nerdexam
(ISC)2

CISSP · Question #385

Which of the following authorization standards is built to handle Application Programming Interface (API) access for Federated Identity Management (FIM)?

The correct answer is B. Open Authentication (OAUTH). OAuth is an authorization framework specifically designed to grant third-party applications limited access to APIs without exposing user credentials, making it the standard for API access in Federated Identity Management.

Submitted by yuriko_h· Mar 5, 2026Identity and Access Management

Question

Which of the following authorization standards is built to handle Application Programming Interface (API) access for Federated Identity Management (FIM)?

Options

  • ASecurity Assertion Markup Language (SAML)
  • BOpen Authentication (OAUTH)
  • CRemote Authentication Dial-in User service (RADIUS)
  • DTerminal Access Control Access Control System Plus (TACACS+)

How the community answered

(61 responses)
  • A
    8% (5)
  • B
    87% (53)
  • C
    2% (1)
  • D
    3% (2)

Why each option

OAuth is an authorization framework specifically designed to grant third-party applications limited access to APIs without exposing user credentials, making it the standard for API access in Federated Identity Management.

ASecurity Assertion Markup Language (SAML)

SAML (Security Assertion Markup Language) is an XML-based standard focused on authentication and SSO for web browser-based federated identity, not specifically designed for API access authorization.

BOpen Authentication (OAUTH)Correct

OAuth (Open Authorization) is an open standard authorization framework designed explicitly for delegated API access, allowing applications to obtain limited access tokens to interact with services on behalf of a user. It is the foundational protocol used in Federated Identity Management for API-level authorization, enabling secure token-based access across different identity domains. OAuth 2.0 is widely adopted by major platforms (Google, Microsoft, etc.) specifically to control API access without sharing credentials.

CRemote Authentication Dial-in User service (RADIUS)

RADIUS is a network access authentication, authorization, and accounting (AAA) protocol primarily used for authenticating dial-in and network device users, not for API access or federated identity management.

DTerminal Access Control Access Control System Plus (TACACS+)

TACACS+ is a Cisco-proprietary AAA protocol used for device administration and network access control, not designed for API access or federated identity management scenarios.

Concept tested: OAuth authorization standard for API access in FIM

Source: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Topics

#OAuth#API security#Federated Identity Management#Authorization standards

Community Discussion

No community discussion yet for this question.

Full CISSP Practice