Effective CISSP Questions

SAML and OIDC are commonly found in federated authentication. Which of the following statements about federated authentication is not true?
A. SAML assertions can be viewed as equivalent to OIDC claims.
B. The access token of a subject is trusted and passed across security domains.
C. A user registers only one account in the federated domains to fulfill single sign-on (SSO).
D. The relying party refers to the service provider in SAML or the OAuth2 client using OIDC.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. A user registers only one account in the federated domains to fulfill single sign-on (SSO).

The customer, John Doe, has three user accounts in three separate but federated domains:


The federation of the three domains uses “pseudonym identifiers” to map one user account in one domain to another, e.g., azqu3H7 and f78q9c0.

General Identity Federation Use Case

Pseudonym Identifiers as Federated Identities

Each domain maintains its own identity store, and a user can hold multiple user accounts across the federation while still achieving single sign-on (SSO); the accounts are linked through the pseudonym identifiers rather than merged into one.

SP-Initiated Identity Federation with Persistent Pseudonym (Source: SAML V2.0 Technical Overview)

SAML Assertions and OIDC Claims

Option A, “SAML assertions can be viewed as equivalent to OIDC claims,” may not be worded precisely; what I intend to highlight is the similarity in terms of the “token” that carries pairs of attributes and values about a subject.
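The following is an added example, not code from the original post or from either specification, that models the two ideas above in one runnable script: the identity provider keeps its own identity store, issues both a SAML-style assertion and an OIDC ID token about the same subject using the persistent pseudonym azqu3H7 from the page instead of the local username, and the service provider / relying party in a second domain verifies the issuer's signature, reads the attribute/value pairs, and maps the pseudonym to its own local account. The domains idp.example and sp.example, the two identity stores, the shared key, and the use of an HMAC as a stand-in for the real XML Signature and JWS signature are all assumptions made for the example.

```python
"""Toy identity federation (added example, constructed data).

IdP domain idp.example issues (1) a SAML-style assertion and (2) an OIDC
ID token about the same subject.  Both carry the subject's persistent
pseudonym plus attribute/value pairs.  SP/RP domain sp.example verifies
the issuer's signature and maps the pseudonym to its own local account.
Assumption: an HMAC over the token body stands in for XML-Signature/JWS.
"""
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

IDP_ISSUER = "https://idp.example"            # assumed IdP identifier
IDP_KEY = b"constructed-idp-sp-shared-key"    # constructed shared secret
PSEUDONYM = "azqu3H7"                         # persistent pseudonym from the page

# Each domain keeps its own identity store; the accounts are never merged.
IDP_STORE = {"jdoe": {"email": "john.doe@idp.example", "role": "customer",
                      "pseudonym": PSEUDONYM}}
SP_STORE = {"john.d": {"federated_id": PSEUDONYM}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(data: bytes) -> str:
    """Stand-in for the IdP's signature (assumption: HMAC-SHA256)."""
    return b64url(hmac.new(IDP_KEY, data, hashlib.sha256).digest())


def issue_saml_assertion(username: str):
    """IdP side: assertion with a persistent NameID and an AttributeStatement."""
    user = IDP_STORE[username]
    root = ET.Element("Assertion", Issuer=IDP_ISSUER)
    ET.SubElement(root, "NameID", Format="persistent").text = user["pseudonym"]
    stmt = ET.SubElement(root, "AttributeStatement")
    for name in ("email", "role"):
        attr = ET.SubElement(stmt, "Attribute", Name=name)
        ET.SubElement(attr, "AttributeValue").text = user[name]
    body = ET.tostring(root)
    return body, seal(body)


def issue_id_token(username: str, audience: str) -> str:
    """IdP side: OIDC ID token whose claims carry the same subject data."""
    user = IDP_STORE[username]
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": user["pseudonym"], "aud": audience,
              "iat": int(time.time()), "email": user["email"], "role": user["role"]}
    signing_input = (b64url(json.dumps(header).encode()) + "." +
                     b64url(json.dumps(claims).encode()))
    return signing_input + "." + seal(signing_input.encode())


def map_to_local(pseudonym: str) -> str:
    """SP/RP side: resolve the federated pseudonym to the local account."""
    for local_user, record in SP_STORE.items():
        if record["federated_id"] == pseudonym:
            return local_user
    raise KeyError("no local account is linked to this pseudonym")


def sp_consume_assertion(body: bytes, signature: str):
    """SP side: verify the assertion, then extract NameID and attributes."""
    if not hmac.compare_digest(seal(body), signature):
        raise ValueError("assertion signature invalid")
    root = ET.fromstring(body)
    if root.get("Issuer") != IDP_ISSUER:
        raise ValueError("assertion from an untrusted issuer")
    pseudonym = root.find("NameID").text
    attributes = {a.get("Name"): a.find("AttributeValue").text
                  for a in root.iter("Attribute")}
    return map_to_local(pseudonym), attributes


def rp_consume_id_token(token: str, expected_audience: str):
    """RP side: verify the ID token, check iss/aud, then read the claims."""
    signing_input, signature = token.rsplit(".", 1)
    if not hmac.compare_digest(seal(signing_input.encode()), signature):
        raise ValueError("ID token signature invalid")
    claims = json.loads(b64url_decode(signing_input.split(".")[1]))
    if claims["iss"] != IDP_ISSUER or claims["aud"] != expected_audience:
        raise ValueError("ID token was not issued by our IdP for this relying party")
    attributes = {name: claims[name] for name in ("email", "role")}
    return map_to_local(claims["sub"]), attributes


if __name__ == "__main__":
    body, sig = issue_saml_assertion("jdoe")
    print("SAML ->", sp_consume_assertion(body, sig))
    token = issue_id_token("jdoe", "https://sp.example")
    print("OIDC ->", rp_consume_id_token(token, "https://sp.example"))
```

Both consumers end up with the same local account and the same attribute/value pairs, which is the similarity option A points at; the subject is identified across the domain boundary only by the pseudonym, and the SP/RP accepts the token because it verifies the issuer's signature, not because the two identity stores share an account. Tampering with the assertion body, or presenting the ID token to a relying party other than the one named in its audience, is rejected before any mapping takes place.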

SAML Assertions

SAML Assertion

OIDC Claims

OIDC Claims (Source: Akana)

SAML Participants


OIDC Protocol Suite

OAuth2 Protocol Flow
OIDC Protocol Suite (Source: Orange)
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

SAML and OIDC are often seen in federated authentication. Which of the following statements about federated authentication is not true?
A. SAML assertions can be regarded as equivalent to OIDC claims.
B. The subject's access token is trusted and can be passed across security domains.
C. A user can register only one account in the federated domains to complete single sign-on (SSO).
D. The relying party refers to the service provider in SAML or the OAuth2 client using OIDC.

