Security Architecture · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is to establish SAML federation so the SaaS application trusts the corporate identity provider. This is correct because SAML (Security Assertion Markup Language) federation enables cross-domain single sign-on by exchanging digitally signed XML assertions between the identity provider (IdP) and the service provider (SP), allowing the SaaS app to rely on the company’s existing IdP for authentication without ever storing or managing user credentials. On the Security+ SY0-701 exam, this concept tests your understanding of federated identity management and trust relationships, often appearing in scenario-based questions where you must choose between SAML, OAuth, or OpenID Connect; a common trap is confusing SAML’s role in authentication with OAuth’s role in authorization. Remember the key distinction: SAML is for federated SSO across domains using XML assertions, while OAuth is for delegated access. For a quick memory tip, think “SAML sends the SAML assertion to prove who you are, so the app trusts your company’s IdP.”

SY0-701 Security Architecture Practice Question

This SY0-701 practice question tests your understanding of security architecture. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

SaaS sign-in settings:
- Local accounts: Enabled
- SAML SSO: Disabled
- SCIM provisioning: Disabled
- Password synchronization: Disabled
Requirement: users from the acquired subsidiary must use their existing corporate identities without separate SaaS passwords.

Based on the exhibit, which integration best lets the SaaS application trust the company's existing identity provider so users can sign in with their corporate credentials?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Correct answer & explanation

Establish SAML federation so the SaaS app trusts the corporate identity provider.

SAML (Security Assertion Markup Language) federation allows the SaaS application to trust the corporate identity provider (IdP) by exchanging signed XML assertions. This enables users to authenticate against their corporate credentials without the SaaS app ever storing or managing those credentials, providing single sign-on (SSO) across domains.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Establish SAML federation so the SaaS app trusts the corporate identity provider.

    Why this is correct

    Federation lets the SaaS app accept authentication assertions from the trusted identity provider, eliminating separate passwords.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Enable password synchronization so the SaaS app stores the same password as the directory.

    Why it's wrong here

    Password synchronization still leaves the SaaS app managing credentials instead of trusting the external identity provider.

  • Create a shared local administrator account for all subsidiary users.

    Why it's wrong here

    A shared account breaks accountability and does not provide individual user authentication or centralized trust.

  • Configure MAC address filtering on company laptops to allow portal access.

    Why it's wrong here

    MAC filtering controls device access, not user authentication, and it cannot provide federated sign-in.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates confuse password synchronization (a legacy or on-premises approach) with federation (SAML), thinking that syncing passwords achieves the same 'trust' without realizing it requires the SaaS app to handle credentials directly, which is less secure and not true federation.

Detailed technical explanation

How to think about this question

SAML relies on the IdP generating a digitally signed SAML response containing the user's identity and attributes, which the service provider (SaaS app) validates using the IdP's public certificate. The SAML HTTP-POST binding is commonly used for web-based SSO, where the IdP redirects the user's browser to the SaaS app with the assertion. In real-world deployments, metadata XML files are exchanged to automate certificate and endpoint configuration, reducing manual setup errors.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security analyst at a medium-sized enterprise encounters this scenario during an investigation or architecture review. The correct answer reflects best practice for the specific threat or control described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Security exam questions test whether you can match controls to threats in context — not just recall definitions.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this SY0-701 question test?

This question tests Security Architecture. Key concept: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Establish SAML federation so the SaaS app trusts the corporate identity provider. — SAML (Security Assertion Markup Language) federation allows the SaaS application to trust the corporate identity provider (IdP) by exchanging signed XML assertions. This enables users to authenticate against their corporate credentials without the SaaS app ever storing or managing those credentials, providing single sign-on (SSO) across domains.

What should I do if I get this SY0-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

1 more way this is tested on SY0-701

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company uses a third-party expense application and wants employees to sign in with their corporate identity once, then automatically lose access in the expense app when they are terminated in the HR system. Which solution best meets both requirements?

medium
  • A. Create separate local usernames in the expense app and synchronize passwords weekly.
  • B. Implement federated single sign-on and automated user provisioning and deprovisioning.
  • C. Require a VPN connection before users can open the expense app.
  • D. Use a shared generic account for all employees and rotate the password monthly.

Why B: Federated single sign-on (SSO) allows users to authenticate once using their corporate identity (e.g., via SAML or OIDC), and automated provisioning/deprovisioning (often via SCIM) ensures that when an employee is terminated in the HR system, their access to the expense app is automatically revoked. This meets both requirements: seamless sign-in and immediate loss of access upon termination.

Last reviewed: Jun 11, 2026
