CAS-003 Question #404: Real Exam Question with Answer & Explanation
The correct answer is A: The application only supports SP-initiated authentication.
Question
Options
- A. The application only supports SP-initiated authentication.
- B. The IdP only supports SAML 1.0.
- C. There is an SSL certificate mismatch between the IdP and the SaaS application.
- D. The user is not provisioned correctly on the IdP.
Explanation
SAML 2.0 supports two authentication flows: (1) IdP-initiated, where the user logs into the IdP first and is redirected to the application with a SAML assertion, and (2) SP-initiated, where the user navigates to the Service Provider (application) first, the SP redirects the user to the IdP for authentication, and the IdP then sends the assertion back to the SP. An SP that supports only the SP-initiated flow rejects an unsolicited assertion because there is no outstanding authentication request of its own for the response to correspond to. So when authentication fails if started at the IdP but succeeds when the user browses to the application first, this is a textbook symptom of the application supporting only the SP-initiated flow, and redirecting users to the application first is the correct workaround. Option B is wrong because the scenario states SAML 2.0 is in use. Option C (SSL mismatch) would cause errors in both flows. Option D (user provisioning) would also fail in both directions.