CCT 059: SAML, OAuth, OPENID - CISSP Exam Questions (Domain 5)

CISSP Domain 5 | Aug 03, 2023

What if you could confidently face the CISSP exam knowing you've got a strong grasp of crucial topics like SAML and Identity and Access Management? Join me, Sean Gerber, your guide through the maze of CISSP exam preparation, as I tackle a series of exam-related questions that will significantly bolster your study routine. Together, we'll unpack concepts like the primary purpose of SAML, OAuth2's main function, and the characteristics of multi-factor and biometric authentication. 

Prepare to have your understanding deepened as we delve into the subtle differences between user authentication and user authorization. We'll dissect the concept of single sign-on, and separate the wheat from the chaff in terms of what constitutes biometric authentication. Whether you're an auditory learner or prefer to watch, don't worry - I've got you covered. You can also head to CISSP Cyber Training, where all these questions are available in video and audio format. So, gear up and let's step up your CISSP exam preparation!

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey y'all, it's Sean Gerber with CISSP Cyber Training, and today is CISSP exam Thursday. So we are going to be talking about CISSP questions as it relates to taking the exam and what are some key questions you need to be aware of as you're studying for the exam. So let's get into it. This is going to be tied to SAML and Identity and Access Management, and so these are some of the questions that you may end up seeing something similar to. At least, these won't be the exact questions you'll see, but there'll be some that will be similar.

So let's start off with question number one: what is the primary purpose of SAML? Okay, so, as we're talking about SAML, that deals with identity and authentication. Question, I should say answer, A is to provide an access token. B is the exchange of user authentication and authorization data. C is to provide an ID token, or D to validate a user's identity through biometric data. Okay, so the question is again: what is the primary purpose of SAML? And then A, to provide an access token. B, to exchange user authentication and authorization data. C, to provide an ID token. Or D, to validate the identity through biometric data. So, if you deal with SAML, SAML is basically designed as a... it's a standard, right, and it's a standard for exchanging authentication and authorization data between an identity provider and the service provider. SAML is used out there. There's OpenID, there's various other ones that are available, but SAML is an open standard, and so you want to look at a SAML that does provide tokens, but the main purpose of it is to exchange user data in the form of what they call assertions. So, when you're talking about these questions, the primary purpose of SAML is to exchange user authentication and authorization data. So you don't want to bite off on A, which would be to provide an access token, which it does, but its primary purpose is to exchange user authentication and authorization data.

Question two: OAuth2 is primarily used for which of the following? A, user authentication. B, user authorization. C, data encryption. Or D, data integrity checks. So the easy ones that you would actually throw out obviously would be data encryption, it's not tied to that, or a data integrity check, which is usually what would not be tied to OAuth2. Again, it's a protocol that applies basically application access for the user data and when you're connecting with another application. Now the key question around that is, if you're dealing with authorization, then the answer would be B, right? So it's designed to be providing... it does provide some level of authentication, but when you're using it in conjunction with OpenID. But the primary purpose of OAuth2 is authorization. So we put that in mind. OAuth2 will do user authentication, but that's not its primary purpose. Its primary purpose is authorization.

Question three: which of the following authentication protocols also provides an ID token? A, SAML. B, OAuth2. C, OpenID Connect. Or D, Kerberos? Okay, again, which of the following authentication protocols also provides an ID token? A, SAML. B, OAuth2. C, OpenID Connect. Or D, Kerberos? And the answer would be C. OpenID Connect is built on top of OAuth2, but it does add an ID token for accessing provided by OAuth2. So keep that in mind, that it sits on top of OAuth2. Then the ID token contains a set of claims about the user's identity, such as their name, their email address and so on. So keep that in mind. So again, OpenID is built on top of OAuth2 and it adds an ID token to the access token.

You have lots of tokens, so it can get a little bit confusing which or what type of token is used by an application in OAuth2 to make API requests on behalf of the user. Okay, so now we're dealing with OAuth2 and we're making API requests, so application programming interfaces. A is access token. B, refresh token. C, ID token. Or D, SAML token. Okay, so we know SAML token, it's not a token, right? So we're gonna throw that one out. And then when you're dealing with an ID token, it's... that doesn't really make much sense. So what the question is coming down to is, what type of token is used by the application in OAuth2 to make an API request on behalf of the user? And the access or the... the answer is A, access token, right? So the access token is used by the application in OAuth2 to make API requests on behalf of the user.

Question six: single sign-on. Okay, so single sign-on eliminates the need, or SSO eliminates the need for multiple logins by allowing users to, A, share their passwords. B, use one set of credentials to access multiple applications. C, bypass the login process entirely. Or D, generate temporary passwords. Okay. So the question six: single sign-on eliminates the need for multiple logins by allowing users to, A, share passwords. That's not right. Use one set of credentials to access multiple applications. Bypass the login process entirely? No. And then D, generate temporary passwords. That's not what it's designed to do. So SSO is to use one set of credentials to access multiple applications. So again, single sign-on, right? You know, multiple sign-ons. This basically allows users to use one set of credentials, a username and password, to access multiple applications. You'll see this with Facebook and Gmail and all these various other things that are out there. They will use one comment or one username and password to allow you the access that you want.

Question seven: which of the following is not a characteristic of multi-factor authentication, or MFA? A, it requires one or more methods of authentication. B, it integrates a single-layer defense. C, it uses independent categories of credentials. Or D, it uses... it is used to verify the user's identity for login transactions. The answer is B, it creates a single-layer defense, right? So MFA creates a layered defense, not a single-layer defense, and so that's basically what they're talking about: what is not a characteristic of multi-factor authentication. So what is the following? So which of the following is not a characteristic of multi-factor authentication? A, requires more than one method of authentication. B, it creates a single-layer defense. C, it uses independent categories of authentication. And so that's basically what they're talking about. What is not a characteristic, right? So it is... it's a multi-layer, multi-level defense, and what it does is it requires multiple levels of authentication, which makes it much more difficult for an unauthorized person to gain access. Again, focus on this: which is not a characteristic of multi-factor.

Question 8: what type of authentication relies on unique biological characteristics of an individual? A, single-factor authentication. B, multi-factor authentication. C, biometric authentication. Or D, token-based authentication? Again, what authentication relies on the biological characteristics of an individual? A, single authentication. B, multi-factor authentication. C, biometric authentication. Or D, token-based authentication? And the answer is C, biometrics. Right? Biometrics rely on unique biological characteristics of a person, such as fingerprints, scans or facial recognition. Key factors around that. Okay, so these are... I'm on question 8.

If you guys like these questions, you can also go to CISSPCyberTraining.com and you can check out all these questions available to you. The great part about CISSP Cyber Training is the fact that these questions I go over, there's also video that goes with them, so that if you are one that listens or one that likes to watch, this is the greatest place to go, because you'll have actually all these CISSP questions in video format as well as in audio format.

Okay so, question 9: which of the following is not a type of biometric authentication? A, iris scans. B, passwords. C, facial recognition. Or D, fingerprint scans. Okay, so, just the last question, we talked about what is biometric. The question here is what is not a type of biometric, and that would be answer B, passwords. Right, passwords are not biometric. It's something you know, but they're not something that you are.

Okay, question 10: when an identity provider sends an assertion to a service provider in SAML, which of the following information does it not contain? Again? Let me re-go that question again. When an identity provider sends an assertion to a service provider in SAML, which of the following information does it not contain? I can't get that right even the second time around. A, user's email. B, user's password. C, user's username. Or D, user's authentication status. Okay, so which does it not contain? User's email, their password, their username or their authentication status? So if you go through those, you can pretty much narrow it out. We never want to share passwords, right, even in any sort of authentication, so the answer would be B, right? SAML assertions do not include the user's password. Okay, they typically contain information such as username, email and authentication status, but not sensitive data such as passwords.

Question 11: in the context of OpenID Connect, what are the claims? A, tokens that are provided by the authentication server. B, the user's attributes contained in the ID token. C, a list of APIs that an application can access. Or D, the user's password and username. Okay, in the context of OpenID Connect, what are claims? A, tokens that provide the authorization server. B, user attributes contained in the ID token. C, a list of APIs that an application can access. Or D, the user name's password and username. Yeah, that's what I meant, password and username. And the answer is B, user attributes contained in the ID token. Okay, the OpenID Connect claims are user attributes contained in the ID token. These can include information about the user's identity, such as name, email address and more.

Question 12: what are the three types of credentials used in multi-factor authentication? A, something you know, something you have or something you need. B, something you know, something you have and something you are. C, something you are, something you need and something you provide. Or D, something you know, something you can't provide and something you need. Okay. So if we go through this, this is one of the key factors revolving around multi-factor: it is something you know, okay, so i.e. a password; something you have, could be like a token of some kind, you know the old RSA-type tokens, or maybe your phone has a multi-factor authentication on it; or something you are, i.e. biometrics or fingerprint scans. So there's those three types that come with that. So something you know is a password, something you have is a physical token, or something you are is a biometric attribute.

Question 13: which of the following is not a use case for OAuth 2? A, allowing users multiple applications with a single set of credentials. B, an application to access user data and other applications. C, enabling third-party applications to use services like Google Maps or Twitter. Or D, providing one application the ability to access the data of another application on the user's behalf. So which of the following is not a use case of OAuth 2? The answer is A, allowing a user to log in to multiple applications with a single set of credentials. OAuth 2 is not used for allowing users to do that. That is what we call a use case for single sign-on, or SSO, or protocols such as SAML and OpenID Connect. We talked about where OAuth 2 sits just previously.

What information does an ID token in OpenID contain? A, a set of user attributes known as claims. B, the user's login credentials. C, the user's biometric data. Or D, the encryption key for the user's data. We know this right away. Just going into it, those three, the user's login, biometrics and their encryption key, would not be something you'd want to have in your ID token with OpenID Connect, so I would throw those out immediately. So it's basically a set of user attributes known as claims. So an ID token in OpenID Connect contains a set of user attributes known as claims. These can include information such as username, email address and so much more. We wouldn't want to put anything that's sensitive, such as passwords or biometric data or anything like that, inside an OpenID Connect token.

Last question: which of the following best describes the relationship between OpenID Connect and OAuth 2? Okay, the answer question, or I should say one of the answers: OpenID Connect and OAuth2 are completely separate protocols with different purposes. OpenID Connect is an extension of OAuth2 and adds additional functionality. OpenID Connect is an older version of OAuth2. And OAuth2 is a subset of the functionality provided by OpenID Connect. Well, we talked about this. What does OpenID Connect do? It sits on top of OAuth2. So it is an extension and it adds additional functionality. That's the whole... was again. So, OpenID Connect is an extension. We talked about that, where it does, specifically around user authentication. But open auth, or OAuth2, provides authorization capabilities and OpenID Connect extends it to also provide authentication, primarily through the use of an ID token. Okay, so that's getting OpenID. It gives you an ID token and it sits on top of OAuth2.

All right, thank you very much. I hope you guys have a wonderful day. I hope you enjoy the CISSP Cyber Training questions. Also go to CISSP Cyber Training, if you're listening to this on the podcast. You can also go to FreeCISSPQuestions.com and you can be added to a list that will give you 30, I mean 30, 330 questions every single month over the CISSP, and you can get those for free just for joining my email list. And you'll get other stuff as well. Right, we have security news and so forth. But go ahead, check it out, FreeCISSPQuestions.com, or go to CISSP Cyber Training and sign up today. All right, have a great day and we'll catch you on the flip side. See you.
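The ID token and claims that several of the questions above come back to, shown as an added example that is not part of the episode: a minimal OpenID Connect ID token is minted with identity claims (sub, name, email) and then validated the way a relying party must before trusting any claim: signature, issuer, audience and expiry. The issuer, client id and HS256 key are constructed placeholders; real providers sign ID tokens with asymmetric keys published via JWKS, and the audience check is also why an OAuth2 access token issued for an API would be rejected if presented as an ID token.

```python
import base64, hashlib, hmac, json, time

# Constructed values: a hypothetical provider, client id and shared HMAC key.
# Real providers sign ID tokens with RS256/ES256 keys published via JWKS;
# HS256 is used here only so the example runs offline.
ISSUER = "https://idp.example.test"
CLIENT_ID = "demo-client"
SECRET = b"constructed-demo-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict, key: bytes = SECRET) -> str:
    """What the OpenID provider does: sign the claims into a compact JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, key: bytes = SECRET, now=None) -> dict:
    """What the relying party must do before trusting any claim: check the
    signature, issuer, audience and expiry. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or a downgrade
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:  # an access token meant for an API fails here
        raise ValueError("token not issued to this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims

def is_valid(token: str, now: int, key: bytes = SECRET) -> bool:
    try:
        validate_id_token(token, key, now)
        return True
    except ValueError:
        return False
```

The claims returned carry identity attributes only; nothing like a password belongs in the token, which matches the answers to questions 10, 11 and 14 above.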

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
