CISSP · Question #141
What is a common challenge when implementing Security Assertion Markup Language (SAML) for identity integration between on-premise environment and an external identity provider service?
The correct answer is A. Some users are not provisioned into the service.. A common challenge with SAML-based identity integration is that users may not be properly provisioned into the external service, as SAML handles authentication but does not inherently handle user provisioning.
Question
What is a common challenge when implementing Security Assertion Markup Language (SAML) for identity integration between on-premise environment and an external identity provider service?
Options
- ASome users are not provisioned into the service.
- BSAML tokens are provided by the on-premise identity provider.
- CSingle users cannot be revoked from the service.
- DSAML tokens contain user information.
How the community answered
(46 responses)- A89% (41)
- B7% (3)
- C2% (1)
- D2% (1)
Why each option
A common challenge with SAML-based identity integration is that users may not be properly provisioned into the external service, as SAML handles authentication but does not inherently handle user provisioning.
SAML provides authentication and single sign-on capabilities but does not natively handle user provisioning or lifecycle management. When integrating on-premise identity with an external identity provider via SAML, a common challenge is that some users may not be provisioned into the service because SAML relies on separate provisioning mechanisms (such as SCIM or manual processes) to ensure user accounts exist in the target service. This gap between authentication and provisioning is a well-known operational challenge in SAML deployments.
SAML tokens being provided by the on-premise identity provider is expected normal behavior in a SAML federation, not a challenge.
SAML does not prevent single user revocation; users can be revoked from the service through administrative controls and provisioning systems, so this is not an inherent SAML limitation.
SAML tokens containing user information (attributes/claims) is by design and is a core feature of SAML assertions, not a challenge.
Concept tested: SAML identity federation provisioning challenges
Source: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/plan-sso-deployment
Topics
Community Discussion
No community discussion yet for this question.