Federated identity and Single Sign-On (SSO) are mechanisms that allow a single authentication event to provide access to multiple systems. SSO reuses one authentication across systems within an organisation; federation extends the same idea across organisational or security domains by having one party (the identity provider) authenticate the user and other parties (service providers or relying parties) trust its assertions. The CISSP exam tests these topics extensively in Domain 5 because they represent the practical implementation of identity management in modern enterprise and cloud environments. The specific protocols — SAML, OAuth, OpenID Connect, and Kerberos — each have distinct roles and the exam tests whether candidates can distinguish between them.
Single Sign-On: Benefits and Risks
SSO allows a user to authenticate once and gain access to multiple systems without re-authenticating for each one. From a user experience perspective, SSO dramatically reduces authentication friction. From a security perspective, it reduces the number of credentials that must be managed and discourages password reuse, because the user has one strong credential instead of many weak ones.
SSO benefits: users need fewer passwords (reducing password fatigue and reuse), administrators can revoke access from a single point (disabling the SSO account removes access to all integrated systems), and audit trails for access can be centralised.
SSO risks: the SSO system is a critical single point of failure. If the identity provider is unavailable, all integrated systems may become inaccessible. More critically, a compromised SSO account provides access to all integrated systems simultaneously, and a compromise of the identity provider itself is worse still, since it can issue valid assertions for any user. This makes SSO accounts and the identity provider high-value targets that require strong authentication, privileged access management, and careful session management (short session lifetimes and revocation that propagates to the integrated systems).
For the exam: SSO's security risk is that a single compromised account grants access to all integrated systems. The answer to mitigating this risk is strong MFA on the SSO account, not abandoning SSO.
SAML 2.0: Web-Based Federated Authentication
Security Assertion Markup Language (SAML) 2.0 is an XML-based standard for exchanging authentication and authorisation data between an Identity Provider (IdP) and a Service Provider (SP). It is the dominant standard for browser-based enterprise SSO.
SAML roles: the Identity Provider authenticates the user and issues digitally signed assertions. The Service Provider hosts the application; it verifies the IdP's signature on each assertion and, if the assertion's conditions are satisfied (it was issued by the trusted IdP, it is addressed to this SP, and it is still within its validity window), trusts its contents. The user (principal) is the person who authenticates.
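The Service Provider's side of the trust relationship is where SAML deployments most often go wrong, so the following added example (written for this page, not code from the original or from any SAML library) shows the assertion-level checks an SP must make after the XMLDSig signature has been verified: issuer, validity window, audience restriction, bearer subject-confirmation recipient, and replay of the assertion ID. The sample assertion, the IdP and SP entity IDs, and the ACS URL are all constructed for the example; signature verification itself is assumed to have been done by an XMLDSig library beforehand and is not implemented here.

```python
"""Service-Provider-side checks on a SAML 2.0 assertion (added example).

Assumes the XMLDSig signature over the assertion has already been verified
against the IdP's metadata certificate; these checks are meaningless otherwise.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Hypothetical identifiers for this example's IdP and SP.
TRUSTED_IDP = "https://idp.example.com/metadata"
SP_ENTITY_ID = "https://sp.example.org/metadata"
SP_ACS_URL = "https://sp.example.org/saml/acs"

# Constructed sample assertion (not real IdP output; ds:Signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/saml/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when an assertion fails a Service Provider check."""


def _ts(value):
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, seen_ids, trusted_issuer=TRUSTED_IDP,
                       sp_entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL,
                       skew=timedelta(seconds=60)):
    """Apply the SP-side checks and return the asserted NameID, or raise."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionRejected("root element is not saml:Assertion")

    # 1. Issuer must be the IdP this SP is configured to trust.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != trusted_issuer:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")

    # 2. Validity window, with a small allowance for clock skew.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing saml:Conditions")
    if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        raise AssertionRejected("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion expired")

    # 3. Audience: an assertion the same IdP signed for a different SP is refused.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        raise AssertionRejected(f"audience {audiences} does not include this SP")

    # 4. Bearer confirmation: Recipient must be our ACS endpoint and still be live.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise AssertionRejected("subject confirmation missing or wrong Recipient")
    if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise AssertionRejected("subject confirmation expired")

    # 5. Replay protection: a bearer assertion is accepted at most once.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise AssertionRejected("assertion ID missing or already used")
    seen_ids.add(assertion_id)

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise AssertionRejected("missing NameID")
    return name_id.strip()


def demo():
    """Run the sample through the checks in several situations; return outcomes."""
    valid_now = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)
    results = {}

    def attempt(label, **kwargs):
        try:
            results[label] = validate_assertion(SAMPLE_ASSERTION, **kwargs)
        except AssertionRejected as exc:
            results[label] = f"rejected: {exc}"

    attempt("valid", now=valid_now, seen_ids=set())
    attempt("expired", now=valid_now + timedelta(minutes=10), seen_ids=set())
    attempt("wrong_audience", now=valid_now, seen_ids=set(),
            sp_entity_id="https://other.example.net/metadata")
    attempt("wrong_issuer", now=valid_now, seen_ids=set(),
            trusted_issuer="https://idp.example.net/metadata")
    replay_cache = set()
    attempt("first_use", now=valid_now, seen_ids=replay_cache)
    attempt("replay", now=valid_now, seen_ids=replay_cache)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:15} {outcome}")
```

The audience and recipient checks are the ones most often skipped in hand-rolled SPs: without them, any assertion the IdP signs for any other application in the federation can be replayed against this one. In production, parse untrusted XML with a hardened parser (defusedxml, or lxml with entity resolution disabled), keep the replay cache at least as long as the longest NotOnOrAfter, and verify the signature before any of the checks above.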