTRACTOR_X incident structurally impossible. Address: the system of record, account creation, a mandatory technical control, deprovisioning triggers, and the review that catches what automation misses.
17. Design the lifecycle. Sketch (in words or a simple diagram) an automated joiner-mover-leaver pipeline for Meridian driven by the HR system. Show what fires each transition, what each transition does to the directory and target apps, and where SCIM fits. Explicitly mark the gap where contractors fall out and how you close it.
18. Design the access review. Design a quarterly access certification for the Wire-Approvers group. Specify: who reviews, what enrichment each row shows the reviewer (so it is not a rubber stamp), which grants get auto-flagged for scrutiny, the two possible decisions, and what happens to a "revoke" decision afterward. Why must the certification result in removals to count as a control?
19. ⭐⭐⭐ Design it. Meridian is onboarding a SaaS expense-management application for all 1,800 employees. Design how it should integrate with the identity program: authentication (which protocol and why), provisioning and deprovisioning (how accounts are created and removed), and what you require from the vendor before approving it. Name the failure you are specifically engineering against.
20. Harden it. A service provider's SAML integration is configured as follows. Identify every weakness and write the corrected configuration in plain language.
SAML integration "vendor-portal":
    require_signed_assertions: false
    verify_idp_signature: false
    enforce_audience: false
    assertion_max_age_minutes: 1440
    fallback_password_login: enabled (no MFA)
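The checks a correctly configured service provider applies to the assertion from Exercise 11 (the same checks the vendor-portal settings above switch off), written here as an added example rather than code from the page: XML parsing is done with the standard library, and signature verification is assumed to come from an XML-DSig library and is passed in as a boolean rather than implemented.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The exercise's trimmed assertion, wrapped in a root element with the SAML
# namespace declared so it parses. The ds:Signature element is omitted; its
# verification result arrives as the signature_ok argument (assumed external).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://login.meridianbank.example/idp</saml:Issuer>
  <saml:Conditions NotBefore="2026-06-14T13:02:11Z" NotOnOrAfter="2026-06-14T13:07:11Z">
    <saml:Audience>https://app.example/saml</saml:Audience>
  </saml:Conditions>
  <saml:Subject><saml:NameID>loanofficer3@meridianbank.example</saml:NameID></saml:Subject>
</saml:Assertion>"""

def saml_ts(s):
    """Parse a SAML UTC timestamp such as 2026-06-14T13:02:11Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, signature_ok, expected_issuer, my_entity_id,
                       now, skew=timedelta(seconds=60)):
    """Return (accepted, failures). Every control must pass; none is optional."""
    failures = []
    if not signature_ok:
        failures.append("signature: unverified assertion could be forged or altered")
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        failures.append("issuer: not our identity provider")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        failures.append("conditions: no validity window, assertion never expires")
    else:
        nb, na = saml_ts(cond.get("NotBefore")), saml_ts(cond.get("NotOnOrAfter"))
        if now < nb - skew or now >= na + skew:     # small clock skew tolerated
            failures.append("time: outside validity window (stale or replayed)")
        # .// also finds Audience nested under AudienceRestriction in full assertions
        if my_entity_id not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
            failures.append("audience: issued for a different service provider")
    if not root.findtext("saml:Subject/saml:NameID", namespaces=NS):
        failures.append("subject: no NameID to map to a user")
    return (not failures, failures)

if __name__ == "__main__":
    ok, why = validate_assertion(ASSERTION, True, "https://login.meridianbank.example/idp",
                                 "https://app.example/saml", saml_ts("2026-06-14T13:04:00Z"))
    print("accepted" if ok else "rejected: " + "; ".join(why))
```

Run the same assertion with a later clock, a wrong audience, or signature_ok=False and each failure lists the attack that the corresponding field is there to stop.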
Part E — Respond to this incident ⭐⭐⭐
21.† Respond. During an access review, you discover that a domain-admin account belonging to an engineer who left the bank three months ago is still enabled and shows a successful login two weeks ago from an unfamiliar IP. Write the first five actions you would take, in order, and justify the order. (Be careful: there is a tension between cutting off access fast and preserving evidence — address it. Lean on Chapters 24 and 25 where relevant, but the identity-specific decisions are yours.)
22. Respond. A SaaS vendor notifies Meridian that one of its applications, integrated via SAML SSO, suffered a breach in which attackers may have captured SAML assertions in transit. A panicked colleague says, "They have our users' passwords now — force a company-wide password reset." Explain why the password-reset reflex is mostly misplaced for the SSO'd app, what the attacker could actually do with a captured assertion, what genuinely limits the damage (reference the assertion's fields from §18.3), and what the right response actually is.
Part F — CTF-style challenge ⭐⭐⭐
23.† The account that shouldn't exist. Reconcile the four (illustrative) lists below to find the one account that is simultaneously an orphan, privileged, and actively used — the single most dangerous account in the environment — and explain the reasoning that isolates it from the others. Then state the order in which you would remediate all the flagged accounts and why.
[A] AD enabled accounts: alice, bob, carol, dave, svc_etl, ghost_admin
[B] HR active employees: alice, bob, carol
[C] Members of "Domain Admins": dave, ghost_admin
[D] Logins in last 7 days: alice, ghost_admin, svc_etl
Notes: dave = employee who transferred to Marketing 1 year ago (still in HR? NO — left the company 1 year ago).
svc_etl = a service account, owner team = Data Eng.
ghost_admin = no HR record, no owner team, no documentation anywhere.
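A reconciliation in the shape of Exercises 8 and 23, added here as an example and not drawn from the page: it uses constructed account names rather than the exercise's lists, assumes a service-account owner register and a svc_ naming convention for service accounts, and ranks each orphan by whether it is privileged and recently used.

```python
# Constructed lists in the shape of the exercise's [A]-[D], with different
# names so the exercise itself is not answered here. Service-account ownership
# comes from a register; the svc_ prefix rule is an assumption.
AD_ENABLED = {"erin", "frank", "grace", "contractor_kim",
              "svc_report", "svc_old_sync", "admin_tmp"}
HR_ACTIVE = {"erin", "frank", "grace"}
CONTRACTORS_ACTIVE = set()                    # contractor_kim's engagement has ended
DOMAIN_ADMINS = {"frank", "svc_old_sync", "admin_tmp"}
LOGINS_LAST_7_DAYS = {"erin", "svc_report", "admin_tmp"}
SERVICE_OWNERS = {"svc_report": "Data Eng"}   # svc_old_sync has no owner team

def find_orphans(ad_enabled, hr_active, contractors_active, service_owners):
    """Map each enabled account with no living owner to the signal that flagged it."""
    people = hr_active | contractors_active
    orphans = {}
    for acct in sorted(ad_enabled):
        if acct in people:
            continue
        if acct.startswith("svc_"):
            if acct not in service_owners:
                orphans[acct] = "service account with no owner team"
        else:
            orphans[acct] = "enabled but absent from HR and contractor rosters"
    return orphans

def triage(orphans, privileged, recently_active):
    """Order orphans by danger: privileged weighs 2, recent use weighs 1, so a
    score of 3 is the orphan + privileged + active case the exercise hunts for."""
    rows = []
    for acct, signal in orphans.items():
        score = 2 * (acct in privileged) + (acct in recently_active)
        rows.append((score, acct, signal,
                     "privileged" if acct in privileged else "unprivileged",
                     "active" if acct in recently_active else "dormant"))
    return sorted(rows, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    found = find_orphans(AD_ENABLED, HR_ACTIVE, CONTRACTORS_ACTIVE, SERVICE_OWNERS)
    for score, acct, signal, priv, act in triage(found, DOMAIN_ADMINS, LOGINS_LAST_7_DAYS):
        print(f"[{score}] {acct:15} {priv:12} {act:8} {signal}")
```

The score only orders remediation; every orphan on the list still gets disabled, and privileged accounts that do have owners (frank here) belong in the access certification of Exercise 18 instead.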
Part G — Interleaved & forward-looking ⭐⭐
24. (Interleaved with Ch.16–17.) A single identity at the IdP, protected by a phishing-resistant FIDO2 key (Chapter 16), grants access via SSO to forty applications, each of which enforces RBAC (Chapter 17). Write three sentences tracing how authentication (Ch.16), authorization (Ch.17), and governance (Ch.18) each do a distinct job for one user's single request to one app — and what is lost if any of the three is missing.
25. (Interleaved with Ch.1.) Meridian's very first risk register (Chapter 1) listed R2: "orphaned/over-privileged account enables lateral movement," scored 15 (CRITICAL). Using only what you learned in this chapter, write the treatment and the honest residual risk you would now record for R2. How has the risk score changed, and what would you tell an auditor?
26. ⭐⭐⭐ Forward-looking. This chapter says SSO concentrates risk at the identity provider, and that protecting the IdP itself is paramount. Predict two specific controls you expect Chapter 19 (Privileged Access Management) and Chapter 32 (Zero Trust Architecture) to apply to that exact problem. (Revisit this prediction after you read those chapters.)
Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor.