6.5.1. On-Premises and Cloud Identity Platforms
💡 First Principle: Identity platforms are the authoritative source of truth for who exists in the organization, what groups they belong to, and what credentials they hold — every authentication and authorization decision ultimately traces back to the identity platform's data.
On-premises identity platforms:
| Platform | Protocol | Primary Use | Key Characteristics |
|---|---|---|---|
| Active Directory (AD) | Kerberos, NTLM, LDAP | Windows domain authentication | Domain controllers, Group Policy, trust relationships, KRBTGT |
| LDAP directories | LDAPv3 | Cross-platform directory queries | Hierarchical (DN, OU, CN), read-optimized, bind authentication |
| RADIUS | RADIUS (UDP 1812/1813) | Network access authentication | AAA for VPN, WiFi (802.1X), network devices; centralized policy |
Cloud identity platforms:
| Platform | Standards | Use Case |
|---|---|---|
| Microsoft Entra ID (Azure AD) | OIDC, SAML, OAuth 2.0 | Microsoft 365, Azure, hybrid AD environments |
| Okta | OIDC, SAML, SCIM | SaaS SSO, workforce identity, lifecycle management |
| Google Workspace Identity | OIDC, SAML | Google ecosystem, GCP IAM |
| AWS IAM / IAM Identity Center | SAML, OIDC | AWS resource access, cross-account federation |
Hybrid identity connects on-premises AD to a cloud identity platform through a synchronization agent (Microsoft Entra Connect, formerly Azure AD Connect; the Okta AD Agent). Users authenticate once and reach both on-premises and cloud resources. Synchronization creates a shared identity plane, but it also means that a compromise of on-premises AD propagates to the cloud: with password hash synchronization a hash derived from each user's NT hash is copied to the tenant, so a password an attacker sets or learns on-premises is valid in the cloud within the sync interval, and the sync server itself holds privileged credentials on both sides (an AD account with replication rights over the directory and a cloud account holding the directory synchronization role). The sync server should therefore be protected as a Tier 0 asset alongside the domain controllers.
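The on-premises side of that propagation is a replication request against the directory, which is also how password hash synchronization legitimately reads the hashes. The following detection, an added example that is not part of the original page, flags replication rights exercised by any principal other than a domain controller or the sync connector account. The GUIDs are the control-access-right GUIDs from the AD schema; the event records, the domain controller names and the sync account name (`MSOL_…` is what an express Azure AD Connect install typically creates) are constructed samples in a simplified dict form, not real 4662 XML.

```python
"""
Added example (not from the original page): flag directory-replication
requests (the "DCSync" access pattern, Security event 4662 with an extended
right in Properties) made by principals other than domain controllers or the
Entra Connect / Azure AD Connect AD DS connector account. The GUIDs are the
real control-access-right GUIDs from the AD schema; SAMPLE_EVENTS, DC_ACCOUNTS
and SYNC_ACCOUNTS are constructed samples, not output from a real domain.
"""

# Extended rights that a replication (DCSync-style) request exercises.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allowlists. In production, derive the DC list from the Domain
# Controllers OU and the sync account from the connector configuration.
DC_ACCOUNTS = {"DC01$", "DC02$"}
SYNC_ACCOUNTS = {"MSOL_5a1b2c3d4e5f"}

# Constructed 4662-like records (subset of the real event's fields).
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2024-05-01T08:00:01Z", "SubjectUserName": "DC02$",
     "AccessMask": "0x100", "ObjectName": "DC=company,DC=com",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2024-05-01T08:02:00Z", "SubjectUserName": "MSOL_5a1b2c3d4e5f",
     "AccessMask": "0x100", "ObjectName": "DC=company,DC=com",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2024-05-01T08:03:17Z", "SubjectUserName": "jsmith",
     "AccessMask": "0x100", "ObjectName": "DC=company,DC=com",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2024-05-01T08:04:00Z", "SubjectUserName": "jsmith",
     "AccessMask": "0x100", "ObjectName": "CN=jsmith,OU=Engineering,DC=company,DC=com",
     "Properties": "Control Access\n\t{ab721a53-1e2f-11d0-9819-00aa0040529b}"},  # change-password right
    {"EventID": 4624, "TimeCreated": "2024-05-01T08:05:00Z", "SubjectUserName": "jsmith"},
]


def replication_rights_in(properties: str) -> list:
    """Names of the replication rights whose GUID appears in a 4662 Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_expected_replicator(account: str, dc_accounts, sync_accounts) -> bool:
    """Domain controller computer accounts and the sync connector account may replicate."""
    acct = account.upper()
    allowed = {a.upper() for a in dc_accounts} | {a.upper() for a in sync_accounts}
    return acct in allowed


def find_suspicious_replication(events, dc_accounts, sync_accounts) -> list:
    """Return one hit per 4662 record that exercises a replication right from an unexpected account."""
    hits = []
    for ev in events:
        # 0x100 is ADS_RIGHT_DS_CONTROL_ACCESS; extended rights such as replication use it.
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        if is_expected_replicator(ev["SubjectUserName"], dc_accounts, sync_accounts):
            continue
        hits.append({
            "time": ev["TimeCreated"],
            "account": ev["SubjectUserName"],
            "object": ev.get("ObjectName"),
            "rights": rights,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_replication(SAMPLE_EVENTS, DC_ACCOUNTS, SYNC_ACCOUNTS):
        print(hit)
```

The allowlist is what makes this usable: the sync account replicates every few minutes, so without it the rule drowns in expected noise; with it, a replication request from a user account or a non-DC host is the single event most worth paging on in a hybrid environment.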
Directory services architecture: LDAP directories use a hierarchical namespace, for example CN=John Smith,OU=Engineering,DC=company,DC=com, read from the leaf entry (CN) outward to the root (the DC components). The bind operation is how LDAP authenticates: the client sends a distinguished name (DN) and a password, and the directory answers success or failure. A simple bind carries the DN and password in cleartext, so it must only be used over a TLS-protected session, either LDAPS (TLS from the first byte, port 636) or StartTLS negotiated on port 389. The alternative is a SASL bind, which is how Active Directory clients authenticate to LDAP with Kerberos (GSSAPI). One caveat for application developers: a simple bind with a non-empty DN and an empty password is an "unauthenticated" bind, which some directories (Active Directory among them) accept as anonymous and answer with success, so an application must reject an empty password before it ever reaches the bind call.
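To make the cleartext point concrete, the following added example (not code from the original page) builds the exact bytes of an LDAPv3 simple BindRequest as BER-encoded per RFC 4511 and then parses them back the way a passive observer on port 389 would. The DN and password are constructed sample values; the parser also flags the empty-password unauthenticated-bind case described above.

```python
"""
Added example (not from the original page): build and then parse the bytes of
an LDAPv3 simple BindRequest (RFC 4511, BER-encoded) to show what a simple
bind puts on the wire. Without LDAPS or StartTLS these bytes, password
included, cross the network exactly as built here. The DN and password used
in __main__ are constructed sample values.
"""


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80 | count, then the bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02) for a non-negative n, keeping the sign bit clear."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def build_simple_bind(message_id: int, dn: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] } }."""
    bind_request = (
        ber_int(version)
        + tlv(0x04, dn.encode("utf-8"))        # name: LDAPDN, an OCTET STRING
        + tlv(0x80, password.encode("utf-8"))  # AuthenticationChoice simple [0]: the raw password
    )
    # 0x30 = SEQUENCE (LDAPMessage); 0x60 = [APPLICATION 0] constructed (BindRequest)
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind_request))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(msg: bytes) -> dict:
    """What a passive observer on tcp/389 recovers from a captured simple bind."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL or unknown authentication choice)")
    password = auth.decode("utf-8")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "dn": dn.decode("utf-8"),
        "password": password,
        # RFC 4513 unauthenticated bind: a DN with an empty password. A server may
        # answer success without checking anything, so an application that treats
        # "bind succeeded" as "password verified" must reject this case itself.
        "unauthenticated": dn != b"" and password == "",
    }


if __name__ == "__main__":
    wire = build_simple_bind(1, "CN=John Smith,OU=Engineering,DC=company,DC=com", "Winter2024!")
    print(wire.hex())           # the password is visible as plain ASCII inside these bytes
    print(parse_simple_bind(wire))
```

Running it prints a 71-byte message in which the DN and the password are plainly readable, which is the whole argument for LDAPS or StartTLS; the same parser, pointed at a packet capture of port 389, recovers credentials with no cryptography at all.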
⚠️ Exam Trap: LDAP is a directory access protocol, not an authentication protocol. LDAP can be used for authentication (via the bind operation), but its primary purpose is querying directory information — user attributes, group memberships, organizational structure. The exam distinguishes between protocols designed for authentication (Kerberos, RADIUS) and protocols that can perform authentication as a secondary function (LDAP).
Reflection Question: An organization uses on-premises Active Directory synchronized to Azure AD via Azure AD Connect. An attacker compromises a domain controller on-premises. Explain how this compromise could propagate to cloud resources, what specific artifacts the attacker could leverage, and what architectural controls would limit the blast radius.