Your company implemented Federated Identity Management (FIM) based on SAML to support Single Sign-On (SSO). Which of the following is not true? (Source: Wentz QOTD)
A. A user may have an identity in each domain and multiple identities across domains.
B. A federated identity is a pseudonym shared between domains to hide a user’s identity.
C. A relying party authorizes access requests based on assertions expressed in XACML.
D. SSO relies on the service provider’s (SP) trust in the Identity Provider (IdP).
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. A relying party authorizes access requests based on assertions expressed in XACML.
Source: Security Assertion Markup Language (SAML) V2.0 Technical Overview
As the diagram above shows:
- A user may have an identity in each domain and multiple identities across domains. For example, John Doe registered three accounts in three systems as follows:
- JohnDoe in airline.example.com
- JDoe in cars.example.co.uk
- JohnD in hotels.example.ca
- A federated identity is a pseudonym shared between domains to hide a user’s identity. For instance, both pseudonyms azqu3H7 and f78q9c0 refer to the user, John Doe.
- azqu3H7 is the pseudonym agreed between airline.example.com and cars.example.co.uk.
- f78q9c0 is the pseudonym agreed between airline.example.com and hotels.example.ca.
- A relying party authorizes access requests based on assertions expressed in SAML.
- SAML provides a standard way to render assertions that work across systems and security domains.
- SAML assertions are input for the relying parties or service providers to make authorization decisions. Authorization can be based on XACML.
- SSO relies on the service provider’s (SP) trust in the Identity Provider (IdP).
The OASIS Security Assertion Markup Language (SAML) standard defines an XML-based framework for describing and exchanging security information between on-line business partners. This security information is expressed in the form of portable SAML assertions that applications working across security domain boundaries can trust. The OASIS SAML standard defines precise syntax and rules for requesting, creating, communicating, and using these SAML assertions.
Federated identity
- Users often have individual local user identities within the security domains of each partner with which they interact.
- Identity federation provides a means for these partner services to agree on and establish a common, shared name identifier to refer to the user in order to share information about the user across the organizational boundaries.
- The user is said to have a federated identity when partners have established such an agreement on how to refer to the user.
Single Sign-On
SAML solves the multi-domain SSO (MDSSO) problem by providing a standard vendor-independent grammar and protocol for transferring information about a user from one web server to another independent of the server DNS domains.
Source: Security Assertion Markup Language (SAML) V2.0 Technical Overview
Reference
貴公司基於SAML實施了聯合身份管理(FIM),以支持單一登錄(SSO)。 以下哪一項是不正確的?
A. 用戶在一個的安全域(Security Domain)可以有一個身份, 在多個安全域中則有多個身份。
B. 聯合身份是在安全域之間共享的假名以隱藏用戶真實身份。
C. 依賴方(Relying Party)根據以XACML表達的斷言對訪問請求進行授權。
D. SSO依賴服務提供商(SP)對身份提供方(IdP)的信任。
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
Pingback: CISSP PRACTICE QUESTIONS – 20200909 - Wentz Wu
Pingback: 基於 SAML 的聯合身份管理 (FIM) 以支持單點登錄 (SSO) – Choson資安大小事