Effective CISSP Questions

Your company sells toys online, supported by an E-Commerce system deployed to a PaaS. The EC system implemented and trusted federated identities from some well-known social media to streamline the order placing process. However, a new customer visiting your company’s web site still has to register for a new user account first to place orders. Which of the following is the best to address this problem?
A. Enforce Identity Assurance Level 3 (IAL3)
B. Implement LDAP to synchronize federated identities
C. Map attributes described in the SAML security assertion to a local identity
D. Create a new account just in time when a new customer logs in using a federated identity

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Create a new account just in time when a new customer logs in using a federated identity.

Just-in-time (JIT) Provisioning

It’s not uncommon nowadays for a web site to create a new account by retrieving the customer’s profile from the identity provider just in time to streamline the registration and provisioning process. This practice is also known as just-in-time provisioning.


IAL3 is not feasible in this context.

IAL3: At IAL3, in-person identity proofing is required. Identifying attributes must be verified by an authorized CSP representative through examination of physical documentation as described in SP 800-63A.

Source: NIST SP 800-63-3


Federated identity is typically fulfilled through SAML or OIDC. LDAP is implemented in the context of LAN for authentication and identity management. Moreover, it’s rare to synchronize federated identities from the identity provider to other domains.

Identity Mapping

Federated identity supports cross-domain SSO. Each security domain maintains its own directory and trusts the security assertions or ID tokens issued by the trusted identity provider. Identity mapping is fulfilled through pseudonyms.

This use case assumes that the user has had identities across domains. The following diagram is excerpted from Security Assertion Markup Language (SAML) V2.0 Technical Overview (Committee Draft 02, 25 March 2008):


您的公司在線銷售玩具,並通過部署到PaaS的電子商務系統提供支持。 為了簡化下訂單流程,EC系統實施並信任了一些知名社交媒體的聯合身份。 但是,訪問您公司網站的新客戶仍然必須先註冊一個新的用戶帳戶才能下訂單。 以下哪項是解決此問題的最佳方法?
A. 強制執行身份保證級別3(IAL3)
B. 實施LDAP以同步聯合身份
C. 將SAML安全聲明中描述的屬性映射到本地身份
D. 在新客戶使用聯合身份登錄時及時創建一個新帳戶

Leave a Reply