CASP+ Chapter 14 Authentication and Authorization
OASIS is a standards group responsible for which standards? (Select all that apply.) A. SAML B. XACML C. SOAP D. SPML
Answer: A, B, D. OASIS is responsible for SAML, SPML, and XACML, as well as other standards.
Examples of SSO include which of the following? (Select all that apply.) A. Kerberos B. OpenID systems C. SOAP D. WSDL
Answer: A, B. Kerberos is an enterprise-level SSO. OpenID is an open standard that defines the use of third parties as authentication systems and can be used to build an SSO. An example is when users employ Facebook to log in to other applications.
Certificate-based authentication systems are characterized by which of the following? (Select all that apply.) A. A fairly extensive infrastructure in the form of public key infrastructures (PKIs) B. A trust relationship between a user and a service provider C. A Distinguished Name and an associated public key, with the entire certificate being signed by a trusted third party D. XML
Answer: A, C. Certificate-based authentication is based on public key cryptography and uses PKI to connect public keys to owners. It is composed of elements such as a Distinguished Name and an associated public key, with the entire certificate being signed by a trusted third party.
XML is used in which standards? (Select all that apply.) A. SAML B. SSO C. SMTP D. XACML
Answer: A, D. SAML and XACML are both constructed using XML.
The advantages of SSO include which of the following? (Choose all that apply.) A. Reduced help desk costs B. Improved security from SAML integration C. Reduced complexity of authentication system D. Improved end-user experience
Answer: A, D. Single sign-on can reduce help desk costs through reduced password reset requests, and it improves the end-user experience because of the reduced number of passwords to remember.
Which of the following IEEE protocols provides port-based authentication for Wi-Fi and wired networks? A. 802.1x B. 802.11 C. SPML D. LDAP
Answer: A. 802.1x provides port-based authentication for Wi-Fi and wired networks.
An attestation is _________________________. A. a statement certifying some element to be true B. used to explain details behind assumed facts C. an element of SAML D. an element of certificate-based authentication
Answer: A. Attestation is the act of certifying some element to be true and doing so in some fashion that provides a form of evidence as to its veracity.
As part of an acquisition of a smaller firm, you now have some IT systems that have federated authentication based on the older Liberty Alliance Identity Federation Framework. You need to integrate this into your existing enterprise solution based on SAML 1.1. What is the best course of action for the enterprise as a whole? (Choose all that apply.) A. Upgrade all federated authentication to a SAML 2.0-compliant solution. B. Nothing, because the two systems are already compatible. C. Examine both SAML and Liberty Alliance and pick the best solution for your circumstances. D. Move to an SPML-based solution.
Answer: A. SAML 2.0 integrates Liberty Alliance Identity Federation Framework elements.
Advantages of a SAML-based authentication system include which of the following? (Select all that apply.) A. A single, synchronized password across all systems B. Platform-neutral authentication C. Reduced costs D. Reduced authentication system complexity
Answer: B, C. Advantages of SAML-based authentication include a platform-neutral, improved user experience; strong commercial and open source support; and reduced costs.
Certificate-based authentication uses which of the following to establish proof of identity? (Select all that apply.) A. SAML elements B. Public key cryptography C. XML D. Trust relationships with third parties
Answer: B, D. Public key cryptography, backed by the trust relationship associated with certificate chains, establishes the proof of identity in certificate-based authentication systems.
What is the correct correlation between the OpenID and OAuth standards? A. OpenID and OAuth both handle authentication. B. OpenID handles authentication, and OAuth handles authorization. C. OpenID handles authorization, and OAuth handles authentication. D. OpenID and OAuth both handle authorization.
Answer: B. OpenID provides authentication services, whereas OAuth provides authorization services.
To use XACML, one needs to have a defined set of which of the following? A. Envelope, body, and fault elements B. Policysets containing policies composed of rules C. Profiles, bindings, and protocols D. Identity Provider (IdP), Service Provider (SP), and asserting party
Answer: B. XACML consists of a hierarchy of policysets containing policies composed of rules.
______ defines a declarative access control policy language implemented in XML and a processing model that describes how to interpret the policies. A. SAML B. XACML C. SOAP D. SSO
Answer: B. XACML stands for eXtensible Access Control Markup Language. It is a declarative access control policy language implemented in XML and a processing model that describes how to interpret the policies.
Your firm has a requirement to protect against man-in-the-middle attacks on SSL connections. The easiest method of doing this would be through the use of which of the following? (Select the best single answer.) A. Digital certificate-based authentication B. SAML C. Mutual authentication D. SSL/TLS handshake
Answer: C. Mutual authentication provides a level of security against man-in-the-middle attacks during the handshake process.
SPML is used for what purpose in the enterprise? A. As a mechanism to consolidate digital identities across federated boundaries B. To trust credentials across multiple distinct systems C. To automate the provisioning of web service requests D. As a declarative access control policy language
Answer: C. SPML permits the sharing of user, resource, and service provisioning information between a group of organizations. It enables organizations to quickly set up user interfaces for web services in an automated manner.
Your firm needs to purchase a third-party application to assist in the exchange of authentication and authorization data between security domains. You want to ensure interoperability, so you insist that the vendor's solutions are compliant with the _____ standard. A. SPML B. XML C. SAML D. SSO
Answer: C. Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains.
Which of the following uses public key cryptography to provide a secure means of authentication? A. Basic authentication B. Digest authentication C. Form-based authentication D. Certificate-based authentication
Answer: D. Certificate-based authentication is the most secure authentication scheme. A certificate-based authentication scheme uses public key cryptography and a digital certificate to authenticate a user.
A user requests authentication from an Identity Provider (IdP), which becomes an asserting party across a trust relationship to a Service Provider (SP), which then can use the asserted credentials in making an access control decision for the user. This describes which standard? A. SPML B. XACML C. SSO D. SAML
Answer: D. Identity Providers (IdPs) and Service Providers (SPs) are elements of SAML.
Which of the following standards defines profiles, bindings, protocols, and assertions? A. SOAP B. XACML C. SPML D. SAML
Answer: D. SAML is defined in terms of assertions, protocols, bindings, and profiles.
Which method uses a separate federated identity management system to broker resource access between service providers and identity providers? A. Active Directory B. Kerberos C. SOAP D. WAYF
Answer: D. Where Are You From (WAYF) is a centralized SSO implementation frequently used by university federations to anchor resource access between federated partners. Unlike some SSO methods, WAYF acts as a proxy between federated identity providers and service providers.