Exam CAS-004
Question 10

An organization is implementing a new identity and access management architecture with the following objectives:

✑ Supporting MFA against on-premises infrastructure

✑ Improving the user experience by integrating with SaaS applications

✑ Applying risk-based policies based on location

✑ Performing just-in-time provisioning

Which of the following authentication protocols should the organization implement to support these requirements?

    Correct Answer: C

    D

    Reference:

    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory

Discussion
Pongpisit (Option: B)

SAML and RADIUS

AenAllAin

I don't see how the answer could not be B...

1. The cited reference just points to an Azure AD manual.
2. JIT Provisioning uses SAML.
3. RADIUS is a true AAA; whereas, TACACS did not separate the AAA functionality until XTACACS and TACACS+.
4. Windows services tie you to Kerberos in their stack, but not all SaaS are Windows based.

...maybe I'm wrong

AlexJacobson (Option: B)

Definitely SAML and RADIUS (SAML because of just-in-time, and RADIUS because of AAA)

23169fd (Option: B)

OAuth and OpenID Connect are excellent for modern, web-based authentication scenarios, especially for integrating with SaaS applications and providing seamless SSO. However, OAuth and OpenID Connect do not inherently support MFA for on-premises infrastructure. They are more geared towards web and mobile applications and may require additional components to fully support MFA and risk-based policies for on-premises systems.

Remmmie (Option: C)

OAuth and OpenID

jhxetc (Option: C)

You could make arguments for B, however C will be the correct answer on the test. The phrase "Identity and Access Management" aka IAM, is generally associated with OAuth, OIDC and SAML - but not RADIUS. Additionally, the requirement of SaaS integration would take RADIUS off of the table completely.

Anarckii

I agree with this. Narrowed it down to the two choices as well and RADIUS threw me off. Figured authorization (OAuth) and authentication (OpenID) would be the best choice.

BiteSize (Option: B)

Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

fb2fcb1 (Option: C)

C. OAuth and OpenID

OAuth and OpenID Connect are the most suitable options to achieve these objectives:

OAuth 2.0: It is an open-standard authorization protocol that allows third-party applications to access resources on behalf of a user without sharing their credentials. OAuth is widely used for granting permission to SaaS applications, supporting MFA, and implementing risk-based policies.

OpenID Connect (OIDC): OIDC is a simple identity layer built on top of the OAuth 2.0 protocol, allowing clients to verify the identity of the end-user. It can be used for just-in-time provisioning.

Kerberos, TACACS, and RADIUS are older protocols that lack direct support for SaaS integration and modern provisioning approaches. OTP is a type of MFA and 802.1X is a standard for network access control, both are not authentication protocols per se.

surfuganda (Option: C)

A. Kerberos and TACACS: [INCORRECT] Kerberos for on-premises auth within a domain but doesn't directly support integration with SaaS. TACACS doesn't support SaaS applications or risk-based policies based on location.

B. SAML and RADIUS: [INCORRECT] SAML supports SSO, integrating with SaaS applications and applying risk-based policies based on location. RADIUS is used for NAC but doesn't directly support integration with SaaS applications. SAML aligns with the objectives, but RADIUS doesn't.

C. OAuth and OpenID: [CORRECT] OAuth can grant access to resources, including SaaS applications, and can be used for MFA. OpenID provides SSO and user authentication, supports risk-based policies and just-in-time provisioning.

D. OTP and 802.1X: [INCORRECT] OTP supports MFA, but is not ideal for integrating with SaaS applications or just-in-time provisioning. 802.1X is used for network access control and doesn't directly support the objectives.

ElDirec (Option: C)

C. OAuth and OpenID

OAuth (Open Authorization) and OpenID are modern, open-standard protocols that provide secure delegated access. They're widely used for single sign-on (SSO) and identity federation.

OAuth is a protocol that allows an application to authenticate against a server as a user, without requiring passwords or tokens to be passed to the application itself. This is particularly useful for SaaS applications.

OpenID Connect (an extension of OAuth) is a protocol that allows clients to verify the identity of an end-user based on the authentication performed by an authorization server.

Both OAuth and OpenID support just-in-time provisioning, which is the ability to create a user account within an application at the time of authentication.
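The ID-token verification and just-in-time provisioning described in the comment above, as an added example that is not part of the original thread. It assumes HS256 signing with a shared client secret so that it runs on the standard library alone (many identity providers sign with RS256 and published keys instead); the issuer, client ID, secret and the helper names are hypothetical.

```python
import base64, hashlib, hmac, json, time

# All values are constructed for this example (hypothetical issuer, client, secret).
ISSUER = "https://idp.example.com"
CLIENT_ID = "saas-app-1"
CLIENT_SECRET = b"constructed-demo-secret"
USERS = {}  # the application's local account store, keyed by (iss, sub)

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_id_token(claims, secret=CLIENT_SECRET):
    """Stand-in for the identity provider: issue an HS256-signed ID token."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate_id_token(token, nonce, now=None):
    """Relying-party checks: signature first, then iss, aud, exp, nonce, amr."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, do not trust the header
    expected = hmac.new(CLIENT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")  # token was not issued for this login attempt
    if "mfa" not in claims.get("amr", []):
        raise ValueError("MFA not performed")  # amr lists the authentication methods used
    return claims

def login(token, nonce, now=None):
    """Just-in-time provisioning: create the account on first valid sign-in."""
    claims = validate_id_token(token, nonce, now)
    key = (claims["iss"], claims["sub"])
    created = key not in USERS
    if created:
        USERS[key] = {"email": claims.get("email"), "created_at": claims["iat"]}
    return USERS[key], created
```

The account is keyed on the issuer and subject pair rather than on the e-mail address, so a different issuer asserting the same address cannot sign in to an existing account.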

Kabbath1986 (Option: C)

C. OAuth and OpenID

Explanation:

OAuth (Open Authorization) is commonly used for authorization and delegated access. It is suitable for scenarios where a user wants to grant a third-party application limited access to their resources without sharing their credentials. OAuth is often used in conjunction with OpenID Connect (OIDC) for authentication.

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. It provides an authentication layer, allowing clients to verify the identity of end-users based on the authentication performed by an authorization server.

hb0011 (Option: C)

OAuth and OpenID

OdinAtlasSteel (Option: C)

While B is a valid answer, the MOST correct answer is C. According to ChatGPT, OAuth/OpenID is considered a more versatile and modern solution.

Toonce72 (Option: C)

Two popular authentication protocols for SaaS applications are OAuth and OpenID Connect (OIDC).

Mr214 (Option: C)

OAuth and OpenID is the only widely supported method for SaaS

lifeblood12005 (Option: B)

The correct answer is: SAML and RADIUS

Kabbath1986 (Option: C)

To support the specified objectives, the organization should implement the following authentication protocols:

C. OAuth and OpenID

Explanation:

OAuth: OAuth is commonly used for delegated authorization and is suitable for integrating with SaaS applications. It allows secure access to resources without sharing the user's credentials.

OpenID: OpenID is an authentication protocol that enables single sign-on (SSO) and is often used in conjunction with OAuth for user authentication. It is useful for improving the user experience by providing seamless access to multiple applications.

This combination of OAuth and OpenID can help achieve multi-factor authentication (MFA), integrate with SaaS applications, and enhance the overall user experience.

Delab202 (Option: C)

The organization's objectives involve supporting multi-factor authentication (MFA), integrating with SaaS applications, applying risk-based policies, and performing just-in-time provisioning. The most suitable authentication protocols for these requirements are:

C. OAuth and OpenID

Explanation:

OAuth (Open Authorization): OAuth is commonly used for authorization and enables secure API authorization flows, making it suitable for integrating with SaaS applications. It allows users to grant third-party applications limited access to their resources without sharing their credentials.

OpenID: OpenID is an authentication protocol built on top of OAuth. It allows users to authenticate on one website and share their identity securely with other websites without the need to expose credentials. OpenID is beneficial for improving the user experience by enabling single sign-on (SSO) and supporting just-in-time provisioning.