r/iam

▲ 11 r/iam+1 crossposts

Anyone interested in presenting something at an IAM community meetup/workshop?

Anyone interested in casually presenting something at an upcoming IAM community meetup/workshop?

I’m looking for people who’d be open to sharing something useful with others in the IAM/security space.

Could be:

  • a cool IAM setup or workflow
  • useful tools/resources
  • automation ideas
  • Entra/Okta lessons learned
  • phishing-resistant MFA
  • AI + IAM topics
  • cert/career advice
  • something you wish more IAM people knew

Nothing salesy or overly formal. More “here’s something useful I learned” than “come watch my pitch.”

We’ve been growing a pretty active IAM community in the Zero to Sec Discord, and I’d like to get more community-led sessions going with people sharing real-world knowledge and ideas.

If interested, drop a comment or DM me.

u/iamblas — 15 hours ago
▲ 92 r/iam+2 crossposts

I have been reading this subreddit for months. The same problem comes up constantly - people who understand IAM conceptually but have never touched a real implementation. No lab, no demo, nothing to show in an interview.

I built two free lab environments to fix that in my free time. Posting here because this community is exactly who they are for. Tell me what breaks - I will fix it. [Link to labs in comments]

Lab 1 - IAM (IGA) with full working IAM with one target app and one HR app (OVA download)

A pre-configured VirtualBox VM with a full open-source IGA platform, LDAP as target system, and a simulated HR system already wired together. You import the OVA, start the VM, and you have a working Joiner and Leaver pipeline running on your laptop in under 20 minutes.

  • Add an employee in the HR system
  • Run reconciliation in IAM/IGA
  • Watch the LDAP account appear automatically in ou=people
  • Terminate the employee
  • Watch the account move to ou=inactive

This is the JML lifecycle that every IGA implementation is built around. You build it yourself, you own it, you can enhance it further to demo it in interviews based on job profile.

Lab 2 - Access Management (CIAM) with Auth0

A separate hands-on classroom covering OIDC, SAML federation, and B2C identity flows using Auth0 (from Okta). Built for people who want to understand the access management side and CIAM - SSO, token inspection, real protocol flows, which complements learnings of Enterprise IAM from Lab 1.

Both classrooms are free inside the SimplifyIAM community on Skool.

Not a course, but a lab you build, together with the IAM community.

Note: Not affiliated with any of the tools mentioned. All of them are free to use or open-source.

u/flywhee007 — 5 days ago
▲ 3 r/iam

Identity reports looked clean. Then we found active accounts in 3 apps nobody ever connected to anything.

Ran a full access review in January. Okta clean. Entra clean. Reports looked fine across the board.

A week later someone mentioned an internal billing tool with its own login. No SSO. Just username/password. Pulled users, found 14 accounts. 6 were people who had already left.

Then we started digging. Found two more apps in the same situation. One internal, one from an old vendor setup. All had their own user stores and weren't tied into anything we manage.

Our tooling wasn't wrong. It just wasn't seeing the whole environment.

Everything it showed was accurate. It just missed the parts nobody ever connected or tracked.

How are you finding apps that have their own auth and were never part of your IAM in the first place, especially when you don't have the bandwidth to do it manually?

u/gabbietor — 24 hours ago
▲ 7 r/iam+1 crossposts

Authorisation for application

We have an application that needs to be set up for SSO. So far they have been manually configuring the users and their access within the application and now are hoping to use AD groups.

The architect and the team were having a discussion about whether to use AD groups only for authentication and then internal access for authorisation or should AD groups be set up for both authentication and authorisation.

u/CombHefty6358 — 5 days ago
▲ 13 r/iam

If you joined a new organization and had one month before audit season, what would you fix first?

  • Ownerless apps
  • Service accounts
  • Stale group memberships
  • Secrets that never expire
  • Something else?

Trying to sanity-check priorities.

u/Tech-writer-209 — 9 days ago