How did I move from Application Development to IAM Domain!!

karthik

4 min read · Jan 26, 2022

I started as a Java / J2EE developer and worked on multiple Java development projects as a developer, lead, architect and manager for almost 13 years.

Since the Identity & Access Management (IAM) industry is growing rapidly, I thought of sharing my experience of moving from application development to the IAM domain.

So, how did I land in the IAM domain?

One fine day, my management asked me if I was interested in working on an IAM project. The project was about taking over a legacy IAM application built on Java and migrating it to a new identity platform built using a commercial identity product. When I started working on this project, I didn’t have any knowledge of IAM, Single Sign-On, SAML, OIDC, OAuth 2.0 etc.

What did I do to improve my IAM knowledge?

Practice, Practice, Practice !!

The easiest way to learn IAM is to build sample apps using the most commonly used protocols like OIDC, OAuth 2.0 and SAML. The greatest advantage of coming from an application development background is that you already have programming experience. You don’t need much guidance to build a simple web app, because there are lots of sample apps available on the internet.

What tools can be used for building sample apps?

  • When I started my IAM career, there were not many IDaaS (Identity as a Service) providers. The only way to learn IAM was to install a commercial identity product on your local system and build PoCs. Nowadays, you can register for a free developer account with products like Okta, Auth0, Microsoft Azure AD, AWS Cognito, Google Cloud etc. and build a PoC.
  • The easiest thing for a person coming from an application development background is to build a sample web app that uses the OpenID Connect protocol to authenticate with an Identity Provider. Many products like Okta, Auth0 etc. provide sample apps on their websites that can be downloaded and imported into IDEs like Eclipse, IntelliJ etc. They also have step-by-step instructions to compile / run the code and configure the app in the identity provider. Setting up a SAML app is a bit tricky and requires more work compared to an OIDC app. So, my recommendation is to start with an OIDC app and then proceed to a SAML app.
  • There are lots of videos available on YouTube on setting up sample apps.
  • Once you have set up a simple web app using the OIDC protocol, the best way to learn how the protocol works is to follow the HTTP requests / responses in the browser developer tools or in browser plug-ins like SAML-tracer. As a developer, you have probably already used these tools many times for debugging browser-related issues.
  • Another handy tool is Postman, which can be used to debug and learn the API calls that are made during an OIDC flow.
  • I also recommend checking out the sequence diagrams in identity product documentation (Okta, Auth0, Microsoft Azure AD etc.) and then debugging the flow using browser developer tools. In this way, you can easily follow the flow step by step. Just google for "OpenID Connect sequence diagram" and you should see lots of websites explaining the basic OIDC flows.
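As an added example (not part of the original post), here are the three messages of the OIDC authorization code flow that you would trace in the browser developer tools, with the checks a client application performs on each of them. The IdP URL, client ID and ID token are hypothetical values constructed for this example; the token is unsigned, so this only shows how to read the claims, not how to verify a real token.

```python
import base64, hashlib, json
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical IdP and client values, constructed for this example.
ISSUER = "https://idp.example.com"
CLIENT_ID = "sample-web-app"
REDIRECT_URI = "http://localhost:8080/callback"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_authorization_request(state: str, nonce: str, code_verifier: str) -> str:
    # Step 1: the redirect to the IdP, the first request you see in dev tools.
    challenge = b64url(hashlib.sha256(code_verifier.encode()).digest())
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,                # ties the callback to this browser session
        "nonce": nonce,                # must come back inside the ID token
        "code_challenge": challenge,   # PKCE: binds the code to this client
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"

def parse_callback(url: str, expected_state: str) -> str:
    # Step 2: the IdP redirects back with ?code=...&state=...; reject a state mismatch.
    qs = parse_qs(urlparse(url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    return qs["code"][0]

def decode_id_token_claims(id_token: str, expected_nonce: str, now: int) -> dict:
    # Step 3: read the ID token from the token response. Only the payload is decoded here
    # (as jwt.io does); a real app must also verify the signature against the IdP's JWKS.
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    for name, expected in {"iss": ISSUER, "aud": CLIENT_ID, "nonce": expected_nonce}.items():
        if claims.get(name) != expected:
            raise ValueError(f"{name} mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def make_sample_id_token(nonce: str, now: int) -> str:
    # Constructed token with a fake signature, for offline testing only.
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "demo"}).encode())
    body = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123", "nonce": nonce,
            "iat": now, "exp": now + 300}
    return f"{header}.{b64url(json.dumps(body).encode())}.fake-signature"
```

Compare the query parameters of the first redirect and the claims of the decoded token with what you see in the Network tab of your own sample app; the `state` and `nonce` values are the ones to follow from request to response.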

What resources can be used for improving the IAM knowledge?

  • The best resource is the official documentation for OIDC and SAML.
  • Microsoft has very good documentation, and products like Okta, Auth0 etc. have good documentation too. Initially, focus on the OIDC / OAuth 2.0 protocols, followed by SAML.
  • Again, practice !! IAM is basically a set of protocols, and learning these protocols is the key to success.

How to change your thinking?

  • When you come from an application development background, you tend to focus on a specific application’s audience or customers. When you move to the IAM domain, you should start thinking at an enterprise level, because identity platforms are used by organizations to secure all their assets, whether internal or external apps, networks, devices etc. Identity is one of the core components of Zero Trust Architecture and digital initiatives.
  • Many developers think identity only refers to humans with a username / password to access various apps. In reality, an identity can be a human, a machine, a car, a bike, a device etc. Different protocols are used for different use cases.
  • There is also a wrong assumption that IAM is used only for authentication. IAM actually stands for Identity & Access Management, i.e. authentication and authorization. There might be cases where some organizations use IAM only for authentication and not for authorization, but that is very rare.

What not to do?

  • In the initial days, don’t focus too much on learning the identity product. Instead, spend more time understanding the basic identity protocols like OIDC, OAuth 2.0 and SAML. All the commercial identity products in the market follow these protocol specs. If you understand the basic protocols very well, it will be easier to learn the various features that are built into the identity product to support them.
  • Don’t start experimenting too soon by trying to learn topics like multi-factor authentication, authorization, mobile app integration etc. Focus on the basics.
  • Don’t keep reading multiple documents that explain these protocols in different ways. The best way to learn is hands-on experience, i.e. build PoCs using your application development knowledge and debug the application.

I hope you enjoyed this blog. If you have any questions, kindly leave a comment.
