Effective CISSP Questions

As an identity provider (IdP), Taiwan Airline federates with a car rental company and a five-star hotel chain. Customers can log into the airline website with single sign-on (SSO) and then reserve hotels or rent cars. Which of the following is least likely to happen? (Wentz QOTD)
A. Assertions or claims about a customer may be described in the JSON format.
B. A customer typically has a user account in each of the airline, car rental, and hotel domains.
C. If the airline system goes down, customers cannot log into other federated systems.
D. Car rental and hotel systems may send a query to the airline for customer data.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. If the airline system goes down, customers cannot log into other federated systems.

General Identity Federation Use Case (Source: SAML V2.0 Technical Overview)

A federation is “a collection of realms (domains) that have established trust among themselves. The level of trust may vary, but typically includes authentication and may include authorization” (NIST SP 800-95). Common federation protocols that establish trust between domains are SAML (XML-based assertions) and OpenID Connect (OIDC, whose ID tokens carry claims as JSON), so option A is an ordinary outcome.

An identity federation refers to “a group of organizations that agree to follow the rules of a trust framework” (NISTIR 8149). In this question, the identity federation comprises three organizations: the Taiwan airline, the car rental company, and the chain hotel.

One Customer, Multiple Accounts

According to SAML V2.0 Technical Overview, “users often have individual local user identities within the security domains of each partner with which they interact. Identity federation provides a means for these partner services to agree on and establish a common, shared name identifier to refer to the user in order to share information about the user across the organizational boundaries.”

For example, the user John Doe has a separate account in each security domain: johndoe at the Taiwan airline, jdoe at the car rental company, and johnd at the chain hotel, as depicted in the diagram above. John moves between domains through a so-called “pseudonym”, a shared name identifier that the identity provider and each service provider agree on and map to their own local accounts. The partners rely on the airline's assertion to recognize John, but their local accounts do not depend on the airline being reachable. If the airline system goes down, SSO through the airline is unavailable, yet customers can still log into the other federated systems with their local user accounts, which is why option C is the least likely.

Information Query

A service provider can query the identity provider for customer data when necessary; in SAML this is an attribute query sent to the identity provider's attribute authority. For example, when an airline customer first signs up with the car rental company, the car rental system can query the airline for the customer's profile with the user's consent. It is also common for a service provider to retrieve additional attributes about the user in order to make authorization decisions.
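The account mapping from the previous section and the attribute query described above, worked through in Python as an added example (not code from the page, from the SAML specification, or from any real identity provider). It assumes constructed domains (airline.example, cars.example, hotel.example), users (johndoe, jdoe, johnd), passwords, a hypothetical run_scenario() driver, and signs assertions with a shared HMAC key for brevity where a real SAML or OIDC identity provider would use an asymmetric signature. The pairwise pseudonym is derived with a keyed hash so that the car rental company and the hotel receive different identifiers for the same airline customer.

```python
import hashlib
import hmac
import json

# Added illustration, not code from the page: domains, users, passwords and key are constructed.
# Assertions are JSON claims with an HMAC tag for brevity; real SAML/OIDC deployments use
# asymmetric signatures so that a partner holding only the verification key cannot forge tokens.
IDP_KEY = b"demo-airline-signing-key"

def sign(key, claims):
    """Serialize claims as JSON and append an HMAC-SHA256 tag: 'claims.tag'."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(key, token, issuer, audience, now):
    """Check tag, issuer, audience and expiry; raise ValueError on any failure."""
    body, _, tag = token.rpartition(".")
    if not hmac.compare_digest(tag, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims["iss"] != issuer or claims["aud"] != audience or now >= claims["exp"]:
        raise ValueError("wrong issuer, issued for another partner, or expired")
    return claims

class IdentityProvider:  # the airline: authenticates its own users, issues assertions to partners
    def __init__(self, domain, key, salt, users):
        self.domain, self.key, self.salt = domain, key, salt
        self.users = users   # local username -> {"password": ..., "email": ..., "consent": {...}}
        self.online = True

    def pseudonym(self, username, partner):
        # Persistent pairwise identifier: the same for one (user, partner) pair on every login,
        # but different per partner, so the car rental company and the hotel cannot correlate the user.
        return hmac.new(self.salt, f"{username}|{partner}".encode(), hashlib.sha256).hexdigest()[:16]

    def issue_assertion(self, username, password, partner, now, ttl=300):
        if not self.online:
            raise ConnectionError("identity provider unavailable")
        if self.users.get(username, {}).get("password") != password:
            raise PermissionError("authentication failed")
        return sign(self.key, {"iss": self.domain, "aud": partner, "iat": now, "exp": now + ttl,
                               "sub": self.pseudonym(username, partner)})

    def attribute_query(self, partner, subject, wanted):
        # A partner asks for profile data about a pseudonym; only attributes the user consented to release go out.
        for username, profile in self.users.items():
            if self.pseudonym(username, partner) == subject:
                allowed = profile.get("consent", {}).get(partner, set()) - {"password"}
                return {a: profile[a] for a in wanted if a in allowed and a in profile}
        raise KeyError("unknown subject")

class ServiceProvider:  # a car rental company or hotel: own accounts, linked to airline pseudonyms
    def __init__(self, domain, idp_domain, idp_key, accounts):
        self.domain, self.idp_domain, self.idp_key = domain, idp_domain, idp_key
        self.accounts = accounts   # local username -> password
        self.links = {}            # airline pseudonym -> local username

    def local_login(self, username, password):
        # Needs nothing from the airline, so an IdP outage does not lock users out.
        return username if self.accounts.get(username) == password else None

    def link(self, username, password, assertion, now):
        """First federated visit: prove the local account, then map the airline pseudonym to it."""
        if self.local_login(username, password) is None:
            raise PermissionError("local authentication failed")
        self.links[verify(self.idp_key, assertion, self.idp_domain, self.domain, now)["sub"]] = username

    def sso_login(self, assertion, now):
        """Later visits: the assertion alone resolves to the linked local account (None if unlinked)."""
        return self.links.get(verify(self.idp_key, assertion, self.idp_domain, self.domain, now)["sub"])

def run_scenario(now=1_700_000_000):
    """Walk through options B, C and D of the question and return what was observed."""
    airline = IdentityProvider("airline.example", IDP_KEY, b"demo-salt", {"johndoe": {
        "password": "pw-air", "email": "john@example.com", "tier": "gold", "consent": {}}})
    cars = ServiceProvider("cars.example", "airline.example", IDP_KEY, {"jdoe": "pw-cars"})
    hotel = ServiceProvider("hotel.example", "airline.example", IDP_KEY, {"johnd": "pw-hotel"})

    # B: one account per domain; each partner links the airline pseudonym to its own account once.
    cars.link("jdoe", "pw-cars", airline.issue_assertion("johndoe", "pw-air", "cars.example", now), now)
    hotel.link("johnd", "pw-hotel", airline.issue_assertion("johndoe", "pw-air", "hotel.example", now), now)
    sso_user = cars.sso_login(airline.issue_assertion("johndoe", "pw-air", "cars.example", now), now)

    # D: the car rental company queries the airline; only the consented attribute comes back.
    airline.users["johndoe"]["consent"]["cars.example"] = {"email"}
    subject = airline.pseudonym("johndoe", "cars.example")
    released = airline.attribute_query("cars.example", subject, ["email", "tier"])

    # C: the airline goes down; SSO stops, but the partners' local accounts still work.
    airline.online = False
    try:
        airline.issue_assertion("johndoe", "pw-air", "hotel.example", now)
        sso_in_outage = True
    except ConnectionError:
        sso_in_outage = False
    return {"sso_user": sso_user, "released": released, "sso_in_outage": sso_in_outage,
            "local_in_outage": hotel.local_login("johnd", "pw-hotel")}
```

Calling run_scenario() shows option B (each partner links the airline's pseudonym to its own local account once and resolves later SSO logins through that link), option D (the attribute query returns only the email the user consented to release, not the loyalty tier), and why option C is least likely: once the airline is marked offline, issue_assertion() fails, but local_login() at the hotel still succeeds. The verify() checks on issuer, audience and expiry are the ones a service provider must not skip: an assertion issued for the hotel is rejected by the car rental company even though both trust the same airline.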

SAML Participants

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

As an identity provider, Taiwan Airline federates with a car rental company and a five-star hotel chain. Customers can log into the airline website with single sign-on (SSO) and reserve hotels or rent cars. Which of the following is least likely to happen? (Wentz QOTD)
A. Assertions or claims about a customer may be described in the JSON format.
B. A customer typically has a user account in each of the airline, car rental, and hotel domains.
C. If the airline system goes down, customers cannot log into other federated systems.
D. Car rental and hotel systems may send a query to the airline for customer data.
