Which of the following solution building blocks should the security architect use to BEST meet the requirements?

A security architect is determining the best solution for a new project. The project is developing a new intranet with advanced authentication capabilities, SSO for users, and automated provisioning to streamline Day 1 access to systems. The security architect has identified the following requirements:
1. Information should be sourced from the trusted master data source.
2. There must be future requirements for identity proofing of devices and users.
3. A generic identity connector that can be reused must be developed.
4. The current project scope is for internally hosted applications only.
Which of the following solution building blocks should the security architect use to BEST meet the requirements?
A. LDAP, multifactor authentication, oAuth, XACML
B. AD, certificate-based authentication, Kerberos, SPML
C. SAML, context-aware authentication, oAuth, WAYF
D. NAC, radius, 802.1x, centralized active directory

5 thoughts on “Which of the following solution building blocks should the security architect use to BEST meet the requirements?”

  1. OAuth is what kills A as the answer. It’s for sharing account information with third parties, which breaks requirement 4.

    I go with B.

  2. B – meets all the requirements and is the ONLY one that meets the “automated provisioning to streamline Day 1 access to systems.” as outlined in the narrative with SPML.

  3. A doesn’t really make sense as XACML is more for between web vendors and allows automated access control
    B Kerberos allows for generic identity connector, and meets the SSO requirement
    C is a hard no as once again oAuth and WAYF is rarely for just internal use.
    D doesn’t make sense NAC and 802.1x? so no

    oAuth is more for third party integration…
    Automated provisioning is SPML
    SPML also provisions for users
    One could say attestation for the first requirement is covered by certificates.

    I’m going to go with a tentative B on this one.
    Advanced authentication is covered by AD/LDAP

    1. 1. Information should be sourced from the trusted master data source.
      2. There must be future requirements for identity proofing of devices and users.
      3. A generic identity connector that can be reused must be developed.
      4. The current project scope is for internally hosted applications only.

      I like B on this one too because Active Directory is a trusted master data source. Identity proofing of devices and users can be done using client-side certificates and the very last requirement states internal use. Kerberos is a known SSO and internally used protocol.

  4. Anyone have any thoughts on this one?
    Seems like certificates could prove identity of users and devices?
