CISSP PRACTICE QUESTIONS – 20200408

Effective CISSP Questions

SAML refers to Security Assertion Markup Language. Which of the following statements about “assertion” is not true?
A. It is a package of information produced by the relying party
B. It describes an act of authentication performed on a subject
C. It contains attribute information about the subject
D. It may have authorization data for the subject to access a specified resource


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. It is a package of information produced by the relying party.

SAML Assertion

An assertion is a package of information that supplies zero or more statements made by a SAML authority.

Assertion

A piece of data produced by a SAML authority regarding either an act of authentication performed on a subject, attribute information about the subject, or authorization data applying to the subject with respect to a specified resource.

Subject

A principal in the context of a security domain. SAML assertions make declarations about subjects.

Principal

A system entity whose identity can be authenticated.

Identity

  • The essence of an entity.
  • One’s identity is often described by one’s characteristics, among which may be any number of identifiers.

Identifier

  • A data object (for example, a string) mapped to a system entity that uniquely refers to the system entity.
  • A system entity may have multiple distinct identifiers referring to it. An identifier is essentially a “distinguished attribute” of an entity.

Attribute

  • A distinct characteristic of an object (in SAML, of a subject). An object’s attributes are said to describe it.
  • Attributes are often specified in terms of physical traits, such as size, shape, weight, and color, etc., for real-world objects.
  • Objects in cyberspace might have attributes describing size, type of encoding, network address, and so on.
  • Attributes are often represented as pairs of “attribute name” and “attribute value(s)”, e.g. “foo” has the value ‘bar’, “count” has the value 1, “gizmo” has the values “frob” and “2”, etc. Often, these are referred to as “attribute value pairs”.
  • Note that Identifiers are essentially “distinguished attributes”. See also Identifier and XML attribute.

SAML authorities are sometimes referred to as asserting parties in discussions of assertion generation and exchange, and system entities that use received assertions are known as relying parties.

Asserting Party

Formally, the administrative domain that hosts one or more SAML authorities. Informally, an instance of a SAML authority.

  • SAML Authority: an abstract system entity in the SAML domain model that issues assertions.
  • Attribute Authority: A system entity that produces attribute assertions.
  • Authentication Authority: A system entity that produces authentication assertions.

Relying Party

A system entity that decides to take an action based on information from another system entity. For example, a SAML relying party depends on receiving assertions from an asserting party (a SAML authority) about a subject.

Party

Informally, one or more principals participating in some process or communication, such as receiving an assertion or accessing a resource.

SAML Protocols

The terms asserting party and relying party describe roles in assertion generation and consumption; they should not be confused with requester and responder, which are reserved for discussions of SAML protocol message exchange.

Requester, SAML Requester

A system entity that utilizes the SAML protocol to request services from another system entity (a SAML authority, a responder). The term “client” for this notion is not used because many system entities simultaneously or serially act as both clients and servers. In cases where the SOAP binding for SAML is being used, the SAML requester is architecturally distinct from the initial SOAP sender.

Responder, SAML Responder

A system entity (a SAML authority) that utilizes the SAML protocol to respond to a request for services from another system entity (a requester). The term “server” for this notion is not used because many system entities simultaneously or serially act as both clients and servers. In cases where the SOAP binding for SAML is being used, the SAML responder is architecturally distinct from the ultimate SOAP receiver.

System Entity, Entity

An active element of a computer/network system. For example, an automated process or set of processes, a subsystem, a person or group of persons that incorporates a distinct set of functionality. [RFC2828] [SAMLAgree]

Federation

This term is used in two senses in SAML:

  • a) The act of establishing a relationship between two entities.
  • b) An association comprising any number of service providers and identity providers.

Federate

To link or bind two or more entities together.

Federated Identity

A principal’s identity is said to be federated between a set of providers when there is an agreement between the providers on a set of identifiers and/or attributes to use to refer to the principal.

Service Provider

A role donned by a system entity where the system entity provides services to principals or other system entities.

Identity Provider

A kind of service provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.

Reference

  • Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0
