Exam CISSP topic 1 question 273 discussion

SAML SSO (SINGLE SIGN-ON): SAML provides security by eliminating passwords for an app and replacing them with security tokens. Since we do not require any passwords for SAML logins, there is no risk of credentials being stolen by unauthorized users. It provides faster, easier, and trusted access to cloud applications.

The primary security benefit of switching to Security Assertion Markup Language (SAML) is A. It enables single sign-on (SSO) for web applications.

D is the PRIMARY benefit. A is SECONDARY. Answer is D.

A is the technical part how it helps. But D is the benefit. It asks for the benefit, not implementation.

The actual password isn't transmitted during modern authentication, not just in single sign-on. SAML enables single sign-on, the benefit is that users only need 1 password. So the answer is A.

SSO is the technique but D is the benefit of A.

no wonder so many people fail cissp. So many answers are thinking too technical and closed minding saying SSO isnt a security benefit. How is users needing to remember less credentials and having less password resets not a security benefit? While using tokens is a benefit of Saml its not the primary one. Infact SAML tokens can be targets just as much as a password, hash, or ticket can

Answer: It enables single sign-on (SSO) for web applications - 1.1 Drivers of SAML Adoption - SSO https://www.oasis-open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdf 7.1 Web Browser Single Sign-On (SSO) Profiles Note that user authentication at the source site is explicitly out of scope, as are issues related to this source site authentication https://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf

SAML's PRIMARY security benefit is the enablement of Single Sign-On (SSO) for web applications, which enhances security, user experience, and operational efficiency. While not passing the user's password during authentication is a significant security advantage, it is secondary to the core functionality of SAML, which is to facilitate SSO and provide a secure means of identity and access management. So, the correct answer is: A. It enables Single Sign-On (SSO) for web applications. C. is an important aspect of SAML but it is not the PRIMARY security benefit of SAML.

I think D has a better argument

A: is correct.

D. The question clearly asks for security benefit. It seems that not sending passwords is the direct security benefit. "Without SAML or other SSO technologies, applications would have to rely on passwords to verify their users, which is problematic....With SAML, SPs only have to store public keys, which are useless to attackers without the private keys held by the IdP." https://developer.okta.com/blog/2019/07/30/saml-whats-behind-sso

The question is asking for primary SECURITY benefit. SSO is ease of use benefit, where for D, token is being used instead of password, which is more secure. So the answer id D

CISSP Official Study Guide pg 691 - "Security Assertion Markup Language (SAML) is an open XML-based standard commonly used to exchange authentication and authorization (AA) information between federated organizations. It provides SSO capabilities for browser access."

A. is the answer . It enables single sign-on (SSO) for web applications. SAML primarily enables Single Sign-On (SSO) which allows users to authenticate once and access multiple web applications without needing to enter their credentials multiple times. It also allows for centralization of authentication which makes it easier for IT departments to manage users access and permissions for multiple web applications.

SSO reduces attack surface

SAML Provides Increased Security, SSO is definitely an advantage, but from a security benefit point of view, D is the best answer. SAML provides a single point of authentication, which happens at a secure identity provider. Then, SAML transfers the identity information to the service providers. This form of authentication ensures that credentials are only sent to the IdP directly.