
CAS-002 · Question #230

CAS-002 Question #230: Real Exam Question with Answer & Explanation

The correct answer is A: Transient identifiers.

Question

Which of the following does SAML use to prevent government auditors or law enforcement from identifying specific entities as having already connected to a service provider through an SSO operation?

Options

  • A. Transient identifiers
  • B. Directory services
  • C. RESTful interfaces
  • D. Security bindings

Explanation

SAML transient identifiers are randomly generated, session-scoped pseudonyms that expire after use and cannot be correlated across sessions, preventing third parties from tracking a user's SSO activity.

Common mistakes.

  • B. Directory services such as LDAP or Active Directory store and retrieve persistent identity attributes - they do not generate anonymous or transient identifiers and would make identification of users easier, not harder.
  • C. RESTful interfaces are an HTTP-based architectural style for APIs and have no role within the SAML protocol stack for anonymizing or obscuring user identities across SSO operations.
  • D. Security bindings in SAML define how SAML messages are transported over specific protocols (HTTP redirect, POST, SOAP) and have nothing to do with protecting the anonymity of the identifier used in the assertion.

Concept tested. SAML transient identifiers for cross-session SSO anonymity.

Reference. https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
