r/IdentityManagement

IGA Solution for a Small Company with Small Budget

I manage IT for a small SaaS company. We currently have 75 employees. Our product is hosted in AWS, and I'm looking for an IGA solution to make it easier for our engineering team to request elevated access as needed, with time constraints and automated approvals when it makes sense. I only just learned about "IGA" a few weeks ago as I started looking for ways to streamline our current process, which includes opening a Jira ticket, human approvals, etc. It has really slowed us down and our CEO (whom I report to) is getting frustrated and wants to find ways to speed things up.

I have spoken to Opti, Conductor One (C1), and Saviynt so far. It has become clear that most of these vendors are not interested in working with a company as small as ours, and they won't do a deal of less than six figures. Additionally, the IdP we use is lesser known (JumpCloud) and most do not integrate with it, which is likely an issue for IGA functionality.

I don't yet have a formal budget number, as I haven't proposed any of these solutions to executive management. But I'm guessing it will be difficult for me to get more than $20K/year or so. Can anyone suggest an IGA vendor that might be a good fit for us? I am thinking of contacting Linx, Omada, and Pathlock next. While the IGA functionality is my primary goal, I am seeing that many of these also provide visibility into AI usage, such as agents. I definitely would like to add that to my stack as well, as we have FULLY begun to leverage AI and I have NO idea what people are actually doing with various tools.

Thanks for any advice here!

reddit.com
u/dsmithpdx — 1 day ago

AI agent governance still defaults to a kill switch, and the gap is on the authorization side

Hey everyone! An observation from working in authorization: identity programs have been putting serious work into agent authentication over the last couple of years: service accounts done properly, OAuth scopes tightened, secret rotation, short-lived tokens. The authN side isn't fully solved (it never is), but it's where most of the effort has been going.

The part getting less air-time is what happens after the agent is authenticated, when it's acting on a workflow and something starts looking off. The default plan there is still "if it misbehaves, kill the agent."

That stops working the moment the agent is wired into something real. Pulling the switch creates a secondary incident, halted workflows, paused queues, downstream teams scrambling. So the agent keeps running at full access while the team figures out what's wrong, because the standard toolkit doesn't have a middle setting.

A colleague of mine was talking to a CISO about this and the framing that CISO used was dimmer switch, not kill switch. The dimmer lives in the authZ layer at runtime, which is the part identity stacks haven't extended into yet for non-human principals.

In practice the dimmer looks like read-only on certain data first. Sensitive tools dropped next. Higher approval thresholds for anything above a certain size. Each adjustment is reversible and logged. If the agent turns out to be fine, restrictions fade back. If not, you keep tightening until access is at zero, but you got there deliberately and with a record.

The mechanism isn't new: per-action policy enforcement at runtime has been around for years for human users. What's newer for AI agents specifically is wiring it to the agent's identity, current task, and intent at runtime, so you can narrow scope without redeploying or stopping the agent mid-task.

My team and I (work at Cerbos) wrote up the full framing here: https://www.cerbos.dev/blog/dimmer-switch-not-a-kill-switch-rethinking-ai-agent-governance

Now I'm curious to know how the identity programs you all are seeing / part of are organizing this. Is agent authorization landing inside the IAM team, security ops, the application teams, or sitting in no man's land between them? If you're open to sharing, please do!

Usual caveat, none of this replaces human review of policy. Tooling makes the revocation mechanical. Humans still own the call on where the boundaries should sit :)

u/morphAB — 3 days ago
▲ 12 r/IdentityManagement+1 crossposts
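The graduated restriction the post above describes, as an added example that is not part of the post and not Cerbos code. The agent id, tool names, data classes and the four dimmer steps (read-only on sensitive data, sensitive tools dropped, lower approval threshold, revoked) are assumptions chosen to mirror the post; every dim, brighten and per-action decision goes into an in-memory audit trail.

```python
"""Graduated runtime restriction ("dimmer switch") on an AI agent's
per-action authorization. Added illustration, not Cerbos code; the agent
id, tool names, data classes and level semantics are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Dimmer levels, from full access down to fully revoked. Each step adds one
# restriction on top of the previous ones.
FULL, READ_ONLY_SENSITIVE, NO_SENSITIVE_TOOLS, STRICT_APPROVAL, REVOKED = range(5)

WRITE_ACTIONS = {"write", "delete", "execute"}
SENSITIVE_TOOLS = {"export_customer_data", "send_wire"}      # assumed tool names
APPROVAL_THRESHOLD = {FULL: 50_000, READ_ONLY_SENSITIVE: 50_000,
                      NO_SENSITIVE_TOOLS: 50_000, STRICT_APPROVAL: 1_000}


@dataclass
class AgentPolicy:
    agent_id: str
    level: int = FULL
    audit: list = field(default_factory=list)

    def _log(self, event, **details):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "agent": self.agent_id, "event": event, **details})

    def dim(self, reason):
        """Tighten one step. Reversible and logged; stops at REVOKED."""
        self.level = min(self.level + 1, REVOKED)
        self._log("dim", level=self.level, reason=reason)
        return self.level

    def brighten(self, reason):
        """Relax one step once the agent turns out to be fine."""
        self.level = max(self.level - 1, FULL)
        self._log("brighten", level=self.level, reason=reason)
        return self.level

    def authorize(self, action, tool, data_class="public", amount=0):
        """Per-action decision at the current dimmer level:
        'allow', 'deny' or 'needs_approval'. Every decision is logged."""
        if self.level >= REVOKED:
            decision = "deny"
        elif (self.level >= READ_ONLY_SENSITIVE and action in WRITE_ACTIONS
              and data_class == "sensitive"):
            decision = "deny"                       # read-only on sensitive data
        elif self.level >= NO_SENSITIVE_TOOLS and tool in SENSITIVE_TOOLS:
            decision = "deny"                       # sensitive tools dropped
        elif amount > APPROVAL_THRESHOLD[self.level]:
            decision = "needs_approval"             # threshold lowered at STRICT_APPROVAL
        else:
            decision = "allow"
        self._log("authorize", action=action, tool=tool,
                  data_class=data_class, amount=amount, decision=decision)
        return decision


def walk_dimmer(agent_id="agent-42"):
    """Drive one agent through every level; returns (decision trail, policy)."""
    p = AgentPolicy(agent_id)
    trail = [p.authorize("write", "update_ledger", "sensitive", 2_000)]
    p.dim("anomalous query volume")
    trail.append(p.authorize("write", "update_ledger", "sensitive", 2_000))
    trail.append(p.authorize("read", "update_ledger", "sensitive", 2_000))
    p.dim("still anomalous")
    trail.append(p.authorize("write", "send_wire", "public", 2_000))
    p.dim("unexplained intent")
    trail.append(p.authorize("write", "update_ledger", "public", 2_000))
    trail.append(p.authorize("write", "update_ledger", "public", 500))
    p.dim("manual decision: revoke")
    trail.append(p.authorize("read", "list_tickets"))
    return trail, p


if __name__ == "__main__":
    decisions, policy = walk_dimmer()
    print(decisions)
    print(len(policy.audit), "audit events")
```

Note that nothing in `dim()` stops the agent; the task keeps running and only the next `authorize()` call sees the tighter level, which is the "no redeploy, no kill" property the post is after.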

How to learn CyberArk / SailPoint.

So, basically I am in an MNC in a monitoring role, just a fresher...

I'm interested to learn CyberArk / SailPoint.

Are there any better options for learning a new skill and jumping to a different project / different company?

Please do let me know.

If CyberArk and SailPoint are good, how do I learn them, like step-by-step?

Please guide me.

reddit.com
u/lonelyshoul4 — 4 days ago
▲ 10 r/IdentityManagement+2 crossposts

User Onboarding with IAM

Hi Folks

How do you handle new user onboarding and initial credential communication when using an IAM system?

Our current setup is:

One Identity IAM system integrated with HR System
On-premises Active Directory
Microsoft Entra ID for O365 Email
Users log in to IAM using Entra ID federated login

The main question is around the first login journey, initial credential communication and birthright access.

How do you communicate the initial username and temporary password to the user?

Do you use SMS, personal email, manager handover, or another secure method?

reddit.com
u/Final-Pomelo1620 — 5 days ago
▲ 7 r/IdentityManagement+1 crossposts

How to force MFA at Windows logon when using password?

Trying to understand something around Windows logon MFA.

We already use Windows Hello for Business and most cloud services are protected with MFA. Users can log in with biometrics/PIN just fine, but they still have the option to fall back to their password at Windows logon and that doesn’t trigger any additional verification.

From a security perspective, that feels like a gap. If someone gets the password (or a device is stolen/shared), the login still succeeds without another factor.

For those running Entra/Intune environments:

  • Are you disabling password sign-in entirely?
  • Enforcing passwordless/WHfB only?
  • Using smart cards, security keys, Duo, or another MFA for Windows logon approach?

Curious how others are handling MFA at the actual Windows login layer vs just protecting cloud apps/services.

reddit.com
u/Due-Awareness9392 — 7 days ago

Our provisioning matched a new hire to the wrong person's old account and I still don't fully trust our matching logic after fixing it

We sync from HRIS on new hire records. Match on first name, last name, department. Works fine until it doesn't.

Last month it matched a new hire to a former employee with the same name who left four years ago. Different person entirely; the system saw the name, department was close enough, merged them.

New hire spent their first week with access to everything that old account had accumulated. Some of it elevated. Nobody caught it because the account looked normal, just assigned to the wrong person's history.

Took three weeks to untangle. The part I still can't fully close is what the new hire actually accessed during that window that they shouldn't have. Logging ties to the account, not the person, so the reconstruction was incomplete.

We added employee ID as a matching field after this. But we provisioned a lot of people before we tracked IDs consistently, so I don't know how many historical records would fail the same match if those people got rehired.

How are others handling rehire matching in environments where the historical data is messy? And has anyone actually audited their matching logic before something like this surfaced it?

reddit.com
u/Ambitious-Bison-2161 — 8 days ago
▲ 15 r/IdentityManagement+1 crossposts
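An added example (not from the post above) putting the weak first+last+department rule next to a hardened matcher: link only on a unique employee ID, treat a same-name hit as a rehire candidate only when a corroborating attribute (date of birth here) agrees, send anything ambiguous to a human, and never auto-merge on name plus department. The record layout, uids and sample store are constructed; `records_without_employee_id` answers the post's last worry by listing the historical records that would still fall back to name matching.

```python
"""HR-to-identity matching: the weak first+last+department rule from the
post beside a hardened rule that needs a stable identifier or a
corroborating attribute and routes ambiguity to manual review. Added
example; field names, uids and the sample records are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    uid: str
    first: str
    last: str
    dept: str
    employee_id: Optional[str]   # None on records provisioned before IDs were tracked
    dob: Optional[str]           # YYYY-MM-DD, used only to corroborate a name hit
    status: str                  # "active" or "terminated"


def _norm(value):
    return " ".join(value.lower().split())


def weak_match(hr, store):
    """The rule that caused the incident: first + last + department.
    Returns the uid it would merge into, or None."""
    key = (_norm(hr["first"]), _norm(hr["last"]), _norm(hr["dept"]))
    for ident in store:
        if (_norm(ident.first), _norm(ident.last), _norm(ident.dept)) == key:
            return ident.uid
    return None


def strict_match(hr, store):
    """Hardened rule. Returns (decision, uid):
      ("link",   uid)  exactly one record carries the HR employee_id and is active
      ("review", uid)  probable rehire (id on a terminated record, or name+dob);
                       a human confirms and strips stale entitlements first
      ("review", None) collision that cannot be ruled out from the data we hold
      ("create", None) nothing plausible matches; provision a fresh identity
    Name + department alone never links."""
    hr_id = hr.get("employee_id")
    if hr_id:
        by_id = [i for i in store if i.employee_id == hr_id]
        if len(by_id) == 1:
            return ("link" if by_id[0].status == "active" else "review", by_id[0].uid)
        if len(by_id) > 1:
            return ("review", None)        # duplicate employee_ids: data problem
    # No usable id match. Consider same-name records, excluding anyone whose
    # employee_id is known and different (a different person by definition).
    name_hits = [i for i in store
                 if (_norm(i.first), _norm(i.last)) == (_norm(hr["first"]), _norm(hr["last"]))
                 and not (hr_id and i.employee_id and i.employee_id != hr_id)]
    corroborated = [i for i in name_hits if i.dob and i.dob == hr.get("dob")]
    if len(corroborated) == 1:
        return ("review", corroborated[0].uid)
    # A hit with no dob on either side cannot be ruled out; a differing dob can.
    unresolved = [i for i in name_hits if not i.dob or not hr.get("dob")]
    if corroborated or unresolved:
        return ("review", None)
    return ("create", None)


def records_without_employee_id(store):
    """Historical records that would fall back to name matching on rehire."""
    return [i.uid for i in store if not i.employee_id]


# Constructed identity store: a former Finance employee with the same name as
# the new hire, provisioned before employee_ids were recorded.
STORE = [
    Identity("u1001", "Jordan", "Lee", "Finance", None, "1985-02-11", "terminated"),
    Identity("u1002", "Jordan", "Lee", "Engineering", "E-2231", "1990-07-03", "active"),
    Identity("u1003", "Priya", "Nair", "Finance", "E-1090", None, "active"),
]
NEW_HIRE = {"first": "Jordan", "last": "Lee", "dept": "Finance",
            "employee_id": "E-4410", "dob": "1998-11-30"}
REHIRE = {"first": "Jordan", "last": "Lee", "dept": "Finance",
          "employee_id": "E-5002", "dob": "1985-02-11"}

if __name__ == "__main__":
    print("weak:  ", weak_match(NEW_HIRE, STORE))       # u1001 (wrong person merged)
    print("strict:", strict_match(NEW_HIRE, STORE))     # ('create', None)
    print("rehire:", strict_match(REHIRE, STORE))       # ('review', 'u1001')
    print("id-less:", records_without_employee_id(STORE))
```

The rehire path deliberately returns `review` rather than `link` even on a clean match to a terminated record, so the old account's accumulated entitlements are stripped before anyone reactivates it.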

Anyone interested in presenting something at an IAM community meetup/workshop?

Anyone interested in casually presenting something at an upcoming IAM community meetup/workshop?

I’m looking for people who’d be open to sharing something useful with others in the IAM/security space.

Could be:

  • a cool IAM setup or workflow
  • useful tools/resources
  • automation ideas
  • Entra/Okta lessons learned
  • phishing-resistant MFA
  • AI + IAM topics
  • cert/career advice
  • something you wish more IAM people knew

Nothing salesy or overly formal. More “here’s something useful I learned” than “come watch my pitch.”

We’ve been growing a pretty active IAM community in the Zero to Sec Discord, and I’d like to get more community-led sessions going with people sharing real-world knowledge and ideas.

If interested, drop a comment or DM me.

reddit.com
u/iamblas — 8 days ago

Attending Okta’s AI identity summit - are you?

Hey all
Attending Okta's conference soon as a partner.

Theme as shared by them: AI agents as first-class identities, governing and securing them the same way you would a human workforce identity or existing service/technical accounts.

A few Qs I have in mind:
Are you handling lifecycle for AI agents today, or is it still ad hoc like the robotic accounts we are seeing in some implementations?

Where does the IGA layer fit when the identity has no HR record?

What are implementing consultants here seeing that existing IAM vendors are not talking about yet?

Curious to hear what others are seeing in their IAMs already.

reddit.com
u/flywhee007 — 8 days ago

Want to stand out in an IAM interview? Show your work.

I have been on both sides of IAM interviews as a candidate early in my career and as the person asking the questions for the last 15+ years. I am curious what others with similar experiences can add.

Most guys show up with a list of products they have used at work and a certification or two. However, for me, a resume with a GitHub link would help.

Not polished code. Not a perfect lab. Evidence of implementation thinking.

  • Screenshots of a working Joiner workflow with a README explaining what each component does and why
  • A decoded JWT with annotations on what each claim means or a SAML assertion captured in SAML-tracer with notes on what the IdP is doing
  • Errors faced while configuring JML or access certification processes in your IGA lab
  • A short write-up of what broke during a lab and how you fixed it

The troubleshooting notes are often more impressive than the working screenshots. They show you understand what is happening under the hood.

See comment below for free IAM labs you can use to build this out if you are starting from scratch.

reddit.com
u/flywhee007 — 10 days ago
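As an added example of the "decoded JWT with annotations" item in the post above (not the poster's own material): the token is minted inline with an assumed shared HS256 secret and a fixed clock, decoded without trusting it, annotated claim by claim, and then verified with the checks that matter (algorithm pinned before the signature is touched, constant-time signature compare, audience, expiry). Issuer, audience and claim values are constructed.

```python
"""Decode a JWT, annotate its standard claims, and verify an HS256
signature with alg pinning, signature, audience and expiry checks.
Added example; the token is minted inline with an assumed shared secret
and did not come from any real IdP."""
import base64
import hashlib
import hmac
import json

CLAIM_NOTES = {
    "iss": "issuer: which IdP minted this; must equal the issuer you configured",
    "sub": "subject: the principal the token is about",
    "aud": "audience: the client or API the token is for; reject if it is not you",
    "exp": "expiry, unix seconds; reject once now >= exp",
    "iat": "issued-at, unix seconds",
    "nbf": "not-before, unix seconds",
    "scp": "granted scopes ('scope' in RFC 9068 access tokens; Okta and Entra use 'scp')",
}
SECRET = b"constructed-demo-secret"          # assumption: shared HS256 key
NOW = 1_700_001_000                          # fixed clock for deterministic checks


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact JWS. Test fixture only; a real IdP does this for you."""
    parts = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])


def decode_annotated(token: str):
    """Split and decode WITHOUT trusting anything. Returns header, payload and
    a per-claim note so the token can be read like SAML-tracer output."""
    h, p, _sig = token.split(".")
    header = json.loads(_b64url_decode(h))
    payload = json.loads(_b64url_decode(p))
    notes = {k: CLAIM_NOTES.get(k, "custom claim: meaning is defined by the issuer")
             for k in payload}
    return header, payload, notes


def verify_hs256(token: str, secret: bytes, expected_aud: str, now: int = NOW):
    """Returns (ok, reason). Pin the algorithm before touching the signature."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"            # never let the token choose
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    payload = json.loads(_b64url_decode(p))
    if payload.get("aud") != expected_aud:
        return False, "wrong audience"
    if now >= payload.get("exp", 0):
        return False, "expired"
    return True, "ok"


# Constructed token with realistic-looking claims.
HEADER = {"alg": "HS256", "typ": "JWT", "kid": "demo-key-1"}
PAYLOAD = {"iss": "https://idp.example.test", "sub": "u1002", "aud": "payroll-api",
           "iat": 1_700_000_000, "exp": 1_700_003_600, "scp": ["payroll.read"],
           "dept": "Engineering"}
TOKEN = mint(HEADER, PAYLOAD, SECRET)


def tampered(token: str) -> str:
    """Same token with the payload's sub swapped and the signature left alone."""
    h, p, s = token.split(".")
    payload = json.loads(_b64url_decode(p))
    payload["sub"] = "u1001"
    return ".".join([h, _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()), s])


if __name__ == "__main__":
    for claim, note in decode_annotated(TOKEN)[2].items():
        print(f"{claim:>5}: {note}")
    print(verify_hs256(TOKEN, SECRET, "payroll-api"))
    print(verify_hs256(tampered(TOKEN), SECRET, "payroll-api"))
```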

Drift on time-bound entitlements: what's your cleanup cadence, and what's causing the worst drift in your env?

Sanity check needed on entitlement-drift cleanup cadence.

1700 ppl, doing time-bound access grants for ~2 years. Contractors die at term end. Projects expire at JIRA close. Temp admin auto-revokes 24-72hr. Okta workflows handle most of it.

The grants themselves are fine. Cleanup of stuff that SHOULD have expired but didn't is where we're getting eaten.

Specific example. 6-month contractor. Project access scoped to "project alpha". End date Jun 30. 4 months in: project renamed to "project alpha-v2" in Jira. Reorg. Our workflow was still watching the old name. Jun 30 passes. Nothing fires. Contractor keeps access. Caught it on Sep review. 3 months late.

Multiply that across 30+ contractors and a dozen long-running projects. True entitlement creep on time-bound grants is something like 3-4% per quarter. Should be zero.

What is everyone using for cleanup cadence here? Quarterly is too slow. Monthly is what I'm pitching. Weekly automated drift detection is the alternative but it's noisy. Curious what people who've been at this longer landed on.

reddit.com
u/Otherwise-Might738 — 8 days ago
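The weekly drift check the post above mentions, as an added example that is not the poster's code: grants are recorded with a stable project key and an end date, and the detector flags anything still live past its end, anything whose project was renamed (where a name-keyed trigger would have silently stopped firing), and live access on a project that has closed. The grant, project and membership records are constructed, and the field names are assumptions rather than Okta Workflows or Jira objects.

```python
"""Drift detection over time-bound grants: still live past end date,
project renamed since the grant, or project closed while access stayed on.
Added example; grant, project and membership records are constructed and
the field names are assumptions, not Okta Workflows or Jira objects."""
from datetime import date

# Constructed grant records as the workflow recorded them at grant time.
GRANTS = [
    {"user": "c.ortiz", "group": "proj-alpha-rw", "project_key": "PA",
     "project_name": "project alpha", "end": "2024-06-30"},
    {"user": "m.chen", "group": "proj-beta-ro", "project_key": "PB",
     "project_name": "project beta", "end": "2024-12-31"},
    {"user": "k.roy", "group": "temp-admin", "project_key": None,
     "project_name": None, "end": "2024-09-02"},
]
# Constructed tracker state today: alpha was renamed and later closed; keyed
# by the stable project key, which is what a trigger should watch.
PROJECTS = {
    "PA": {"name": "project alpha-v2", "status": "closed"},
    "PB": {"name": "project beta", "status": "open"},
}
# Constructed live group memberships pulled from the IdP.
MEMBERSHIPS = {("c.ortiz", "proj-alpha-rw"), ("m.chen", "proj-beta-ro")}
TODAY = date(2024, 9, 15)


def detect_drift(grants, projects, memberships, today):
    """Return one finding per problem. A grant with no finding is healthy."""
    findings = []
    for g in grants:
        live = (g["user"], g["group"]) in memberships
        end = date.fromisoformat(g["end"])
        base = {"user": g["user"], "group": g["group"]}
        if live and today > end:
            findings.append({**base, "reason": "expired_but_live",
                             "days_late": (today - end).days})
        if g["project_key"] is None:
            continue                       # not a project-scoped grant
        proj = projects.get(g["project_key"])
        if proj is None:
            findings.append({**base, "reason": "project_key_unknown"})
            continue
        if proj["name"] != g["project_name"]:
            # A name-based trigger silently stops firing here; a key-based one does not.
            findings.append({**base, "reason": "project_renamed",
                             "was": g["project_name"], "now": proj["name"]})
        if live and proj["status"] == "closed":
            findings.append({**base, "reason": "project_closed_but_live"})
    return findings


def drift_rate(grants, findings, today):
    """Share of grants already past their end date that are still live."""
    expired = [g for g in grants if today > date.fromisoformat(g["end"])]
    late = {(f["user"], f["group"]) for f in findings if f["reason"] == "expired_but_live"}
    return len(late) / len(expired) if expired else 0.0


def run(today=TODAY):
    """One scheduled pass over the constructed data; returns (findings, rate)."""
    found = detect_drift(GRANTS, PROJECTS, MEMBERSHIPS, today)
    return found, drift_rate(GRANTS, found, today)


if __name__ == "__main__":
    found, rate = run()
    for f in found:
        print(f)
    print("drift rate among expired grants:", rate)
```

Running this weekly is only noisy if every finding pages someone; `project_renamed` on its own is a data-hygiene ticket, while `expired_but_live` is the one that should auto-revoke or at least escalate.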

There's no good open-source CIAM. We're building one.

Auth0 charges per MAU. Clerk starts free and scales into thousands per month. Stytch is elegant but fully managed.

If you want a self-hosted, open-source alternative that doesn't feel like a Java config file from 2009, there's basically nothing (special mention for Ory, but it's very hard to manage a cluster).

That's the gap FerrisKey is targeting with v0.7.
Here's what we're shipping:

- CIAM-first UI panel, an end-user-facing portal, not just an admin console
- Email + auth portal branding, your colors, your domain your experience
- Organization-level login & signup policies, control exactly who can authenticate into which org, just like Auth0 Organizations, but self-hosted and open-source

We're 40+ contributors, 589 stars, and written in Rust.

If you've ever been frustrated by the CIAM/self-hosted gap, we'd love your feedback, your issues, and your PRs.

github.com/ferriskey/ferriskey

What's stopping you from self-hosting your customer identity stack today?

u/Own-Positive6158 — 10 days ago

IdP Session Control

How do you all handle session control at your IdP? Inactivity timeouts get convoluted when trying to account for user experience AND security. IAM walks a tight line between the two, because, you know, the org signs your paychecks but you're still responsible for protecting said org. They want frictionless and your job may depend on not getting compromised.

Then you have application timeouts that you have little control over besides trying to enforce compliance with a written standard.

Forcing users to sign in to every new app after 5, 10, 15, or 30 mins gets backlash, but then you have the same people walking away from an unlocked computer in the middle of the office.

I think risk based authentication helps grant some leeway, but it's not a solve all (see walking away from computer sentence above).

Any best practices (outside NIST/CIS), tips, tricks, thoughts? Just curious to see how others handle this.

Thanks in advance for any responses!

reddit.com
u/trash-in-trash-out — 10 days ago
▲ 92 r/IdentityManagement+2 crossposts

I have been reading this subreddit for months. The same problem comes up constantly - people who understand IAM conceptually but have never touched a real implementation. No lab, no demo, nothing to show in an interview.

I built two free lab environments to fix that in my free time. Posting here because this community is exactly who they are for. Tell me what breaks - I will fix it. [Link to labs in comments]

Lab 1 - IAM (IGA) with full working IAM with one target app and one HR app (OVA download)

A pre-configured VirtualBox VM with a full open-source IGA platform, LDAP as target system, and a simulated HR system already wired together. You import the OVA, start the VM, and you have a working Joiner and Leaver pipeline running on your laptop in under 20 minutes.

  • Add an employee in the HR system
  • Run reconciliation in IAM/IGA
  • Watch the LDAP account appear automatically in ou=people
  • Terminate the employee
  • Watch the account move to ou=inactive

This is the JML lifecycle that every IGA implementation is built around. You build it yourself, you own it, you can enhance it further to demo it in interviews based on job profile.

Lab 2 - Access Management (CIAM) with Auth0

A separate hands-on classroom covering OIDC, SAML federation, and B2C identity flows using Auth0 (from Okta). Built for people who want to understand the access management side and CIAM - SSO, token inspection, real protocol flows, which complements the Enterprise IAM learnings from Lab 1.

Both classrooms are free inside the SimplifyIAM community on Skool.

Not a course, but a lab you build, together with the IAM community.

Note: Not affiliated with any of the tools mentioned. All of them are free to use or open-source.

reddit.com
u/flywhee007 — 13 days ago

Are you guys moving toward Passkeys, or sticking with standard Biometric API calls?

We’re currently re-evaluating our login flow for a high-security project. Passkeys seem like the logical next step, but the implementation feels a bit fragmented across older devices. At 8ration, we’ve always relied on the native FaceID/TouchID wrappers with secure token storage, but the industry seems to be shifting. Does the added complexity of managing Passkey recovery outweigh the security benefits for a standard user, or is it better to stick with what people are already comfortable with? I’m trying to figure out if the friction of a "passwordless" future is going to hurt our conversion rates.

reddit.com
u/Chemical_Distance_79 — 12 days ago

curious what people think of decentralised IAM built around Keycloak compatibility

Maybe this is the better place to ask.

I've been following Tide Foundation and their TideCloak project, which from what I understand is a Keycloak-compatible IAM layer built on top of a decentralised security fabric.

The part I find interesting is that it seems to change what the app has to store in the first place.

Instead of the usual model where identity data, secrets, or key material ends up depending on one central system, Tide splits trust across the network. So the idea is there isn't one central pile of sensitive stuff sitting there to steal.

From what I understand, devs don't need to store user passwords the normal way or manage one central private key. Key material is fragmented across the network, and the password flow uses cryptography where the browser aggregates and validates partial results.

The Keycloak-compatible part seems important because most devs probably won't touch decentralised security if the DX is painful or requires relearning the whole auth stack.

Curious what people here think of this approach.

Does decentralised IAM/security fabric make sense in practice, or does it add too much complexity compared to existing IAM patterns?

TideCloak: https://tide.org/tidecloak

u/Party-Ear-517 — 10 days ago

Day 1 onboarding: AI agent provisioned the wrong access. what guardrails do you put between AI and Okta?

IAM lead at a 1300-person org. Had an incident last quarter worth flagging because I haven't seen it discussed.

New hire onboarding day 1. Our AI helpdesk is wired into Okta for routine provisioning. Manager submits the hire ticket in Slack, AI provisions automatically.

This hire, the manager had copied the dept code from a prior unrelated request. Didn't update it. AI didn't second-guess. Provisioned access to a sensitive analytics tool. New hire (in marketing) had 2 hours of financial planning data access before our daily audit caught it.

No damage, but it was a real moment of "wait, what guardrails are between AI and Okta?" We layered in a 24-hour holdback on any cross-department provisioning request (hire is dept X, requested tool is tagged dept Y -> manual review). Our Slack-side AI helpdesk (risotto) supports custom escalation rules so we wired this in. Slowed cross-dept auto-provisioning from 2 minutes to next-day. Eliminated the failure mode.

What's everyone else doing here? Holdbacks like ours, or something more sophisticated?

reddit.com
u/Fun-Friendship-8354 — 14 days ago
▲ 7 r/IdentityManagement+1 crossposts
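The holdback rule from the post above, written out as an added example that is not the poster's configuration and not a risotto or Okta API. It adds one check the post implies but does not state: the ticket's department code is compared against the HR record first, so a copied-and-pasted code is caught even before the app's department tag is consulted. App tags, ticket fields and the sample hire are constructed.

```python
"""Guard between a chat-driven AI helpdesk and the IdP: provision only when
the ticket's department code agrees with HR and the target app is tagged
for that department; hold anything cross-department for manual review,
releasable after 24 hours. Added example; app tags, request fields and the
records below are constructed, not risotto or Okta API objects."""
from datetime import datetime, timedelta, timezone

# Constructed app catalogue: which departments each app is meant for ('*' = everyone).
APP_DEPT_TAGS = {
    "fp-analytics": {"finance"},
    "crm": {"marketing", "sales"},
    "chat": {"*"},
}
HOLDBACK = timedelta(hours=24)


def evaluate(request, hr_record, now):
    """request: what the manager typed in the ticket ({'user','dept_code','app'}).
    hr_record: authoritative HR row ({'user','dept'}). Returns a decision dict."""
    tags = APP_DEPT_TAGS.get(request["app"])
    if tags is None:
        return {"action": "reject", "reason": "unknown app"}
    hr_dept = hr_record["dept"]
    if request["dept_code"] != hr_dept:
        # The copied dept code from the post: HR wins, the ticket goes to review.
        return {"action": "hold", "reason": "ticket dept_code disagrees with HR",
                "release_after": now + HOLDBACK}
    if "*" in tags or hr_dept in tags:
        return {"action": "provision", "reason": "same-department app"}
    return {"action": "hold", "reason": "cross-department app",
            "release_after": now + HOLDBACK}


def release_due(decision, now):
    """True once a held request may be surfaced to a human reviewer."""
    return decision["action"] == "hold" and now >= decision["release_after"]


# Constructed day-1 onboarding: marketing hire, first ticket carries a stale finance code.
HR = {"user": "new.hire", "dept": "marketing"}
T0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)


def day_one(now=T0):
    """Run four tickets a manager might file; returns the decision list."""
    tickets = [
        {"user": "new.hire", "dept_code": "finance", "app": "fp-analytics"},    # copied code
        {"user": "new.hire", "dept_code": "marketing", "app": "fp-analytics"},  # cross-dept
        {"user": "new.hire", "dept_code": "marketing", "app": "crm"},           # legitimate
        {"user": "new.hire", "dept_code": "marketing", "app": "chat"},          # everyone
    ]
    return [evaluate(t, HR, now) for t in tickets]


if __name__ == "__main__":
    for d in day_one():
        print(d["action"], "-", d["reason"])
```

The guard sits between the helpdesk and the IdP call, so the AI can still draft the request; it just cannot execute it for a department it has no business touching.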

Authorisation for application

We have an application that needs to be set up for SSO. So far they have been manually configuring the users and their access within the application and now are hoping to use AD groups.

The architect and the team were having a discussion about whether to use AD groups only for authentication and then internal access for authorisation, or whether AD groups should be set up for both authentication and authorisation.

reddit.com
u/CombHefty6358 — 13 days ago

Service desk analyst to IAM analyst

Hi Team,

I have been working as a service desk analyst for the last 9 years and would like to transition my career to IAM or M365 Admin.

Please help me decide which certificate I need to choose, SC-300 or SC-900.

I only have experience in Active Directory: password resets, disabling and enabling accounts.

So is it possible to transition and get a job in IAM roles?

If the above certificates are not a good fit, what is the best plan to make the change?

Thanks.

reddit.com
u/Expensive-Floor-4637 — 12 days ago

I was tired of going back and forth with developers on why SCIM users are not getting synced in their app, and the never-ending debugging calls. So I built a simple command-line SCIM server simulator which developers can use to test everything and write automations before actually getting IT admins involved.

It can simulate user and group events from the most popular IdPs like Okta, Microsoft, JumpCloud, One Identity, etc.

github.com
u/Minute_Dimension_200 — 14 days ago
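In the same spirit as the simulator above, an added example that is not that project's code: an in-process SCIM 2.0 `/Users` service provider covering the calls an IdP actually makes during a push (filter lookup, create, uniqueness conflict, PATCH `active=false` in both the Okta path-based and Entra value-object shapes, DELETE). Nothing listens on a socket; `handle()` is called directly, so the same object can back a CLI or a unit test. The sample user and the `deprovision_flow` sequence are constructed.

```python
"""In-process SCIM 2.0 /Users handler: create, uniqueness conflict, userName
filter, PATCH active=false (Okta path style and Entra value style), DELETE.
Added example, not the post's simulator; no network, call handle() directly."""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimUsers:
    """Tiny SCIM service provider for the /Users resource, kept in memory."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _error(status, detail, scim_type=None):
        body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
        if scim_type:
            body["scimType"] = scim_type
        return status, body

    def handle(self, method, path, body=None, query=None):
        """Dispatch like an HTTP router would. Returns (status, json_body)."""
        parts = path.strip("/").split("/")
        if parts[0] != "Users" or len(parts) > 2:
            return self._error(404, "resource not found")
        uid = parts[1] if len(parts) == 2 else None
        if method == "POST" and uid is None:
            return self._create(body or {})
        if method == "GET" and uid is None:
            return self._list(query or {})
        if method == "GET":
            return (200, self.users[uid]) if uid in self.users else self._error(404, "user not found")
        if method == "PATCH" and uid:
            return self._patch(uid, body or {})
        if method == "DELETE" and uid:
            return (204, None) if self.users.pop(uid, None) else self._error(404, "user not found")
        return self._error(405, "method not allowed")

    def _create(self, body):
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return self._error(400, "schemas and userName are required", "invalidValue")
        uname = body["userName"].lower()          # userName is case-insensitive in SCIM
        if any(u["userName"].lower() == uname for u in self.users.values()):
            return self._error(409, "userName already exists", "uniqueness")
        uid = str(uuid.uuid4())
        user = {"schemas": [USER_SCHEMA], "id": uid, "userName": body["userName"],
                "active": body.get("active", True), "name": body.get("name", {}),
                "emails": body.get("emails", []),
                "meta": {"resourceType": "User", "location": f"/Users/{uid}"}}
        self.users[uid] = user
        return 201, user

    def _list(self, query):
        matches = list(self.users.values())
        filt = query.get("filter")
        if filt:
            # Only the filter IdPs send before a create: userName eq "value"
            parts = filt.split(" ", 2)
            if len(parts) != 3 or parts[0] != "userName" or parts[1].lower() != "eq":
                return self._error(400, "unsupported filter", "invalidFilter")
            value = parts[2].strip('"').lower()
            matches = [u for u in matches if u["userName"].lower() == value]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matches),
                     "startIndex": 1, "itemsPerPage": len(matches), "Resources": matches}

    def _patch(self, uid, body):
        if uid not in self.users:
            return self._error(404, "user not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return self._error(400, "PatchOp schema required", "invalidSyntax")
        user = self.users[uid]
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return self._error(400, f"unsupported op: {op.get('op')}", "invalidValue")
            if "path" in op:
                user[op["path"]] = op["value"]     # Okta: {"op":"replace","path":"active","value":false}
            else:
                user.update(op["value"])           # Entra: {"op":"Replace","value":{"active":false}}
        return 200, user


def deprovision_flow():
    """Constructed IdP sequence: create, re-create collision, look up, deactivate."""
    svc = ScimUsers()
    new_user = {"schemas": [USER_SCHEMA], "userName": "j.doe@example.test",
                "name": {"givenName": "Jo", "familyName": "Doe"}, "active": True}
    st_create, created = svc.handle("POST", "/Users", new_user)
    st_dup, _ = svc.handle("POST", "/Users", {**new_user, "userName": "J.Doe@example.test"})
    _, found = svc.handle("GET", "/Users", query={"filter": 'userName eq "j.doe@example.test"'})
    st_patch, patched = svc.handle("PATCH", f"/Users/{created['id']}",
                                   {"schemas": [PATCH_SCHEMA],
                                    "Operations": [{"op": "Replace", "value": {"active": False}}]})
    return {"create": st_create, "dup": st_dup, "found": found["totalResults"],
            "patch": st_patch, "active_after": patched["active"], "svc": svc, "id": created["id"]}


if __name__ == "__main__":
    result = deprovision_flow()
    print({k: v for k, v in result.items() if k != "svc"})
```

The 409 with `scimType: uniqueness` and the unsupported-filter 400 are the two responses developers most often get wrong in their own endpoint, and both make an IdP's sync loop stall; having them reproducible locally is most of what a simulator buys you.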