
SY0-501 Question #308: Real Exam Question with Answer & Explanation

Submitted by thandi_sa · Mar 4, 2026

Question

Company XYZ has decided to make use of a cloud-based service that requires mutual, certificate-based authentication with its users. The company uses an SSL-inspecting IDS at its network boundary and is concerned about the confidentiality of the mutual authentication. Which of the following models prevents the IDS from capturing credentials used to authenticate users to the new service or keys to decrypt that communication?

Options

  • A. Use of OATH between the user and the service and attestation from the company domain
  • B. Use of active directory federation between the company and the cloud-based service
  • C. Use of smartcards that store x.509 keys, signed by a global CA
  • D. Use of a third-party, SAML-based authentication service for attestation

Explanation

The correct answer is B. With Active Directory federation (AD FS), the user's primary authentication happens against the company's own federation server inside the network boundary: the password, smartcard PIN or private key is only ever presented to an internal system. What the cloud service receives is a claims token signed by the federation server, and that signed token is the only authentication material that crosses the boundary. The SSL-inspecting IDS can see the token and the TLS session to the cloud service, but it never sees the user's credential, and it holds no key that would let it decrypt or forge the federation server's signature. That is why federation, rather than stronger per-user credentials, is what keeps the authentication confidential at the inspection point.

Common mistakes.

  • A. OATH here is the Initiative for Open Authentication (HOTP/TOTP one-time passwords), not OAuth. It strengthens the credential but does nothing about where the credential travels: the OTP and the certificate-based exchange still go from the user straight to the service, through the SSL-inspecting IDS, which terminates and re-originates the TLS session in a man-in-the-middle position and can therefore inspect what the user sends.
  • C. Smartcards holding X.509 keys provide strong, certificate-based authentication, and the private key itself stays on the card. But the authentication is still performed directly between the user and the cloud service, so the exchange passes through the SSL-inspecting IDS, which must terminate, decrypt and re-encrypt that traffic; the certificate exchange and session-key negotiation are therefore exposed at the boundary, and the IDS is in a position to interfere with the mutual authentication rather than merely observe it.
  • D. A generic third-party, SAML-based authentication service may still require the user's credentials to be sent across the network boundary to that third party, where the SSL-inspecting IDS could intercept them. It does not guarantee that primary authentication occurs internally within the company, which is the property the question asks for.
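The following is an added illustration of the point above, not code from nerdexam or from Microsoft's AD FS. It models the two paths side by side: the federated path (option B), where the credential goes to an internal IdP and only a signed token crosses an inspecting proxy, and the direct path, where the credential itself crosses the proxy. Token signing uses an HMAC shared by IdP and service as a stand-in for the X.509/RSA signature AD FS places on a SAML assertion; in a real deployment the service verifies with the IdP's public certificate and holds no secret. The host names, user, password and signing key are all constructed sample data.

```python
"""Federation vs. direct authentication across a TLS-inspecting boundary (toy model).

Added example. InternalIdP stands in for AD FS, InspectingProxy for the
SSL-inspecting IDS, CloudService for the relying party. HMAC is an assumed
stand-in for the IdP's certificate signature on a SAML assertion.
"""
import base64
import hashlib
import hmac
import json
import time

AUDIENCE = "cloud.example"  # constructed relying-party identifier


class InspectingProxy:
    """Boundary device that terminates TLS and so sees every message it forwards."""

    def __init__(self):
        self.captured = []

    def forward(self, message):
        self.captured.append(json.dumps(message, sort_keys=True))
        return message

    def saw(self, needle):
        """True if the given secret string crossed the boundary in the clear."""
        return any(needle in m for m in self.captured)


class InternalIdP:
    """Federation server inside the company network; the directory never leaves it."""

    def __init__(self, signing_key, directory):
        self._signing_key = signing_key
        self._directory = directory  # user -> password (constructed sample data)

    def authenticate(self, user, password):
        """Primary authentication, performed inside the boundary."""
        if not hmac.compare_digest(self._directory.get(user, ""), password):
            return None
        claims = {"sub": user, "iss": "adfs.xyz.example",
                  "aud": AUDIENCE, "exp": int(time.time()) + 300}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        return {"token": body, "sig": sig}  # the only thing that crosses the boundary


class CloudService:
    """Relying party: trusts IdP-signed tokens; passwords only matter on the direct path."""

    def __init__(self, verify_key, password_table=None):
        self._verify_key = verify_key
        self._passwords = password_table or {}

    def accept_token(self, message):
        expected = hmac.new(self._verify_key, message["token"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["sig"]):
            return None  # tampered or forged token
        claims = json.loads(base64.urlsafe_b64decode(message["token"]))
        if claims["aud"] != AUDIENCE or claims["exp"] < time.time():
            return None  # wrong audience or expired
        return claims["sub"]

    def accept_password(self, message):
        if hmac.compare_digest(self._passwords.get(message["user"], ""), message["password"]):
            return message["user"]
        return None


def federated_login(proxy, idp, service, user, password):
    """Option B: credential goes to the internal IdP; only the signed token passes the IDS."""
    token = idp.authenticate(user, password)  # internal hop, not forwarded through the proxy
    if token is None:
        return None
    return service.accept_token(proxy.forward(token))


def direct_login(proxy, service, user, password):
    """Contrast: authenticating straight to the service puts the credential in front of the IDS."""
    return service.accept_password(proxy.forward({"user": user, "password": password}))


def forge_subject(message, new_user):
    """What an on-path device could try with a captured token: rewrite the subject claim."""
    claims = json.loads(base64.urlsafe_b64decode(message["token"]))
    claims["sub"] = new_user
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return {"token": body, "sig": message["sig"]}  # signature no longer covers the body


if __name__ == "__main__":
    key = b"token-signing-key-sample"  # constructed
    users = {"alice": "correct horse battery staple"}  # constructed
    idp, service = InternalIdP(key, users), CloudService(key, users)
    fed, direct = InspectingProxy(), InspectingProxy()
    print("federated:", federated_login(fed, idp, service, "alice", users["alice"]),
          "IDS saw password:", fed.saw(users["alice"]))
    print("direct:", direct_login(direct, service, "alice", users["alice"]),
          "IDS saw password:", direct.saw(users["alice"]))
```

Running the script shows the IDS capturing the password on the direct path but not on the federated path, and a captured token with a rewritten subject is rejected because the signature no longer verifies. The same structure holds for a smartcard credential: on the direct path the mutual-TLS handshake runs through the inspection point, on the federated path it runs only against the internal IdP.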

Concept tested. Identity Federation for secure credential handling

Reference. https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-overview
