As an identity provider (IdP), Taiwan Airline federated with a car rental company and a five-star hotel chain. Customers can log in to the airline website through single sign-on (SSO) and reserve hotels or rent cars. Which of the following is least likely to happen? (Wentz QOTD)
A. Assertions or claims about a customer may be described in the JSON format.
B. A customer typically has a user account on each airline, car rental, and hotel domain.
C. If the airline system goes down, customers cannot log into other federated systems.
D. Car rental and hotel systems may send a query to the airline for customer data.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. If the airline system goes down, customers cannot log into other federated systems.
A federation is “a collection of realms (domains) that have established trust among themselves. The level of trust may vary, but typically includes authentication and may include authorization” (NIST SP 800-95). Common federation protocols that establish trust between domains include SAML (XML-based assertions) and OpenID Connect (OIDC, JSON-based claims).
An identity federation refers to “a group of organizations that agree to follow the rules of a trust framework” (NISTIR 8149). In this question, the identity federation comprises three organizations: the Taiwan airline, the car rental company, and the chain hotel.
One Customer, Multiple Accounts
According to SAML V2.0 Technical Overview, “users often have individual local user identities within the security domains of each partner with which they interact. Identity federation provides a means for these partner services to agree on and establish a common, shared name identifier to refer to the user in order to share information about the user across the organizational boundaries.”
For example, the user John Doe has a user account in each of the three security domains: johndoe at the Taiwan airline, jdoe at the car rental company, and johnd at the chain hotel, as depicted in the diagram above. John navigates between domains through a pseudonym (the shared name identifier) that maps the user from one domain to the other. If the airline system goes down, customers can still log into the other federated systems using their local user accounts.
Federated systems can send a query to the airline for customer data if necessary. For example, when a new customer signs up with the car rental company, the car rental system can query the airline for the customer’s profile with the user’s consent. It is also common to retrieve additional user attributes for authorization decisions.
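The following Python model, added here as an illustration and not part of the original post, walks through the four options above with the three domains in the question. The airline acts as the IdP and issues signed, JSON-encoded claims (option A); each service provider keeps its own local account store (option B) and a mapping from a pairwise pseudonym to a local username; the service providers can query the airline for consented profile attributes (option D); and when the airline IdP is marked unavailable, a local login still succeeds (the reason option C is the least likely). The HMAC signature, the pairwise-pseudonym derivation, the domain names, and all user data are constructed assumptions for the example; a real deployment would verify an XML signature (SAML) or a JWS (OIDC) with the IdP’s public key.

```python
import hashlib, hmac, json, os, time


def sign(key, claims):
    # HMAC over canonical JSON stands in for the IdP's XML/JWS signature (assumption).
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    # The airline: authoritative for its users' profiles, issues signed assertions.
    def __init__(self, issuer, signing_key, pairwise_salt):
        self.issuer, self.signing_key = issuer, signing_key
        self.pairwise_salt = pairwise_salt  # never leaves the IdP
        self.users = {}                     # airline username -> profile dict
        self.available = True

    def pseudonym_for(self, username, audience):
        # Persistent pairwise identifier: stable per (user, SP) but different per SP,
        # so two SPs cannot correlate the same user between themselves.
        msg = f"{username}|{audience}".encode()
        return hmac.new(self.pairwise_salt, msg, hashlib.sha256).hexdigest()[:16]

    def issue_assertion(self, username, audience, ttl=300):
        if not self.available:
            raise ConnectionError("identity provider unreachable")
        claims = {"iss": self.issuer, "sub": self.pseudonym_for(username, audience),
                  "aud": audience, "exp": int(time.time()) + ttl}
        return {"claims": claims, "sig": sign(self.signing_key, claims)}

    def query_profile(self, pseudonym, audience, consented=("name", "tier")):
        # Attribute query from an SP: release only what the user consented to share.
        for username, profile in self.users.items():
            if self.pseudonym_for(username, audience) == pseudonym:
                return {k: v for k, v in profile.items() if k in consented}
        return None


class ServiceProvider:
    # Car rental company or hotel: its own account store plus a federated mapping.
    def __init__(self, domain, idp_issuer, idp_key):
        self.domain, self.idp_issuer, self.idp_key = domain, idp_issuer, idp_key
        self.local_accounts = {}  # local username -> (salt, pbkdf2 digest)
        self.federated = {}       # pseudonym -> local username

    def create_local_account(self, username, password):
        salt = os.urandom(16)
        self.local_accounts[username] = (salt, pbkdf2(password, salt))

    def login_with_assertion(self, assertion):
        claims = assertion["claims"]
        if not hmac.compare_digest(sign(self.idp_key, claims), assertion["sig"]):
            raise ValueError("bad signature")
        if (claims["iss"], claims["aud"]) != (self.idp_issuer, self.domain):
            raise ValueError("wrong issuer or audience")
        if claims["exp"] < time.time():
            raise ValueError("assertion expired")
        if claims["sub"] not in self.federated:
            raise ValueError("pseudonym not linked to a local account")
        return self.federated[claims["sub"]]

    def login_local(self, username, password):
        salt, digest = self.local_accounts[username]
        if not hmac.compare_digest(pbkdf2(password, salt), digest):
            raise ValueError("bad password")
        return username


def walkthrough():
    # All names, secrets and profile data below are constructed for the example.
    key, salt = b"constructed-shared-secret", b"constructed-pairwise-salt"
    airline = IdentityProvider("https://idp.airline.example", key, salt)
    rental = ServiceProvider("https://rental.example", airline.issuer, key)
    hotel = ServiceProvider("https://hotel.example", airline.issuer, key)
    airline.users["johndoe"] = {"name": "John Doe", "tier": "gold", "passport": "redacted"}
    rental.create_local_account("jdoe", "rental-pw")
    hotel.create_local_account("johnd", "hotel-pw")
    rental_pseudonym = airline.pseudonym_for("johndoe", rental.domain)
    rental.federated[rental_pseudonym] = "jdoe"
    hotel.federated[airline.pseudonym_for("johndoe", hotel.domain)] = "johnd"
    r = {"sso_rental": rental.login_with_assertion(airline.issue_assertion("johndoe", rental.domain))}
    r["sso_hotel"] = hotel.login_with_assertion(airline.issue_assertion("johndoe", hotel.domain))
    try:  # an assertion issued for the rental SP must not log John into the hotel
        hotel.login_with_assertion(airline.issue_assertion("johndoe", rental.domain))
        r["cross_audience"] = "accepted"
    except ValueError:
        r["cross_audience"] = "rejected"
    r["profile_query"] = airline.query_profile(rental_pseudonym, rental.domain)
    airline.available = False  # the airline IdP goes down
    try:
        airline.issue_assertion("johndoe", rental.domain)
        r["sso_while_down"] = "ok"
    except ConnectionError:
        r["sso_while_down"] = "unavailable"
    r["local_while_down"] = rental.login_local("jdoe", "rental-pw")
    return r
```

Running `walkthrough()` shows SSO resolving to the local accounts jdoe and johnd, the hotel rejecting an assertion addressed to the car rental company (audience restriction), the profile query returning only the consented name and tier, and, once the IdP is down, federated login failing while the local jdoe login still works.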
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get a copy from the author’s web site.
As an identity provider, Taiwan Airline federated with a car rental company and a five-star hotel chain. Customers can log in to the airline website with single sign-on (SSO) and reserve hotels or rent cars. Which of the following is least likely to happen? (Wentz QOTD)