Activity
Mon
Wed
Fri
Sun
Aug
Sep
Oct
Nov
Dec
Jan
Feb
Mar
Apr
May
Jun
Jul
What is this?
Less
More

Memberships

SimplifyIAM

557 members • Free

13 contributions to SimplifyIAM
IAM / Access Management: RBAC with Auth0
First of all, thank you, Srinath. The way you explain each IAM concept with a demo is really good and very easy to follow. After the Authentication vs Authorization and RBAC lessons, the Auth0 example you showed in the video gave me the idea to build my own version the same way. Here is what I did: 1. I Set up my app in Auth0 as a Single Page Application. 2. After that, I made two users, one admin and one normal user. 3. Made two roles (admin and user) and assigned them to the users. 4. Added a Post-Login Action so each user's role goes into their login token. 5. Built a small app with four pages (Public, Profile, Protected, Admin) that checks the role. Result: both users can log in (authentication), but only the admin can open the Admin page. The normal user logs in fine but gets a clear "Access Denied" (authorization). This proves: being logged in is not the same as being allowed to access everything.
IAM / Access Management: RBAC with Auth0
1 like • 7d
@Srinath U Thank you, that really means a lot, especially coming from you. The labs and this community have genuinely helped connect the dots for me, so I appreciate you taking the time to look through what I shared. Thanks for answering all my questions and adding new concepts in the IAM, and as I said before, your course is easy to follow and well structured. Looking forward to the next lesson 🙌
New concept lesson: what "identity" actually means in IAM
Just added a new concepts lesson. It clears up the single most common point of confusion for people getting into IAM. In the application world everything is an account. A user in AD, a profile in Salesforce, a service account, an API key. The moment you step into an IAM platform, all of it becomes one thing, an identity, and the identity is the source of truth the accounts hang off. One identity, many accounts, governed as one. It is in the Classroom IAM Concepts here. Drop questions in the comments.
1 like • 7d
Thanks@Srinath U , for explaining Identity, and I really appreciate you adding more IAM concepts. It's true that it's the foundation of everything in IAM. This connected well with the IGA concept, which you explained clearly with the diagrams and explanation under IAM core concepts. In the past, I have completed the SailPoint course on IGA and ISC, so it helped to connect the two together. Still learning, so please correct me: My answers on the check yourself: 1. Non-human identities: AI agents, API keys, Cloud IAM roles.I'm still building depth on the Cloud IAM roles side specifically. But I'd love the opportunity to work with these hands-on in a real IAM platform within an organization. I think this is where the field is heading, and I want my skills to grow with it. 2. Account admin vs identity governance: Account admin = who can create, edit, or disable an account. Identity governance = who should have access, and proving it during an audit. My thinking, but checking : Questions: a) If someone changes role or location, but stays in the same company, does their identity stay the same? I think yes, the identity stays the same, but their attributes change (role, location, department). In this situation, the Mover event is triggered in the JML process, and access is updated through provisioning. Please let me know if there's more to this. b) If a contractor user is rehired for the same project from a contract position to a permanent employment position, and all their old system access was already set up, do they get a new identity, or is the old one reused? I'm not sure what's best practice in this situation. Reusing the identity avoids duplicate records, but a new identity might be a clean process for audits, since old access might be outdated. What's the best practice for small companies vs big companies? Thanks in advance
#BuiltMyL5: OAuth
Interesting one. Done with the OAuth 2.0 M2M lab with Auth0. I executed the Client Credentials flow and decoded the access token. Here is an extra step, in case you experience the same problem: please you need to turn on RBAC on the API and give the app the permission before read:invoices show in the token. If you do not, the permissions list comes back empty. Please check the screenshot for more clarity. Just for your References: Enable Role-Based Access Control for APIs : https://auth0.com/docs/get-started/apis/enable-role-based-access-control-for-apis Adding RBAC Permissions to Access Tokens : https://support.auth0.com/center/s/article/Adding-RBAC-Permissions-to-Access-Tokens
#BuiltMyL5: OAuth
1 like • 9d
Hi @Srinath, the difference is that OAuth 2.0 handles authorization it decides what an app is allowed to access, while OIDC handles authentication, meaning it tells you who the user actually is. OIDC is built on top of OAuth 2.0. The problem was that OAuth 2.0 only gives you an access token (to call APIs) and a refresh token (to get new access tokens) there's no token that identifies the user. So people started to access the tokens and call extra APIs just to check who the user was, which is not safe(security issue). That's why OIDC was created to add a proper identity for the user on top of OAuth.Please let me know if there are any other reasons.
#BuiltMyL4: OIDC Hands-on
Implemented full OpenID Connect flow with Auth0, decoded the ID Token (JWT), and identified the sub, iss, and email claims.
#BuiltMyL4: OIDC Hands-on
Lab L3 (SAML Hands-on)
Thanks @Srinath U . The lab instructions was well structured. I completed Lab L3 (SAML Hands-on): I set up SAML login between Auth0 and samlsp.com, and verified the login worked using SAML-tracer.
Lab L3 (SAML Hands-on)
1-10 of 13
Debjit Das
3
21points to level up
@debjit-das-2997
IAM enthusiast | SSO/MFA/SAML/OIDC support background, building toward an IAM analyst/operations role through Entra labs | UK-based | here to learn

Active 3d ago
Joined Jun 22, 2026
United Kingdom