nerdexam
(ISC)2

CISSP · Question #141

What is a common challenge when implementing Security Assertion Markup Language (SAML) for identity integration between on-premise environment and an external identity provider service?

The correct answer is A. Some users are not provisioned into the service.. A common challenge with SAML-based identity integration is that users may not be properly provisioned into the external service, as SAML handles authentication but does not inherently handle user provisioning.

Submitted by hans_de· Mar 5, 2026Identity and Access Management

Question

What is a common challenge when implementing Security Assertion Markup Language (SAML) for identity integration between on-premise environment and an external identity provider service?

Options

  • ASome users are not provisioned into the service.
  • BSAML tokens are provided by the on-premise identity provider.
  • CSingle users cannot be revoked from the service.
  • DSAML tokens contain user information.

How the community answered

(46 responses)
  • A
    89% (41)
  • B
    7% (3)
  • C
    2% (1)
  • D
    2% (1)

Why each option

A common challenge with SAML-based identity integration is that users may not be properly provisioned into the external service, as SAML handles authentication but does not inherently handle user provisioning.

ASome users are not provisioned into the service.Correct

SAML provides authentication and single sign-on capabilities but does not natively handle user provisioning or lifecycle management. When integrating on-premise identity with an external identity provider via SAML, a common challenge is that some users may not be provisioned into the service because SAML relies on separate provisioning mechanisms (such as SCIM or manual processes) to ensure user accounts exist in the target service. This gap between authentication and provisioning is a well-known operational challenge in SAML deployments.

BSAML tokens are provided by the on-premise identity provider.

SAML tokens being provided by the on-premise identity provider is expected normal behavior in a SAML federation, not a challenge.

CSingle users cannot be revoked from the service.

SAML does not prevent single user revocation; users can be revoked from the service through administrative controls and provisioning systems, so this is not an inherent SAML limitation.

DSAML tokens contain user information.

SAML tokens containing user information (attributes/claims) is by design and is a core feature of SAML assertions, not a challenge.

Concept tested: SAML identity federation provisioning challenges

Source: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/plan-sso-deployment

Topics

#SAML#identity integration#user provisioning#federated identity

Community Discussion

No community discussion yet for this question.

Full CISSP Practice