Security is a major concern in the enterprise and treats all aspects of identity and access management. Moreover the proliferation of devices and digital assets connected to the Internet of Things is a massive source of growing geographic information. GeoServer has buit-in a lot of features to manage authentication and authorization but often this kind of problem can be better dealt with a dedicated tool (i.e. Forgerock IAM suite) which allows to provide identities and access policies likewise to several clients. What are the best practices to integrate GeoServer into an existent single sign-on and identity lifecycle? Althought tools like CAS and GeoFence allow to enable such features it's more likely that GeoServer needs a leaner and cleaner path towards the externalization of authentication and authorization for the OGC services and its REST API.