Intermediate-Advanced|24 hours|48 lessons

Identity and Trust for DevOps Engineers

A scenario-driven course on identity and trust for DevOps and platform engineers. Covers cryptographic primitives, TLS and PKI, OAuth 2.0 and OpenID Connect, SAML, LDAP and Active Directory, IdP-as-a-service (Okta), JWTs and key rotation, mTLS and service identity, authorization patterns (RBAC, ABAC, ReBAC), operational SSO, debugging identity and TLS flows, threat modeling, and a full enterprise-identity capstone.

Text-based, no videos
16 modules, 48 lessons
Lifetime access

What you'll learn

The identity stack from first principles: trust models, the identity-to-bytes pipeline, and why identity is the hardest problem in DevOps
Cryptographic primitives that everything else builds on: hashing, symmetric and asymmetric encryption, digital signatures, and key management
TLS, X.509 certificates, and PKI in production: the handshake step by step, certificate lifecycle, monitoring, and incident response
OAuth 2.0 from first principles: the five grant types, when to use each, scopes, tokens, and the deprecated flows that still bite
OpenID Connect, ID tokens, JWKS, key rotation, and OIDC flows for CLI, CI/CD, and Kubernetes
SAML 2.0 mechanics, LDAP and Kerberos integration, and how legacy identity coexists with modern infrastructure
IdP-as-a-service (Okta) configuration via Terraform, AWS, and Kubernetes, plus IdP incident playbooks
Service-to-service identity, mTLS, and the choice between tokens and certificates
Authorization patterns (RBAC, ABAC, ReBAC), policy engines (OPA, Cedar) and Zanzibar-style relationship models, and Kubernetes authz from RBAC to admission
Operational SSO for kubectl, Vault, ArgoCD, Grafana, MFA and step-up auth
Debugging identity and TLS flows: TLS failures, OAuth/OIDC issues, Kubernetes identity bugs
Identity threat modeling with STRIDE, common attacks and defenses, and zero trust identity architecture
Capstone: design an enterprise identity architecture, run an identity-breach incident response, and migrate from legacy to modern identity

Curriculum

16 modules · 48 lessons
01

The Identity and Trust Problem

What identity actually means in DevOps systems, the trust models that decide what to believe, and the layered identity stack from raw bytes to business logic.

3 lessons
02

Cryptographic Primitives, Just Enough

The math you cannot avoid: hashing, symmetric and asymmetric encryption, digital signatures, and where keys live.

3 lessons
03

TLS and Certificates

The handshake step by step, what an X.509 certificate actually contains, and the failure modes that cause production outages.

3 lessons
04

Public Key Infrastructure and Certificate Operations

Building a chain of trust, the certificate lifecycle, and the operational practice that keeps PKI from becoming an outage.

3 lessons
05

OAuth 2.0 from First Principles

What OAuth actually solves, the five grant types and when each fits, and the hardened configuration that closes off the well-known failure modes.

3 lessons
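The grant the module spends most of its time on is the authorization code grant with PKCE, because it is the one public clients (CLIs, SPAs, CI jobs) actually use. The following is an added example, not course material: both the client and the authorization server are toy in-process objects, the client id, redirect URI and hypothetical loopback port are invented, and no real IdP's API is involved. It shows the bindings a hardened token endpoint enforces (exact redirect URI match, single-use codes, S256 PKCE verification) and why a code stolen in transit is worthless without the verifier.

```python
"""Authorization code grant with PKCE: client and authorization server simulated in one process.

Added example; both sides are toy in-memory objects, not any real IdP's API. Follows RFC 6749 section 4.1
and RFC 7636, with the checks a hardened server performs at the token endpoint."""
import base64
import hashlib
import hmac
import secrets
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for PKCE values and OAuth parameters."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair() -> tuple:
    """code_verifier (43 chars from 32 random bytes) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class AuthorizationServer:
    """Toy AS. Codes are bound to client_id, redirect_uri and code_challenge, expire quickly, single use."""
    CODE_TTL = 60  # seconds; RFC 6749 recommends a maximum lifetime of 10 minutes

    def __init__(self, clients):
        self.clients = clients  # client_id -> set of exactly-registered redirect URIs
        self.codes = {}         # code -> binding record

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method, state):
        if code_challenge_method != "S256":  # refuse "plain" and missing PKCE outright
            raise ValueError("invalid_request: code_challenge_method must be S256")
        if redirect_uri not in self.clients.get(client_id, set()):  # exact string match, no prefix rules
            raise ValueError("invalid_request: unregistered redirect_uri")
        code = b64url(secrets.token_bytes(32))
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "expires": time.time() + self.CODE_TTL}
        return {"code": code, "state": state}  # what the user agent carries back to the client

    def token(self, client_id, code, code_verifier, redirect_uri):
        rec = self.codes.pop(code, None)  # burned on first presentation, valid or not: no verifier brute force
        if rec is None:
            raise ValueError("invalid_grant: unknown or already-used code")
        if time.time() > rec["expires"]:
            raise ValueError("invalid_grant: code expired")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant: code was issued to a different client or redirect_uri")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, rec["challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer", "expires_in": 900}


class Client:
    """Public client (CLI or SPA): no client secret, so PKCE and state are its only protections."""

    def __init__(self, client_id, redirect_uri, auth_server):
        self.client_id, self.redirect_uri, self.auth_server = client_id, redirect_uri, auth_server
        self.verifier = self.state = None

    def start(self):
        self.verifier, challenge = make_pkce_pair()
        self.state = b64url(secrets.token_bytes(16))  # per-request CSRF binding
        return self.auth_server.authorize(self.client_id, self.redirect_uri, challenge, "S256", self.state)

    def finish(self, callback):
        if not hmac.compare_digest(callback["state"], self.state):
            raise ValueError("state mismatch: callback not bound to a flow this client started")
        return self.auth_server.token(self.client_id, callback["code"], self.verifier, self.redirect_uri)


def demo() -> dict:
    """Legitimate exchange, a replay of the spent code, and a stolen code presented without its verifier."""
    redirect = "http://127.0.0.1:8400/callback"  # hypothetical loopback redirect for a CLI
    asrv = AuthorizationServer({"cli-app": {redirect}})
    client = Client("cli-app", redirect, asrv)
    results = {}
    callback = client.start()
    results["legit_ok"] = "access_token" in client.finish(callback)
    try:  # same code presented a second time
        client.finish(callback)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    callback = client.start()  # fresh flow; attacker observes the code in a log or referrer header
    try:
        asrv.token("cli-app", callback["code"], "attacker-guess", redirect)
        results["stolen_code_rejected"] = False
    except ValueError:
        results["stolen_code_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Burning the code on first presentation, whether or not the verifier checks out, is a deliberate choice: a code that survives a failed exchange is an oracle for guessing the verifier.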
06

OpenID Connect

OIDC adds identity on top of OAuth: ID tokens, JWKS, and the flows DevOps engineers actually run.

3 lessons
07

SAML 2.0

Why SAML still runs the enterprise, the assertion model, and how to interoperate with the OIDC world.

3 lessons
08

Directory and Domain Identity (LDAP, Kerberos, Active Directory)

The identity stack of the enterprise: LDAP directories, Kerberos tickets, and Active Directory in modern infrastructure.

3 lessons
09

Okta and IdP-as-a-Service

What Okta actually does, configuring it as code, and the playbook for when your IdP goes down.

3 lessons
10

Token Validation and Key Rotation

JWT internals, JWKS-based key discovery, and the token-exchange / refresh / revocation flows.

3 lessons
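The JWKS lookup and rotation overlap described in this module are easiest to see in code. The block below is an added example, not course material: it uses HS256 with symmetric "oct" JWKs only so it runs on the Python standard library, whereas a real OIDC provider publishes RSA or EC public keys (RS256/ES256); the kid lookup, refresh-on-unknown-kid path, algorithm allow-list and iss/aud/exp checks are the same either way. The IdP and JwksVerifier classes, the issuer URL and the audience names are invented for the example. It walks a rotation from k1 alone, through the k1+k2 overlap, to the classic mistake of retiring k1 while tokens signed with it are still within their lifetime, and finishes with two forged tokens.

```python
"""JWT validation against a JWKS with kid lookup across a key-rotation overlap window.
Added example, not course code. HS256 with symmetric "oct" JWKs keeps it standard-library only; real OIDC
providers publish RSA/EC public keys, but kid lookup, refresh, alg pinning and claim checks are the same.
IdP, JwksVerifier, the issuer URL and the audience names are invented for the example."""
import base64
import hashlib
import hmac
import json
import secrets

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, kid: str, key: bytes, alg: str = "HS256") -> str:
    """Compact JWS. alg is a parameter only so demo() can forge an alg=none token."""
    h, p = (b64url_encode(json.dumps(x, separators=(",", ":"), sort_keys=True).encode())
            for x in ({"alg": alg, "kid": kid}, claims))
    sig = b"" if alg == "none" else hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

class IdP:
    """Toy issuer: holds signing keys, publishes them as a JWKS, counts how often it is fetched."""
    def __init__(self, issuer: str):
        self.issuer, self.keys, self.active, self.fetches = issuer, {}, None, 0
    def rotate(self, kid: str) -> None:  # new key signs from now on; the old one stays published (overlap)
        self.keys[kid] = secrets.token_bytes(32)
        self.active = kid
    def jwks(self) -> dict:
        self.fetches += 1
        return {"keys": [{"kty": "oct", "alg": "HS256", "kid": k, "k": b64url_encode(v)} for k, v in self.keys.items()]}
    def issue(self, sub: str, aud: str, now: int, ttl: int = 300) -> str:
        return sign_jwt({"iss": self.issuer, "sub": sub, "aud": aud, "exp": now + ttl}, self.active, self.keys[self.active])

class JwksVerifier:
    """Resource server: caches the JWKS, refreshes on an unknown kid, pins alg, checks iss/aud/exp."""
    ALLOWED_ALGS = {"HS256"}  # allow-list; the token header never chooses the algorithm
    def __init__(self, fetch_jwks, issuer: str, audience: str, leeway: int = 30):
        self.fetch_jwks, self.issuer, self.audience, self.leeway = fetch_jwks, issuer, audience, leeway
        self.refresh()
    def refresh(self) -> None:
        self.keys = {k["kid"]: b64url_decode(k["k"]) for k in self.fetch_jwks()["keys"]
                     if k.get("kty") == "oct" and "kid" in k}
    def verify(self, token: str, now: int) -> dict:
        h, p, s = token.split(".")  # unpack, base64 and JSON errors are all ValueError subclasses
        header = json.loads(b64url_decode(h))
        if header.get("alg") not in self.ALLOWED_ALGS:
            raise ValueError(f"alg not allowed: {header.get('alg')!r}")
        kid = header.get("kid")
        if kid not in self.keys:
            self.refresh()  # rotation path; rate-limit this in production so bogus kids cannot force fetch storms
            if kid not in self.keys:
                raise ValueError(f"unknown kid: {kid!r}")
        expected = hmac.new(self.keys[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("signature verification failed")
        claims = json.loads(b64url_decode(p))
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("token not intended for this audience")
        if "exp" not in claims or now > claims["exp"] + self.leeway:
            raise ValueError("token expired or missing exp")
        return claims

def rejected(rs: JwksVerifier, token: str, now: int) -> bool:
    try:
        rs.verify(token, now)
        return False
    except ValueError:
        return True

def demo() -> dict:
    """Rotation k1 -> k1+k2 overlap -> k1 retired too early, plus alg=none and wrong-audience forgeries."""
    now, iss = 1_700_000_000, "https://idp.example.internal"
    idp = IdP(iss)
    idp.rotate("k1")
    rs = JwksVerifier(idp.jwks, iss, "payments-api")
    t1 = idp.issue("alice", "payments-api", now)
    out = {"k1_ok": rs.verify(t1, now)["sub"] == "alice"}
    idp.rotate("k2")  # overlap window: both kids published, new tokens signed with k2
    t2 = idp.issue("alice", "payments-api", now)
    out["k2_triggers_refresh"] = rs.verify(t2, now)["sub"] == "alice" and idp.fetches == 2
    out["k1_still_valid_in_overlap"] = rs.verify(t1, now)["sub"] == "alice"
    del idp.keys["k1"]  # the classic rotation bug: k1 unpublished while t1 is still within exp
    rs.refresh()        # the resource server's periodic refresh picks that up...
    out["k1_rejected_after_retire"] = rejected(rs, t1, now)  # ...and every outstanding k1 token now fails
    forged = sign_jwt({"iss": iss, "sub": "mallory", "aud": "payments-api", "exp": now + 300}, "k2", b"", alg="none")
    out["alg_none_rejected"] = rejected(rs, forged, now)
    out["wrong_audience_rejected"] = rejected(rs, idp.issue("alice", "billing-api", now), now)
    return out

if __name__ == "__main__":
    print(demo())
```

The operational rule the last step illustrates: keep a retired signing key in the JWKS for at least the longest lifetime of any token it signed, or the rotation itself becomes the outage.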
11

Service-to-Service Identity and mTLS

How services prove who they are to each other, mTLS in production meshes, and choosing tokens vs certificates.

3 lessons
12

Authorization Patterns

Picking the right authorization model, the policy engines worth knowing, and Kubernetes authorization end to end.

3 lessons
13

Operational SSO

SSO for the internal tools your engineers actually use, session lifecycle, and the MFA / step-up patterns.

3 lessons
14

Debugging Identity and TLS Flows

The diagnostic toolkit for TLS, OAuth, OIDC, and Kubernetes identity bugs.

3 lessons
15

Security and Threat Model

Identity-specific threat modeling, the canonical attacks and their defenses, and what zero trust really means for identity.

3 lessons
16

Capstone Scenario

Three end-to-end exercises: design an enterprise identity architecture, respond to an identity breach, and migrate from legacy to modern identity.

3 lessons

About the Author

Sharon Sahadevan

AI Infrastructure Engineer

Building production GPU clusters on Kubernetes. H100s, large-scale model serving, and end-to-end ML infrastructure across Azure and AWS.

10+ years designing cloud-native platforms with deep expertise in Kubernetes orchestration, GitOps (Argo CD), Terraform, and MLOps pipelines for LLM deployment.

Author of KubeNatives, a weekly newsletter read by 3,000+ DevOps and ML engineers for production insights on K8s internals, GPU scheduling, and model-serving patterns.

Ready to master this topic?

Start with the free preview lesson and see for yourself.