SAML and OIDC are commonly found in federated authentication. Which of the following statements about federated authentication is not true?
A. SAML assertions can be viewed as equivalent to OIDC claims.
B. The access token of a subject is trusted and passed across security domains.
C. A user registers only one account in the federated domains to fulfill single sign-on (SSO).
D. The relying party refers to the service provider in SAML or the OAuth2 client using OIDC.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. A user registers only one account in the federated domains to fulfill single sign-on (SSO).
The customer, John Doe, has three user accounts in three separate but federated domains:
The federation of the three domains uses “pseudonym identifiers” to map a user account in one domain to its counterpart in another, e.g., azqu3H7 and f78q9c0.
Pseudonym Identifiers as Federated Identities
Each domain maintains its own identity store, and a user may hold multiple user accounts across the federation while still achieving single sign-on (SSO).
SAML Assertions and OIDC Claims
Option A, “SAML assertions can be viewed as equivalent to OIDC claims,” may not be worded precisely; what I intend to highlight is the similarity of the “token” each protocol uses to carry attribute-value pairs about a subject.
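To make the two points above concrete, here is an added example (not part of the original post) in which an identity provider in one domain issues a signed token whose subject is a pseudonymous, per-relying-party identifier, and a relying party in another domain verifies the token before mapping that pseudonym to its own local account. The domain names, key, salt and account names are constructed for the demo, and an HMAC shared secret stands in for the asymmetric signatures SAML and OIDC actually use.

```python
import hashlib
import hmac
import json

# Constructed demo of a federation: each domain keeps its own identity store;
# the IdP's token carries a pseudonym per relying party, and the RP trusts the
# token only after checking issuer, signature, audience and expiry.

class IdentityProvider:
    def __init__(self, name, signing_key, salt):
        self.name, self.key, self.salt = name, signing_key, salt

    def pairwise_id(self, local_account, relying_party):
        # Stable for one (account, RP) pair but different for every other RP,
        # so two relying parties cannot correlate a user by comparing subjects.
        raw = f"{self.salt}|{local_account}|{relying_party}".encode()
        return hashlib.sha256(raw).hexdigest()[:12]

    def issue(self, local_account, relying_party, now, ttl=300):
        claims = {"iss": self.name, "aud": relying_party, "exp": now + ttl,
                  "sub": self.pairwise_id(local_account, relying_party)}
        payload = json.dumps(claims, sort_keys=True)
        return payload, hmac.new(self.key, payload.encode(), "sha256").hexdigest()

class RelyingParty:
    def __init__(self, name, trusted_issuers, links):
        # trusted_issuers: issuer name -> verification key; links: (issuer, sub) -> local account
        self.name, self.trusted, self.links = name, trusted_issuers, links

    def consume(self, payload, sig, now):
        claims = json.loads(payload)
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, payload.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        if claims.get("aud") != self.name:
            raise ValueError("token issued for another relying party")
        if claims.get("exp", 0) <= now:
            raise ValueError("expired")
        local = self.links.get((claims["iss"], claims["sub"]))
        if local is None:
            raise ValueError("pseudonym not linked to a local account")
        return local

KEY = b"constructed-shared-secret"
IDP = IdentityProvider("idp.example", KEY, "constructed-salt")
# The RP pre-links the pseudonym it will see for this user to its own account.
SP = RelyingParty("sp.example", {"idp.example": KEY},
                  {("idp.example", IDP.pairwise_id("jdoe", "sp.example")): "john.doe"})
```

The same user keeps a distinct local account in each domain; only the signed, audience-bound pseudonym crosses the domain boundary.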
OIDC Protocol Suite
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.
SAML and OIDC are commonly seen in federated authentication. Which of the following statements about federated authentication is incorrect?
B. The subject's access token is trusted and can be passed across security domains.
C. A user can register only one account in the federated domains to complete single sign-on (SSO).
D. The relying party refers to the service provider in SAML or the OAuth2 client using OIDC.