A contractor signs in to a project portal that integrates several SaaS apps. Access should be granted only while the user is on a managed device, assigned to the project, and using a fresh second factor. The business also wants the contractor to avoid separate logins to each app. Which three controls best fit this design? Select three.
Federation and SSO allow one trusted identity provider to authenticate the user once and then pass that identity to approved applications. That matches the business requirement to avoid separate logins to each SaaS app. It also centralizes authentication control so access can be revoked or adjusted from one place.
Why this answer
Option A is correct because federation or SSO lets the identity provider authenticate the user once and then issue tokens from that single session (e.g., SAML assertion or OIDC ID token) that the integrated SaaS apps accept. This eliminates the need for separate logins, directly meeting the requirement to avoid multiple authentication prompts while maintaining centralized session control.
Exam trap
The trap here is that candidates may think a shared account (Option D) simplifies revocation, but it actually destroys audit trails and fails to meet the requirements for per-user MFA and device compliance, which are essential for the described zero-trust architecture.