Install: claude install-skill Ap6pack/outrider-recon
# Identity Fabric — Concrete Endpoints
> Sub-skill of `offensive-osint`. For pipeline and triage context load `osint-methodology`.
> Authorized targets only.
## BEHAVIORAL CONTRACT
**When triggered:** SSO/IdP fingerprinting, tenant discovery, auth architecture mapping, Microsoft 365 enumeration, Okta/Entra/ADFS probing, OIDC discovery, LinkedIn employee enumeration, or device-code phishing feasibility assessment is needed.
**Execute:**
1. Probe OIDC discovery endpoints (§1.1-1.5) on every alive subdomain and known SSO prefixes (`auth.*`, `login.*`, `sso.*`, `idp.*`, `iam.*`, `identity.*`, `accounts.*`, `oauth.*`). Probe `/.well-known/openid-configuration` on every alive subdomain regardless of prefix.
2. Extract tenant GUIDs from OIDC metadata issuer fields.
3. Run getuserrealm.srf to classify Managed vs Federated (§1.1).
4. If deep mode authorized, run GetCredentialType user-enum capped at 20 attempts (§1.1). Medium detectability.
5. Probe M365 deep surfaces: SharePoint, OneDrive, Teams federation (§1.8).
6. Check device-code phishing feasibility (§1.8).
7. Extract AWS account IDs, OAuth client_ids, and scopes from JSON/HTML/JS (§1.7).
8. For LinkedIn employee enum: use Google dorking (§2.1), prioritize by role tier (§2.2), derive candidate emails (§2.3), output per §2.4 schema.
9. Feed discovered tenants to `people-breach-intel` for SSO_EXPOSURE correlation.
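
Seen from the defending side, step 1 appears in web access logs as one client requesting `/.well-known/openid-configuration` on many hostnames within a short span. The detection check below is an added example, not part of this skill or its project; the log format, the sample lines, the function name `find_discovery_sweeps` and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. Assumed format: vhost client [ISO time] "METHOD path" status
SAMPLE_LOG = """\
www.example.test 198.51.100.7 [2024-05-01T10:00:01] "GET /.well-known/openid-configuration" 404
auth.example.test 198.51.100.7 [2024-05-01T10:00:02] "GET /.well-known/openid-configuration" 200
login.example.test 198.51.100.7 [2024-05-01T10:00:03] "GET /.well-known/openid-configuration" 404
sso.example.test 198.51.100.7 [2024-05-01T10:00:04] "GET /.well-known/openid-configuration" 404
auth.example.test 203.0.113.20 [2024-05-01T10:05:00] "GET /.well-known/openid-configuration" 200
auth.example.test 203.0.113.20 [2024-05-01T10:05:01] "POST /oauth2/token" 200
shop.example.test 192.0.2.9 [2024-05-01T10:06:00] "GET /index.html" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+)" (\d{3})$')
DISCOVERY_PATH = "/.well-known/openid-configuration"

def find_discovery_sweeps(log_text, min_hosts=3, window=timedelta(minutes=5)):
    """Return {client_ip: sorted hosts} for clients that requested the OIDC
    discovery document on at least min_hosts distinct vhosts within window."""
    hits = defaultdict(list)  # client_ip -> [(time, host)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        host, client, ts, _method, path, _status = m.groups()
        if path.split("?", 1)[0] == DISCOVERY_PATH:
            hits[client].append((datetime.fromisoformat(ts), host.lower()))
    flagged = {}
    for client, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[client] = sorted(set(flagged.get(client, [])) | hosts)
    return flagged

if __name__ == "__main__":
    for client, hosts in find_discovery_sweeps(SAMPLE_LOG).items():
        print(f"{client} requested OIDC discovery on {len(hosts)} hosts: {', '.join(hosts)}")
```

A legitimate relying party normally fetches the discovery document from the single issuer host it is configured for, which is why the distinct-host count per client is the signal here rather than the raw request count.
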
**Output:** Per-tenant and per-person findings. Tenant = asset type `sso_tenant` with GUID. Person = asset type `person` with de