Further Reading: Identity Governance

Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order below; you do not need to read everything before Chapter 19.

Suggested order

  1. Read the NIST SP 800-63 overview (especially 800-63A on identity proofing and the lifecycle ideas) to ground identity in the federal standard the field defers to.
  2. Skim the SAML 2.0 technical overview and one accessible OIDC explainer side by side until the SAML-vs-OIDC-vs-OAuth distinction is reflexive.
  3. Read the CISA / NSA guidance on identity and access management to see the defender's priorities (phishing-resistant MFA, deprovisioning, monitoring) stated by the agencies that respond to breaches.
  4. Keep a Security+ or CISSP IAM-domain chapter nearby as a reference for the exam mapping.

Standards & primary documents (Tier 1)

  • NIST SP 800-63 series, Digital Identity Guidelines (800-63A Identity Proofing; 800-63B Authentication & Lifecycle Management; 800-63C Federation & Assertions). 📋🏗️📜 The authoritative U.S. treatment of identity assurance, the credential lifecycle, and federation/assertion requirements — 800-63C in particular formalizes exactly the assertion-validation discipline of §18.3. The reference for this whole part.
  • OASIS, SAML 2.0 (Assertions and Protocols; Technical Overview). 🏗️📜 The primary specification for SAML and its best entry point (the Technical Overview, not the raw normative spec, for a first read). Read it to understand the assertion structure and why each field is a control.
  • IETF RFC 6749, The OAuth 2.0 Authorization Framework (and RFC 6750 on bearer tokens). 🏗️📜 The authorization framework itself — read it to internalize that OAuth is about delegated access, scopes, and tokens, not identity.
  • OpenID Foundation, OpenID Connect Core 1.0. 🏗️📜 The specification for the identity layer on OAuth; the source of truth for the ID token and the claims (iss, aud, exp, sub) that prove who the user is. Pair it with RFC 6749 to see how OIDC builds on OAuth.
  • IETF RFC 7644 (SCIM 2.0 Protocol) and RFC 7643 (SCIM Core Schema). 🏗️ The standard for automated cross-system provisioning and deprovisioning — the protocol that makes "disable everywhere" real (§18.4).
  • NIST SP 800-207, Zero Trust Architecture. 🏗️📋📜 Read the identity sections now to see how the governed, verifiable identity of this chapter becomes the foundation of the post-perimeter model (Chapter 32 covers it fully).
  • CIS Controls v8 — Control 5 (Account Management) and Control 6 (Access Control Management). 📋🏗️ The concise control statements for the lifecycle, orphaned-account, and access-review practices of this chapter; excellent for building a checklist and for audit mapping.

Vendor & agency guidance (Tier 1)

  • CISA / NSA, Identity and Access Management guidance and Cross-Sector Cybersecurity Performance Goals. 🛡️📋 The defender's priorities from the agencies that work real incidents: phishing-resistant MFA, centralized identity, prompt deprovisioning, and monitoring of identity events — the §18.4–18.5 agenda stated as national guidance.
  • Microsoft, Entra ID (Azure AD) documentation — Conditional Access, hybrid identity (Entra Connect), and provisioning. 🏗️ The practical reference for the directory most readers will operate, including the hybrid-sync behavior behind the §18.2 "disable at the source" lesson.
  • MITRE ATT&CK — Valid Accounts (T1078) and Account Manipulation (T1098). 🛡️🏗️ The attacker techniques that orphaned and over-privileged accounts enable; read these to see the §18.5 "Defender's Lens" from the adversary's catalog and to build detections.

Books (Tier 1)

  • Chapple, M., & Seidl, D., CompTIA Security+ Study Guide (IAM / Security Operations chapters). 📜 A clean, exam-aligned tour of SSO, federation, SAML/OAuth/OIDC, and the identity lifecycle at an approachable depth.
  • Harris, S., & Maymí, F., CISSP All-in-One Exam Guide (Identity and Access Management domain). 📜📋 Broader and deeper, with strong treatment of provisioning/deprovisioning, federation, and access reviews for the management track.
  • Anderson, R., Security Engineering (3rd ed.) — chapters on access control and distributed systems. 🏗️ Opinionated, durable analysis of how identity and access mechanisms fail in the real world; return to it throughout your career.

Free online & talks (Tier 1 / Tier 2)

  • The "SAML raider" / SAML-security explainer talks and write-ups from major security conferences. 🏗️🛡️ Accessible explanations of how service providers fail to validate assertions (the §18.3 vulnerability class) — study them to defend, not to attack. (Tier 2: specific talks vary; choose a well-sourced, reputable one.)
  • OWASP Cheat Sheets — Authentication, SAML Security, and Access Control. 🏗️ Concise, practical hardening guidance for the integrations you will build; the SAML cheat sheet is the §18.3 checklist in expanded form.
  • Vendor and community write-ups on identity-provider token-theft incidents. 🛡️📋 Reputable analyses of real breaches where attackers stole or forged identity tokens illustrate why SSO concentrates risk at the IdP (the §18.3 pitfall). (Tier 2: read well-sourced post-incident reports; treat single-source specifics cautiously.)

Tools to explore (in your own lab only)

  • A Microsoft 365 / Entra ID developer tenant. 🏗️ Stand up users, groups, Conditional Access, and a SAML or OIDC app integration in a sandbox; run the §18.5 access-review and "disable at the source" exercises hands-on. Free for development.
  • Your own account's connected-apps and OAuth-grants page (Google, Microsoft, GitHub). 🛡️📋 The smallest possible access review: list every app with a token, ask the §18.5 questions, and revoke the orphans. The best first lab needs no setup.
  • A JWT decoder (offline, in your browser/lab). 🏗️ Decode an OIDC ID token to see the iss, aud, exp, and sub claims that §18.3 describes — but never paste production tokens into an online tool.
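As an added example (not part of the chapter or any resource listed above), the following Python script is the kind of offline decoder the last item describes: it splits a compact JWT, decodes the header and payload, and then checks the iss, aud, exp and sub claims against what the relying party expects. The issuer and audience values, and the demo token it builds, are constructed for the example; it deliberately performs no signature verification, so it is an inspection aid for your lab, not a token validator for production.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

# Assumed values for the relying party (hypothetical, for this example only).
EXPECTED_ISSUER = "https://idp.example.test"   # the IdP we federate with
EXPECTED_AUDIENCE = "my-sso-app"                # our client_id at that IdP


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment format."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT and JSON-decode its header and payload.

    Inspection only: the signature segment is ignored, so nothing here
    proves the token came from the IdP. Verification needs the IdP's
    published keys and a proper JWT library.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def check_claims(payload: Dict, expected_iss: str, expected_aud: str,
                 now: Optional[float] = None) -> List[str]:
    """Return a list of findings; an empty list means the core claims look sane."""
    now = time.time() if now is None else now
    findings: List[str] = []

    # iss: the token must come from the issuer we configured, not just "an" issuer.
    if payload.get("iss") != expected_iss:
        findings.append(f"iss mismatch: {payload.get('iss')!r} != {expected_iss!r}")

    # aud: may be a string or a list; our client_id must be in it.
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        findings.append(f"aud does not include {expected_aud!r}: {aud!r}")

    # exp / nbf: the token must be inside its validity window right now.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        findings.append("exp missing or not numeric")
    elif exp <= now:
        findings.append(f"token expired at {exp} (now {int(now)})")
    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        findings.append(f"token not yet valid (nbf {nbf})")

    # sub: without a stable subject there is nothing to map to a local identity.
    if not payload.get("sub"):
        findings.append("sub missing: no stable subject identifier")
    return findings


def build_demo_token(payload: Dict) -> str:
    """Build a constructed demo token: real header/payload encoding, placeholder signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    sig_placeholder = b64url_encode(b"constructed-placeholder-not-a-real-signature")
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        sig_placeholder,
    ])


if __name__ == "__main__":
    # Constructed sample ID token; timestamps are fixed so the run is reproducible.
    demo = build_demo_token({
        "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-123",
        "iat": 1_700_000_000, "exp": 1_700_000_300,
    })
    hdr, claims = decode_jwt(demo)
    print(json.dumps(hdr, indent=2))
    print(json.dumps(claims, indent=2))
    for finding in check_claims(claims, EXPECTED_ISSUER, EXPECTED_AUDIENCE, now=1_700_000_100):
        print("FINDING:", finding)
```

Paste a token from your own lab tenant into `decode_jwt` to see the claims; keep the expected issuer and audience in sync with your app registration, since an aud or iss mismatch is exactly the §18.3 failure a relying party must reject.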

⚖️ Authorization & Ethics reminder: Several resources here describe how attackers abuse stale accounts and weak assertion validation. Study them to defend — to harden your integrations and find your own orphans. Apply any hands-on technique only to systems you own or are explicitly authorized to test (Chapter 39).