This chapter covers Federated Identity Management, a critical Security+ SY0-701 topic under Domain 4.0: Security Operations, specifically Objective 4.6: Given a scenario, implement and maintain identity and access management. Federated identity allows users to access multiple organizations' systems using a single set of credentials, reducing password fatigue and improving security. You'll learn the mechanisms, standards (SAML, OAuth, OpenID Connect), and common attacks like token theft and assertion manipulation.
Jump to a section
Imagine you're a frequent international traveler. Instead of showing your passport and answering customs questions at every country you visit, you enroll in a trusted traveler program like Global Entry. You provide your biometric data (fingerprints, photo) and background check to your home country's trusted agent (your Identity Provider, IdP). Once approved, you receive a known traveler number (a token or assertion). When you arrive in a partner country (a Relying Party, RP), you skip the long line and go to a kiosk. The kiosk scans your passport and your fingerprint, then sends a query to the home country's system (the IdP) to verify your identity and trust status. The home country responds with a digital assertion: 'This traveler is who they claim to be and is cleared for entry.' The kiosk then prints a receipt (the token) and you proceed. The partner country never sees your full background check data—they only receive the verified assertion. If the home country revokes your Global Entry status, all partner countries automatically deny your kiosk access because the assertion fails. This mirrors federated identity: the IdP authenticates you once, issues a token (SAML assertion or OIDC ID token), and multiple RPs accept that token without re-authenticating you. The RP never stores your credentials—they trust the IdP's assertion. The mechanism of token validation, trust establishment (metadata exchange), and session management maps directly to SAML, OAuth, and OpenID Connect flows.
What is Federated Identity Management?
Federated identity management (FIM) is a system that allows users to use the same digital identity across multiple organizations or domains. Instead of maintaining separate user accounts for each service, a user authenticates once with their home Identity Provider (IdP), and then accesses Service Providers (SPs) or Relying Parties (RPs) without re-entering credentials. The trust is established through a federation agreement between organizations, often governed by standards like SAML (Security Assertion Markup Language), OAuth 2.0, and OpenID Connect (OIDC).
How It Works Mechanically
The core process involves three parties: the user (principal), the IdP, and the SP. The flow typically follows these steps: 1. User attempts to access a resource on an SP (e.g., a cloud application). 2. SP redirects the user to the IdP for authentication. This may involve an HTTP redirect with a SAML authentication request or an OAuth authorization request. 3. User authenticates to the IdP (providing username/password, MFA, etc.). 4. IdP generates an assertion (SAML) or ID token (OIDC) containing claims about the user (e.g., identity, attributes, roles). The assertion is digitally signed by the IdP using its private key. 5. User is redirected back to the SP with the assertion/token. The SP validates the signature using the IdP's public key (obtained via metadata exchange) and grants access.
The key security property is that the SP never sees the user's credentials—it only receives a cryptographically verified assertion.
Key Components, Variants, and Standards
SAML 2.0 (RFC 7522): Uses XML-based assertions. Common in enterprise SSO. Ports: HTTPS (443) for binding. Assertions contain Subject, Conditions (validity window), AttributeStatement (user attributes), and AuthnStatement (authentication event). SAML supports SP-initiated and IdP-initiated SSO.
OAuth 2.0 (RFC 6749): An authorization framework, not authentication. Issues access tokens (opaque or JWT) to allow delegated access to APIs. Roles: Resource Owner (user), Client (application), Authorization Server (AS), Resource Server (RS). Grant types: Authorization Code, Implicit, Client Credentials, Resource Owner Password Credentials. OAuth 2.0 does not define user identity—it's for authorization.
OpenID Connect (OIDC) (OIDC Core 1.0): An authentication layer built on OAuth 2.0. Issues an ID Token (JWT) containing identity claims. Standard scope: openid, profile, email, etc. OIDC adds the id_token and UserInfo endpoint. Commonly used in consumer SSO (Google, Microsoft).
WS-Federation: Microsoft-centric protocol using XML and SOAP. Less common today.
Attack Vectors and Defenses
Token Theft: Attackers intercept SAML assertions or OIDC ID tokens via man-in-the-middle (MITM) or cross-site scripting (XSS). Defense: Use HTTPS everywhere, short token lifetimes, and token binding (e.g., OAuth 2.0 Token Binding RFC 8471).
Assertion Manipulation: An attacker modifies a SAML assertion (e.g., changes user role) if not signed. Defense: Always sign assertions; SP must validate signature and check conditions (NotBefore/NotOnOrAfter).
Replay Attacks: An attacker captures a valid token and reuses it. Defense: Include timestamps, nonces, and One-Time Use tokens. OIDC uses nonce parameter.
IdP Confusion: An attacker tricks the SP into accepting an assertion from a malicious IdP. Defense: SP must validate the Issuer field and use a pre-configured list of trusted IdPs.
Cross-Site Request Forgery (CSRF): In OAuth, an attacker tricks a user into authorizing a malicious client. Defense: Use state parameter (anti-CSRF token).
Real Command/Tool Examples
SAML Tracer (Browser Extension): View SAML requests/responses in plaintext. Useful for debugging.
OpenSSL for SAML signature verification:
openssl dgst -sha256 -verify idp_public.pem -signature assertion.sig assertion.xmlOIDC token validation with jose CLI:
jose jws verify -k provider_jwks.json -t id_token.jwtCommon CVE: CVE-2017-11427 (SAML XML signature wrapping in OneLogin).
Federation Protocols Comparison
SAML 2.0: Enterprise, on-prem, SOAP/HTTP redirect. Uses XML. Supports IdP/SP-initiated.
OAuth 2.0: Delegated authorization, no user identity. Uses JSON. Four grant types.
OpenID Connect: User authentication, JWT tokens. Built on OAuth 2.0. Uses id_token.
WS-Federation: Legacy, Microsoft-centric, SOAP.
Trust Establishment
Before federation, IdP and SP exchange metadata: certificates, endpoints, entity IDs. This can be manual (copying XML metadata) or dynamic (via OpenID Connect Discovery). The SP must trust the IdP's signing certificate to validate assertions.
User requests SP resource
The user attempts to access a protected resource on a Service Provider (e.g., a cloud HR application). The SP checks for an existing session. If none, the SP generates a SAML authentication request or OAuth authorization request. The request includes the SP's entity ID, the requested assertion consumer service URL, and optionally a relay state (to return the user to the original page). The SP redirects the user's browser to the IdP's SSO URL with the request as a query parameter (HTTP Redirect binding) or embedded in a form (HTTP POST binding).
IdP authenticates user
The IdP receives the request and presents a login page to the user. The user provides credentials (e.g., password + MFA). The IdP validates the credentials against its directory (e.g., Active Directory). Optionally, the IdP may check for existing session (SSO). Upon successful authentication, the IdP creates an authentication context (e.g., password-based, smart card). The IdP then generates an assertion (SAML) or ID token (OIDC) containing the user's identity and attributes. The assertion is signed with the IdP's private key and includes timestamps (NotBefore, NotOnOrAfter) and a unique ID to prevent replay.
IdP sends assertion to SP
The IdP sends the assertion back to the user's browser, typically via an HTML form auto-submission (HTTP POST binding) or redirect (HTTP Redirect binding). The assertion is base64-encoded and may be encrypted for additional confidentiality. The SP receives the assertion at its Assertion Consumer Service (ACS) URL. The SP extracts the assertion, decodes it, and validates the signature using the IdP's public key (obtained from metadata). The SP also checks the conditions: current time must be within the validity window, the audience must match the SP's entity ID, and the assertion must not have been replayed (via cache of assertion IDs).
SP grants access
After successful validation, the SP extracts user attributes (e.g., username, roles) from the assertion and creates a local session for the user. The user is then granted access to the requested resource. The SP may also map the federated identity to a local account (just-in-time provisioning). The entire process is transparent to the user after authentication. The session on the SP lasts until timeout or logout, which may trigger Single Logout (SLO) across all SPs.
Token refresh and logout
For OAuth/OIDC, the access token may have a short lifetime (e.g., 1 hour) and the client can use a refresh token to obtain a new access token without user interaction. The refresh token is long-lived and must be stored securely. Single Logout (SLO) in SAML: the user logs out from one SP, which sends a logout request to the IdP, which then broadcasts logout requests to all other SPs in the session. SLO is often not fully implemented due to complexity.
Scenario 1: SAML Assertion Replay Attack
A SOC analyst detects multiple failed logins from the same IP but with different SAML assertions. The SIEM shows repeated use of the same assertion ID within a short time. The analyst uses SAML Tracer to capture the assertion and sees the same AssertionID repeated. The correct response: configure the SP to cache assertion IDs and reject duplicates. The analyst also recommends reducing assertion lifetime to 5 minutes and enabling OneTimeUse condition. Common mistake: focusing on blocking the IP rather than fixing the replay vulnerability.
Scenario 2: OIDC Token Theft via XSS
A web application stores the OIDC ID token in localStorage. An XSS vulnerability allows an attacker to exfiltrate the token. The attacker uses the token to access the UserInfo endpoint and impersonate the user. The SOC engineer sees a login from a new device without MFA. The correct response: patch XSS, use HttpOnly cookies for tokens, implement token binding (DPoP), and rotate tokens on each request. Common mistake: blaming the IdP for weak authentication.
Scenario 3: IdP Confusion Attack
An attacker registers a malicious IdP and tricks an SP into accepting its assertions. The SP's metadata only includes the legitimate IdP, but the attacker's assertion has a spoofed Issuer field. The SP fails to validate the Issuer against the trusted list. The SOC analyst sees successful logins from unknown users. The correct response: configure the SP to strictly validate the Issuer against a whitelist and use signed metadata. Common mistake: assuming that signature validation alone prevents this attack.
What SY0-701 Tests on This Objective
Objective 4.6 requires you to implement and maintain identity and access management, including federated identity. The exam focuses on:
Distinguishing between SAML, OAuth, and OpenID Connect.
Understanding the flow: user -> SP -> IdP -> token -> SP.
Identifying common attacks: token theft, replay, assertion manipulation, IdP confusion.
Knowing that SAML is for SSO (authentication + attributes), OAuth is for delegated authorization, and OIDC is for authentication (built on OAuth).
Recognizing that federation reduces password fatigue but introduces trust dependencies.
Common Wrong Answers and Why
'OAuth 2.0 is for authentication.' Wrong: OAuth 2.0 is for authorization only. Candidates confuse it because OIDC uses OAuth 2.0 for authentication.
'SAML uses JSON.' Wrong: SAML uses XML. OIDC uses JSON (JWT). Candidates often mix formats.
'The SP stores the user's password.' Wrong: In federation, the SP never sees credentials; only the IdP authenticates.
'WS-Federation is the modern standard.' Wrong: WS-Federation is legacy; SAML and OIDC are modern.
Specific Terms and Values
Assertion: SAML term for identity data.
ID Token: OIDC term for identity data (JWT).
Access Token: OAuth term for authorization.
Entity ID: Unique identifier for IdP/SP in SAML.
Issuer: The entity that issued the assertion/token.
Audience: Intended recipient of the token.
Nonce: Replay prevention in OIDC.
State: CSRF protection in OAuth.
SAML bindings: HTTP Redirect, HTTP POST, Artifact.
OAuth grant types: Authorization Code, Implicit, Client Credentials, ROPC.
Trick Questions
Question asks about 'federated identity' but gives scenario of social login (which is OIDC). Answer is OpenID Connect, not SAML.
Question describes 'delegated access to API' — answer is OAuth, not SAML.
Question mentions 'single sign-on across multiple organizations' — answer is SAML or OIDC, but if XML is mentioned, it's SAML.
Decision Rule
If the scenario involves authentication and identity transfer (user logs in once and accesses multiple apps) → SAML or OIDC. If it involves delegated access (app accessing user's data) → OAuth. If the scenario mentions XML → SAML. If it mentions JWT → OIDC. If it mentions Microsoft → could be WS-Federation or SAML.
Federated identity allows users to authenticate once with an IdP and access multiple SPs without re-entering credentials.
SAML 2.0 uses XML assertions and is common in enterprise SSO; it requires signature validation and condition checks.
OpenID Connect (OIDC) is built on OAuth 2.0 and uses JWT ID tokens for authentication.
OAuth 2.0 is for authorization only; it does not provide user identity.
Common attacks: token theft, assertion manipulation, replay, IdP confusion.
Defenses: HTTPS, short token lifetimes, signature validation, nonce/state parameters, token binding.
The SP must validate the Issuer, Audience, timestamps, and signature of the assertion/token.
SAML uses HTTP Redirect and HTTP POST bindings; OIDC uses REST endpoints.
Federation reduces password fatigue but creates a single point of failure at the IdP.
WS-Federation is legacy; SAML and OIDC are the primary modern standards.
These come up on the exam all the time. Here's how to tell them apart.
SAML 2.0
Uses XML for assertions
Common in enterprise on-premises SSO
Heavier protocol; uses HTTP POST/Redirect bindings
Supports both authentication and attribute exchange
More complex to implement; mature
OpenID Connect (OIDC)
Uses JSON (JWT) for ID tokens
Common in consumer and modern cloud SSO
Lighter; uses REST APIs and JSON
Built on OAuth 2.0; focuses on authentication
Simpler to implement; growing adoption
OAuth 2.0
Authorization only; no user identity
Issues access tokens (opaque or JWT)
Does not define user info format
Used for delegated access to APIs
Grant types: Auth Code, Implicit, Client Credentials, ROPC
OpenID Connect (OIDC)
Authentication on top of OAuth 2.0
Issues ID token (JWT) plus access token
Defines UserInfo endpoint and standard claims
Used for SSO and identity verification
Adds 'openid' scope and nonce parameter
Mistake
Federation means the IdP shares the user's password with the SP.
Correct
The IdP never shares the password. It only sends an assertion/token that proves authentication. The SP trusts the IdP's assertion without seeing credentials.
Mistake
OAuth 2.0 is an authentication protocol.
Correct
OAuth 2.0 is an authorization framework. It issues access tokens for delegated access, not identity. OpenID Connect adds authentication on top of OAuth 2.0.
Mistake
SAML assertions are always encrypted.
Correct
SAML assertions are typically signed but not necessarily encrypted. Encryption is optional and adds confidentiality. The exam may test that signing is mandatory for integrity.
Mistake
Federation eliminates all password-related risks.
Correct
Federation reduces password fatigue but introduces new risks: single point of failure (IdP compromise), token theft, and trust issues. Strong MFA at the IdP is critical.
Mistake
WS-Federation is the most widely used federation standard.
Correct
WS-Federation is legacy and mostly used in Microsoft-centric environments. SAML 2.0 and OpenID Connect are the modern, widely adopted standards.
SAML uses XML assertions and is older, heavier, and common in enterprise on-premises SSO. OpenID Connect uses JSON (JWT) and is newer, lighter, and common in cloud and consumer SSO. Both provide authentication, but OIDC is built on OAuth 2.0 and is simpler to implement. For the exam, remember that SAML = XML, OIDC = JSON/JWT.
The SP checks the signature using the IdP's public key (from metadata), verifies the Issuer matches a trusted IdP, ensures the current time is within NotBefore and NotOnOrAfter, checks that the Audience includes the SP's entity ID, and optionally checks for replay using the AssertionID. The SP may also decrypt the assertion if encrypted.
The 'state' parameter is used to prevent Cross-Site Request Forgery (CSRF) attacks. The client generates a random value and includes it in the authorization request. The authorization server returns the same value in the redirect. The client verifies that the returned state matches the original. Without it, an attacker could trick a user into authorizing a malicious client.
No, OAuth 2.0 is an authorization framework, not an authentication protocol. It does not define how to verify user identity. OpenID Connect extends OAuth 2.0 with an ID token that contains identity claims. Using OAuth alone for authentication is insecure and not recommended.
A common attack is assertion manipulation, where an attacker modifies the assertion (e.g., changes user role) before it reaches the SP. Prevention: the IdP must digitally sign the assertion, and the SP must validate the signature. Another attack is replay; prevention: use short assertion lifetimes and cache assertion IDs to detect duplicates.
The Identity Provider (IdP) is the trusted entity that authenticates users and issues assertions/tokens to Service Providers. The IdP manages user credentials and attributes, and is responsible for authentication, MFA, and session management. The SP relies on the IdP's assertion to grant access without re-authentication.
JIT provisioning is when a Service Provider automatically creates a local user account based on the attributes received in the SAML assertion or OIDC ID token. This eliminates the need for manual account creation. The account may be temporary or permanent. This is common in cloud applications like Salesforce or Office 365.
You've just covered Federated Identity Management — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?