Who is this cybersecurity IAM course for?

Security engineers stepping into IAM-focused work; IT engineers moving from on-prem AD into modern identity (Entra ID, Okta, federated SaaS); developers responsible for application-layer identity integration; GRC analysts who need primary-source fluency in 800-63 IAL/AAL/FAL levels; cybersecurity professionals preparing for CISSP or CCSP IAM domain coverage.

What primary sources does this cybersecurity IAM course cite?

NIST SP 800-63-3 Digital Identity Guidelines (Grassi et al. 2017) and the 800-63-4 public draft (NIST 2024), NIST SP 800-63B Authentication and Lifecycle Management, NIST SP 800-207 Zero Trust Architecture (Rose et al. 2020), NIST SP 800-162 ABAC (Hu et al. 2014), OAuth 2.0 (RFC 6749, Hardt 2012), OAuth 2.0 PKCE (RFC 7636), OAuth 2.0 Security BCP (RFC 9700, 2024), OpenID Connect Core 1.0 (Sakimura et al. 2014), SAML 2.0 OASIS standards (2005), W3C WebAuthn Level 2 Recommendation, FIDO Alliance CTAP 2.2, CISA Implementing Phishing-Resistant MFA (2022), Microsoft Entra Privileged Identity Management documentation, BLS OES 2024, ISC2 Workforce Study 2024.

Will this prepare me for an IAM cert?

It is a primary-source-grounded primer. Microsoft Identity and Access Administrator (SC-300), Okta Certified Professional, and the IAM domains of CISSP and CCSP all test against the same protocol foundations (OAuth, OIDC, SAML, FIDO2). Pair the course with the cert provider's official training resource for full exam coverage.

Do I need a paid identity-platform subscription to take the course?

No. Microsoft Entra External ID, Okta Workforce, Auth0, and Google Cloud Identity all offer free tiers that cover the hands-on labs. The course recommends starting with whichever identity provider is closest to your job target.

Primary-source-grounded cybersecurity course

Identity and Access Management Fundamentals

A primary-source-grounded six-module path into IAM engineering and architecture: digital identity assurance per NIST SP 800-63, the OAuth 2.0 and OpenID Connect protocols, SAML 2.0, FIDO2/WebAuthn, zero-trust identity, and the IAM career ladder.

6 modules16 hours$197 one-timeNIST + IETF + OASIS + W3C sourced

What this cybersecurity course is

Identity and Access Management Fundamentals is a 6-module cybersecurity course for security engineers, IT engineers, and developers moving into IAM engineering or architecture roles. Every module is grounded in primary-source standards: NIST SP 800-63-3 Digital Identity Guidelines (Grassi et al. 2017, Revision 4 in active development as of 2024), NIST SP 800-207 Zero Trust Architecture (Rose et al. 2020), NIST SP 800-162 Attribute-Based Access Control Guide (Hu et al. 2014), the OAuth 2.0 RFC 6749 (Hardt 2012) and OpenID Connect Core 1.0 (Sakimura et al. 2014), SAML 2.0 OASIS specifications (2005), and FIDO2 with W3C WebAuthn (2019). The course covers identity proofing and authenticator assurance, federated authentication via SAML and OIDC, modern phishing-resistant MFA via FIDO2, the privilege-management primitives that produce least-privilege IAM, and the workforce-identity blast-radius problem. Designed by Julian Calvo, Ed.D. in Applied Learning Sciences (University of Miami, 2026).

The course sequences six modules around the IAM operational lifecycle: identity proofing, authentication, federation, authorization, privileged access, and lifecycle management. Each module pairs a primary-source standard with a hands-on artifact: read the standard, configure a real federated identity flow against a free-tier identity provider (Microsoft Entra External ID, Okta Workforce or Auth0 free tier, Google Cloud Identity), document the security review the way an IAM engineering team would expect to see it. The pedagogical pattern follows Kolb's experiential learning cycle (1984): concrete IAM configuration, structured reflection against the standard, abstract conceptualization through the protocol specification, then active experimentation in the free-tier environment. Every claim cites NIST, an IETF or OASIS specification, the FIDO Alliance, BLS, ISC2, or peer-reviewed research. No identity-vendor white paper without primary-source backing.

Six modules

Module 01 · 130 min
Digital Identity and the NIST 800-63 Stack
What identity assurance, authenticator assurance, and federation assurance levels mean per NIST SP 800-63-3, why the stack is the most-cited US Government identity standard, and how to apply it to a real authentication flow.
Learning objectives
- Cite the three Identity Assurance Levels (IAL1, IAL2, IAL3), three Authenticator Assurance Levels (AAL1, AAL2, AAL3), and three Federation Assurance Levels (FAL1, FAL2, FAL3) per NIST SP 800-63-3
- Map a real authentication flow (such as US federal agency staff logging into an HSPD-12 PIV-protected resource) to the appropriate IAL/AAL/FAL combination
- Distinguish identity proofing (the IAL question) from authentication (the AAL question) and explain why a system can have high AAL with low IAL or vice versa
Module 02 · 140 min
OAuth 2.0 and OpenID Connect
What OAuth 2.0 actually is (delegated authorization, not authentication), how OpenID Connect adds authentication on top, and why misunderstanding the distinction is the most common IAM engineering error.
Learning objectives
- Cite RFC 6749 (OAuth 2.0 Authorization Framework) and identify the four canonical grant types (authorization code, implicit, resource owner password credentials, client credentials) plus PKCE per RFC 7636
- Explain how OpenID Connect Core 1.0 layers ID Token authentication on top of OAuth 2.0, and why an OAuth 2.0 access token alone is not proof of authentication
- Identify three common OAuth/OIDC implementation mistakes (using implicit grant for SPAs in 2024, accepting an unverified ID Token, treating the access token's audience as the authenticated user) and the correct pattern for each
Module 03 · 110 min
SAML 2.0 and Federated Workforce Identity
Why SAML 2.0 still dominates enterprise workforce SSO, what the SP-initiated and IdP-initiated flows look like, and how to read a SAML response message.
Learning objectives
- Cite SAML 2.0 OASIS specifications (Core, Bindings, Profiles) and identify when each governs the protocol behavior
- Distinguish SP-initiated and IdP-initiated SAML flows by the order of operations and the security implications of each
- Read a SAML response (XML) and identify the assertion, the conditions (NotBefore, NotOnOrAfter), the authentication context, and the signature scope
Module 04 · 120 min
FIDO2, WebAuthn, and Phishing-Resistant MFA
Why phishing-resistant MFA matters more than any other authentication control, what FIDO2 and WebAuthn actually do, and how to deploy them at organizational scale.
Learning objectives
- Cite the FIDO2 specification stack (W3C WebAuthn Level 3 + FIDO Alliance CTAP 2.2) and explain how the cryptographic challenge-response prevents phishing
- Distinguish platform authenticators (TouchID, Windows Hello, Android biometric) from roaming authenticators (YubiKey, Titan Security Key, smart card)
- Cite CISA's 2022 'Implementing Phishing-Resistant MFA' guidance and Microsoft's 2023 internal data on conditional-access enforcement of phishing-resistant MFA
Module 05 · 110 min
Least Privilege and Privileged Access Management
What least privilege actually means in practice, how PAM (Privileged Access Management) systems implement it, and the difference between standing privilege and just-in-time elevation.
Learning objectives
- Cite NIST SP 800-162 (Hu et al. 2014) Attribute-Based Access Control and identify how ABAC differs from role-based access control
- Distinguish standing privileged access (an admin account that holds privilege continuously) from just-in-time elevation (privilege granted on request, expires automatically)
- Identify the minimum-viable PAM controls: privileged account vault, session recording, just-in-time elevation, separation of duties, periodic access review
Module 06 · 100 min
The IAM Career Trajectory
What the IAM engineer, IAM architect, IAM program manager, and identity-platform-engineering ladder looks like, the credentials hiring managers price into the offer, and the BLS, ISC2, and CIAM industry data behind compensation.
Learning objectives
- Distinguish IAM engineer, IAM architect, IAM program manager, and identity-platform engineer by daily decisions and credentials
- Cite BLS OES 2024 and ISC2 2024 data on IAM compensation and identify the regulated-industry premium
- Build a 12-month plan from current state to a target IAM role with credentialed milestones (Security+ or Identity Management Institute CIMP, plus CISSP for senior roles, plus a portfolio of working IAM configurations)

Target audience

Security engineers stepping into IAM-focused engineering or architecture
IT engineers moving from on-prem Active Directory work into modern IAM (Entra ID, Okta, federated SaaS)
Developers responsible for the application-layer identity integration (OAuth, OIDC, SCIM)
GRC analysts who need primary-source fluency in identity controls (NIST 800-63 IAL/AAL/FAL levels)
Cybersecurity professionals preparing for the CISSP or CCSP examinations whose IAM domain coverage exceeds prior preparation

Prerequisites

Working comfort with at least one identity provider (Active Directory, Microsoft Entra ID, Okta, Auth0, Google Workspace)
Basic understanding of TLS, public-key cryptography, and HTTP
Familiarity with reading RFC-style specifications and JSON Web Tokens
Willingness to commit 8 to 10 weeks of 4 to 6 hours per week study

Sources

NIST SP 800-63-3: Digital Identity Guidelines — Grassi, Garcia, Fenton (2017). Public-domain US Government work.
NIST SP 800-63-4 Public Draft — NIST (2024). Public-domain draft revision.
NIST SP 800-63B: Authentication and Lifecycle Management — Grassi et al. (2017). Public-domain.
NIST SP 800-207: Zero Trust Architecture — Rose, Borchert, Mitchell, Connelly (2020).
NIST SP 800-162: Guide to Attribute Based Access Control (ABAC) — Hu et al. (2014).
OAuth 2.0 Authorization Framework (RFC 6749) — Hardt (2012). IETF open standard.
OAuth 2.0 PKCE (RFC 7636) — Sakimura, Bradley, Agarwal (2015).
OAuth 2.0 Security Best Current Practice (RFC 9700) — Lodderstedt, Bradley, Labunets, Fett (2024).
OpenID Connect Core 1.0 — Sakimura, Bradley, Jones, de Medeiros, Mortimore (2014).
SAML 2.0 (OASIS Standard) — OASIS Security Services TC (2005).
W3C WebAuthn Level 2 Recommendation — World Wide Web Consortium (2021).
FIDO Alliance CTAP 2.2 — FIDO Alliance (2024).
CISA Implementing Phishing-Resistant MFA — CISA (2022).
BLS OES May 2024: Information Security Analysts — U.S. Bureau of Labor Statistics.
ISC2 Cybersecurity Workforce Study 2024 — Workforce gap and compensation by tier and region.

Disclaimer

This course is for educational purposes only. IAM decisions affect access to production systems and personal data; readers must adapt course content to the specific platform, threat model, and regulatory context of the consuming organization. NIST publications cited here are public-domain US Government works. IETF RFCs and OASIS / W3C specifications are open standards. FIDO2 and WebAuthn specifications are public. AWS, Microsoft Entra, Okta, Auth0, Google Cloud Identity, and other named platforms are trademarks of their respective owners. DecipherU is not affiliated with any IAM vendor.

Identity and Access Management Fundamentals

6 modules16 hours$197 one-timeNIST + IETF + OASIS + W3C sourced

What this cybersecurity course is

Six modules

Module 01 · 130 min

Digital Identity and the NIST 800-63 Stack

What identity assurance, authenticator assurance, and federation assurance levels mean per NIST SP 800-63-3, why the stack is the most-cited US Government identity standard, and how to apply it to a real authentication flow.

Learning objectives

Cite the three Identity Assurance Levels (IAL1, IAL2, IAL3), three Authenticator Assurance Levels (AAL1, AAL2, AAL3), and three Federation Assurance Levels (FAL1, FAL2, FAL3) per NIST SP 800-63-3
Map a real authentication flow (such as US federal agency staff logging into an HSPD-12 PIV-protected resource) to the appropriate IAL/AAL/FAL combination
Distinguish identity proofing (the IAL question) from authentication (the AAL question) and explain why a system can have high AAL with low IAL or vice versa

Module 02 · 140 min

OAuth 2.0 and OpenID Connect

What OAuth 2.0 actually is (delegated authorization, not authentication), how OpenID Connect adds authentication on top, and why misunderstanding the distinction is the most common IAM engineering error.

Learning objectives

Cite RFC 6749 (OAuth 2.0 Authorization Framework) and identify the four canonical grant types (authorization code, implicit, resource owner password credentials, client credentials) plus PKCE per RFC 7636
Explain how OpenID Connect Core 1.0 layers ID Token authentication on top of OAuth 2.0, and why an OAuth 2.0 access token alone is not proof of authentication
Identify three common OAuth/OIDC implementation mistakes (using implicit grant for SPAs in 2024, accepting an unverified ID Token, treating the access token's audience as the authenticated user) and the correct pattern for each

Module 03 · 110 min

SAML 2.0 and Federated Workforce Identity

Why SAML 2.0 still dominates enterprise workforce SSO, what the SP-initiated and IdP-initiated flows look like, and how to read a SAML response message.

Learning objectives

Cite SAML 2.0 OASIS specifications (Core, Bindings, Profiles) and identify when each governs the protocol behavior
Distinguish SP-initiated and IdP-initiated SAML flows by the order of operations and the security implications of each
Read a SAML response (XML) and identify the assertion, the conditions (NotBefore, NotOnOrAfter), the authentication context, and the signature scope

Module 04 · 120 min

FIDO2, WebAuthn, and Phishing-Resistant MFA

Why phishing-resistant MFA matters more than any other authentication control, what FIDO2 and WebAuthn actually do, and how to deploy them at organizational scale.

Learning objectives

Cite the FIDO2 specification stack (W3C WebAuthn Level 3 + FIDO Alliance CTAP 2.2) and explain how the cryptographic challenge-response prevents phishing
Distinguish platform authenticators (TouchID, Windows Hello, Android biometric) from roaming authenticators (YubiKey, Titan Security Key, smart card)
Cite CISA's 2022 'Implementing Phishing-Resistant MFA' guidance and Microsoft's 2023 internal data on conditional-access enforcement of phishing-resistant MFA

Module 05 · 110 min

Least Privilege and Privileged Access Management

What least privilege actually means in practice, how PAM (Privileged Access Management) systems implement it, and the difference between standing privilege and just-in-time elevation.

Learning objectives

Cite NIST SP 800-162 (Hu et al. 2014) Attribute-Based Access Control and identify how ABAC differs from role-based access control
Distinguish standing privileged access (an admin account that holds privilege continuously) from just-in-time elevation (privilege granted on request, expires automatically)
Identify the minimum-viable PAM controls: privileged account vault, session recording, just-in-time elevation, separation of duties, periodic access review

Module 06 · 100 min

The IAM Career Trajectory

What the IAM engineer, IAM architect, IAM program manager, and identity-platform-engineering ladder looks like, the credentials hiring managers price into the offer, and the BLS, ISC2, and CIAM industry data behind compensation.

Learning objectives

Distinguish IAM engineer, IAM architect, IAM program manager, and identity-platform engineer by daily decisions and credentials
Cite BLS OES 2024 and ISC2 2024 data on IAM compensation and identify the regulated-industry premium
Build a 12-month plan from current state to a target IAM role with credentialed milestones (Security+ or Identity Management Institute CIMP, plus CISSP for senior roles, plus a portfolio of working IAM configurations)

Target audience

Security engineers stepping into IAM-focused engineering or architecture

IT engineers moving from on-prem Active Directory work into modern IAM (Entra ID, Okta, federated SaaS)

Developers responsible for the application-layer identity integration (OAuth, OIDC, SCIM)

GRC analysts who need primary-source fluency in identity controls (NIST 800-63 IAL/AAL/FAL levels)

Cybersecurity professionals preparing for the CISSP or CCSP examinations whose IAM domain coverage exceeds prior preparation

Prerequisites

Working comfort with at least one identity provider (Active Directory, Microsoft Entra ID, Okta, Auth0, Google Workspace)

Basic understanding of TLS, public-key cryptography, and HTTP

Familiarity with reading RFC-style specifications and JSON Web Tokens

Willingness to commit 8 to 10 weeks of 4 to 6 hours per week study

Disclaimer

Identity and Access Management Fundamentals

What this cybersecurity course is

Six modules

Digital Identity and the NIST 800-63 Stack

OAuth 2.0 and OpenID Connect

SAML 2.0 and Federated Workforce Identity

FIDO2, WebAuthn, and Phishing-Resistant MFA

Least Privilege and Privileged Access Management

The IAM Career Trajectory

Target audience

Prerequisites

Related cybersecurity content

Sources

Disclaimer

Identity and Access Management Fundamentals

What this cybersecurity course is

Six modules

Digital Identity and the NIST 800-63 Stack

OAuth 2.0 and OpenID Connect

SAML 2.0 and Federated Workforce Identity

FIDO2, WebAuthn, and Phishing-Resistant MFA

Least Privilege and Privileged Access Management

The IAM Career Trajectory

Target audience

Prerequisites

Related cybersecurity content

Sources

Disclaimer