A security professional has been assigned to assess a web application. The assessment report recommends switching to Security Assertion Markup Language (SAML). What is the PRIMARY security benefit in switching to SAML?
A.
It enables single sign-on (SSO) for web applications.
B.
It uses Transport Layer Security (TLS) to address confidentiality.
C.
It limits unnecessary data entry on web forms.
D.
The users' password is not passed during authentication.
SAML SSO (SINGLE SIGN-ON): SAML provides security by eliminating passwords for an app and replacing them with security tokens. Since we do not require any passwords for SAML logins, there is no risk of credentials being stolen by unauthorized users. It provides faster, easier, and trusted access to cloud applications.
https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/
You need (usually) to enter the credentials during the first steps to authenticate to the IDP
The correct answer is D. User passwords are not sent.
SAML (Security Assertion Markup Language) is a protocol that helps realize identity federation and single sign-on (SSO). The main security advantage is that the user's password is not sent to the service provider (SP) during authentication, but is instead authenticated using a token (assertion). This reduces the risk of passwords being intercepted or leaked.
Explanation for each option:
A. Enabling SSO: SAML is commonly used to realize SSO, but this question asks about the "main security advantage," and SSO has a strong aspect of improving convenience.
B. Ensuring confidentiality with TLS: TLS ensures confidentiality at the transport layer, but this is not a feature unique to SAML and can be used with other protocols.
C. Restricting unnecessary data entry: This is not a direct security advantage of SAML.
D. User passwords are not sent: Authentication is performed using a token (assertion) instead of directly exchanging passwords, reducing the risk of password leaks. This is the main security advantage of SAML.
It's understandable why some might initially think the answer is D because it highlights an important security aspect of SAML: passwords are not directly passed during authentication. However, let's clarify:
Why A (SSO) is the correct answer:
SAML’s primary purpose is to enable single sign-on (SSO). This means users can authenticate once (with an identity provider, or IdP) and access multiple web applications without repeatedly logging in.
The mechanism of not passing passwords directly is a secondary security feature of SAML, but it's not the primary reason organizations adopt SAML.
In essence, D is a feature of SAML, while A (SSO) is the overarching primary security benefit that comes with using SAML in web applications.
The actual password isn't transmitted during modern authentication, not just in single sign-on. SAML enables single sign-on, the benefit is that users only need 1 password. So the answer is A.
no wonder so many people fail cissp. So many answers are thinking too technical and closed minding saying SSO isnt a security benefit. How is users needing to remember less credentials and having less password resets not a security benefit?
While using tokens is a benefit of Saml its not the primary one. Infact SAML tokens can be targets just as much as a password, hash, or ticket can
Answer: It enables single sign-on (SSO) for web applications - 1.1 Drivers of SAML Adoption - SSO https://www.oasis-open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdf
7.1 Web Browser Single Sign-On (SSO) Profiles Note that user authentication at the source site is explicitly out of scope, as are issues related to this source site authentication
https://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf
SAML's PRIMARY security benefit is the enablement of Single Sign-On (SSO) for web applications, which enhances security, user experience, and operational efficiency. While not passing the user's password during authentication is a significant security advantage, it is secondary to the core functionality of SAML, which is to facilitate SSO and provide a secure means of identity and access management.
So, the correct answer is:
A. It enables Single Sign-On (SSO) for web applications.
C. is an important aspect of SAML but it is not the PRIMARY security benefit of SAML.
D. The question clearly asks for security benefit. It seems that not sending passwords is the direct security benefit.
"Without SAML or other SSO technologies, applications would have to rely on passwords to verify their users, which is problematic....With SAML, SPs only have to store public keys, which are useless to attackers without the private keys held by the IdP."
https://developer.okta.com/blog/2019/07/30/saml-whats-behind-sso
The question is asking for primary SECURITY benefit. SSO is ease of use benefit, where for D, token is being used instead of password, which is more secure. So the answer id D
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Rollizo
Highly Voted 2 years, 3 months agojackdryan
1 year, 8 months agoRollizo
2 years, 3 months agolifre
Most Recent 2 days, 23 hours agoLexyron
1 week, 4 days agophorus
4 weeks, 1 day agoziyaetuk
1 month, 2 weeks agoJohnBentass
7 months agoCCNPWILL
7 months, 2 weeks agoTheManiac
8 months agoklarak
8 months, 1 week agotheMech
9 months agoeboehm
9 months, 1 week agoeboehm
9 months, 1 week agoGuardianAngel
11 months, 1 week agoSoleandheel
1 year, 1 month agoWoo7
11 months, 1 week agoCoolCat22
1 year, 1 month agoxxxBadManxxx
1 year, 6 months agoHughJassole
1 year, 7 months ago[Removed]
1 year, 10 months ago