To prevent a third party from identifying a specific user as having previously accessed a service
provider through an SSO operation, SAML uses which of the following?
A. Transient identifiers
B. SOAP calls
C. Discovery profiles
D. Security bindings
In an SSO operation using SAML, what is the transient identifier designed to prevent?
A. a third party from identifying a specific user as having previously accessed a service provider
B. a third party from capturing data en route
C. the identity provider from creating multiple IDs
D. the service provider from performing multiple authentications
Answer: A
Explanation: To prevent a third party from identifying a specific user as having previously accessed a service provider through an SSO operation, SAML uses transient identifiers (only valid for a single login session) that will be different each time the user authenticates again but will stay the same as long as the user is authenticated.
SAML entities can operate in a variety of different roles. Valid SAML roles include which of the
following?
A. Attribute authority and certificate authority
B. Certificate authority and attribute requestor
C. Identity provider and service provider
D. Service provider and administrator
--------
The weakness in the SAML identity chain is the integrity of users. To mitigate risk, SAML systems need to use timed sessions, HTTPS, and SSL/TLS.
----------------------
Fiddler
The most important tool for troubleshooting ADFS is a free one called Fiddler. Fiddler is an HTTP proxy that allows you to look at the HTTP traffic in a friendly GUI. If you’ve used Wireshark or Netmon before for network tracing, you can think of Fiddler as an application-layer version of those tools. Get a copy of Fiddler and install it on your workstation. Next, go to this link and install the add-ons for Fiddler that enable you to easily work with HTML, XML, and so forth.
Download the Fiddler federation inspector from this site. This add-on will enable Fiddler to decode WS-Federation and SAML markup. Extract the .zip file and browse to the bin\Debug folder. Copy Thinktecture.FederationInspector.dll to C:\Program Files (x86)\Fiddler2\Inspectors, or to the Inspectors folder wherever you installed Fiddler on your machine.
To look at encrypted ADFS traffic, you’ll need to configure Fiddler to intercept HTTPS traffic. To do this, launch Fiddler and go to Tools→Fiddler Options. On the HTTPS tab, check “Capture HTTPS CONNECTs” and “Decrypt HTTPS traffic.” Next, you will be prompted to generate a certificate that Fiddler uses to intercept SSL traffic and to configure Windows to trust the certificate. You’ll receive another confirmation to import the certificate and then a final confirmation after a User Account Control (UAC) prompt. Answer Yes to all of these prompts.
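Added example (not from the original post, Fiddler, or ADFS): Python code that decodes the SAMLResponse form field of a captured HTTP-POST, the kind of SAML markup the federation inspector displays, and then checks the transient-identifier property from the explanation above, namely that a transient NameID never reappears in a different login session. The sample responses are constructed and unsigned, the function names are hypothetical, and treating SessionIndex as the login-session marker is an assumption.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def build_post_body(name_id, session_index, fmt=TRANSIENT):
    """Constructed sample: minimal unsigned SAMLResponse as an HTTP-POST form body."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<saml:Assertion><saml:Subject>'
           f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
           f'</saml:Subject><saml:AuthnStatement SessionIndex="{session_index}"/>'
           f'</saml:Assertion></samlp:Response>')
    encoded = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    return urllib.parse.urlencode({"SAMLResponse": encoded, "RelayState": "demo"})


def decode_post_body(body):
    """Return (NameID Format, NameID value, SessionIndex) from a captured form body."""
    fields = urllib.parse.parse_qs(body)
    xml = base64.b64decode(fields["SAMLResponse"][0])
    # Input here is your own capture; use defusedxml for XML you do not trust.
    root = ET.fromstring(xml)
    name_id = root.find(".//saml:NameID", NS)
    statement = root.find(".//saml:AuthnStatement", NS)
    if name_id is None or statement is None:
        raise ValueError("no NameID/AuthnStatement (assertion may be encrypted)")
    return name_id.get("Format"), (name_id.text or "").strip(), statement.get("SessionIndex")


def linkable_name_ids(bodies):
    """Transient NameID values seen under more than one SessionIndex.

    Assumption: SessionIndex marks one login session at the identity provider.
    """
    sessions_by_id = {}
    for body in bodies:
        fmt, value, session = decode_post_body(body)
        if fmt == TRANSIENT:  # persistent identifiers are reused by design
            sessions_by_id.setdefault(value, set()).add(session)
    return sorted(v for v, s in sessions_by_id.items() if len(s) > 1)
```

An empty result from linkable_name_ids means every transient identifier stayed within a single session; any value it returns is one a third party could use to link two separate logins.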