Weekly CISSP Practice

Exam Questions

Week 17 - Question 1

Which protocol allows for Single Sign-On (SSO) across multiple organizations?

A. OAuth

B. SAML

C. RADIUS

D. LDAP

Answer: B

Explanation:
A. OAuth (Open Authorization)
OAuth is primarily an Authorization framework, not an authentication protocol, though authentication layers are often built on top of it (OpenID Connect being the common one).

The Goal: OAuth allows a user to grant a third-party application access to their resources (like their Google Photos or Twitter feed) without sharing their actual password. It uses Access Tokens to facilitate this permission.

The Scope: While it is vital to modern web security, OAuth alone does not carry the "Identity" assertion that cross-organizational SSO in a corporate setting requires.

B. SAML (Security Assertion Markup Language)
SAML is an XML-based framework used to exchange authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP).

Why it's the Answer: SAML is the backbone of Federated Identity. It allows an employee at "Company A" to use their corporate credentials to log into a cloud service provided by "Company B."

The Mechanism: The IdP authenticates the user and passes a "SAML Assertion" (a digitally signed XML document) to the SP. Because the SP trusts the IdP, it allows the user access. This is the definition of Single Sign-On (SSO) across distinct security domains.

C. RADIUS (Remote Authentication Dial-In User Service)
RADIUS is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management.

The Use Case: It is traditionally used for users connecting to a network via VPNs, 802.1X wireless access points, or dial-up modems.

The Limitation: RADIUS is typically confined to a single organization’s infrastructure (though "Roaming RADIUS" exists, it is not a web-based SSO standard). It uses a client-server model rather than the browser-based assertion model used in modern federation.

D. LDAP (Lightweight Directory Access Protocol)
LDAP is a protocol used to query and manage information in a directory service, such as Microsoft Active Directory.

The Role: It is the "language" used to look up user attributes, group memberships, and credentials within a private network.

The Constraint: LDAP is highly effective for SSO inside an organization’s perimeter (intranet). However, exposing LDAP to the open internet for cross-organizational access is a significant security risk. SAML was designed to solve this exact problem by acting as a secure, web-friendly wrapper for identity exchange.

Key Takeaway for the CISSP Exam
Federation Terminology:

  • Identity Provider (IdP): The entity that holds the user's credentials and verifies their identity (e.g., Okta, Azure AD).
  • Service Provider (SP): The entity providing the resource or application (e.g., Salesforce, Slack).
  • Trust Relationship: For federation to work, the SP must be configured to trust the digital signatures of the IdP.
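The mechanism described under SAML above and the trust relationship in the takeaway, as an added example that is not part of the original page: the checks a Service Provider at "Company B" performs on an assertion from "Company A"'s IdP before granting access. The entity IDs, key and assertion are constructed for the example, and an HMAC stands in for the XML-DSig signature so that the script runs on the Python standard library alone.

```python
import hashlib, hmac, xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed trust configuration for this example: the SP trusts one IdP, keyed by
# its entityID. Real SAML signs with XML-DSig (RSA/ECDSA over canonicalized XML, verified
# against the IdP certificate from metadata); an HMAC key stands in for that here.
TRUSTED_IDPS = {"https://idp.company-a.example/saml": b"constructed-demo-key"}
SP_ENTITY_ID = "https://app.company-b.example/saml/metadata"

# Constructed sample assertion: Company A's IdP vouching for alice to Company B's SP.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml:Issuer>https://idp.company-a.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@company-a.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2025-01-01T00:00:00Z" NotOnOrAfter="2025-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.company-b.example/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sign(assertion_xml: str, key: bytes) -> str:
    """IdP side: detached signature over the assertion (stand-in for XML-DSig)."""
    return hmac.new(key, assertion_xml.encode(), hashlib.sha256).hexdigest()

def validate_assertion(assertion_xml: str, signature: str, now: datetime,
                       trusted_idps=TRUSTED_IDPS, sp_entity_id=SP_ENTITY_ID) -> str:
    """SP side: return the asserted NameID if every trust check passes, else raise ValueError."""
    root = ET.fromstring(assertion_xml)
    # Issuer is read only to pick the verification key; if it lies, the signature fails.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    key = trusted_idps.get(issuer)
    if key is None:
        raise ValueError(f"untrusted issuer: {issuer}")
    if not hmac.compare_digest(sign(assertion_xml, key), signature):
        raise ValueError("signature verification failed")
    # Only now may the assertion's contents be believed.
    cond = root.find("saml:Conditions", NS)
    if not parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion was issued for a different SP")
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

A production SP additionally verifies the XML-DSig signature against the certificate published in the IdP's metadata and records assertion IDs so a captured assertion cannot be replayed.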

Podcasts

Check out my weekly podcasts, which delve deep into the topics relevant to each of the CISSP domains. In addition, I go over specific questions and how they can be interpreted and answered.

CISSP Cyber Training Academy

Tired of not knowing how to study for the CISSP Exam?

Check out the CISSP Cyber Training Academy to help you on your journey!

CISSP Cyber Training - YouTube

Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.
