The answer is to establish SAML federation so the SaaS application trusts the corporate identity provider. This is correct because SAML (Security Assertion Markup Language) federation enables cross-domain single sign-on by exchanging digitally signed XML assertions between the identity provider (IdP) and the service provider (SP), allowing the SaaS app to rely on the company’s existing IdP for authentication without ever storing or managing user credentials. On the Security+ SY0-701 exam, this concept tests your understanding of federated identity management and trust relationships, often appearing in scenario-based questions where you must choose between SAML, OAuth, or OpenID Connect; a common trap is confusing SAML’s role in authentication with OAuth’s role in authorization. Remember the key distinction: SAML is for federated SSO across domains using XML assertions, while OAuth is for delegated access. For a quick memory tip, think “SAML sends the SAML assertion to prove who you are, so the app trusts your company’s IdP.”
SY0-701 Security Architecture Practice Question
This SY0-701 practice question tests your understanding of security architecture. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
SaaS sign-in settings:
- Local accounts: Enabled
- SAML SSO: Disabled
- SCIM provisioning: Disabled
- Password synchronization: Disabled
Requirement: users from the acquired subsidiary must use their existing corporate identities without separate SaaS passwords.
Based on the exhibit, which integration best lets the SaaS application trust the company's existing identity provider so users can sign in with their corporate credentials?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "best"
Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
A
Establish SAML federation so the SaaS app trusts the corporate identity provider.
Federation lets the SaaS app accept authentication assertions from the trusted identity provider, eliminating separate passwords.
B
Enable password synchronization so the SaaS app stores the same password as the directory.
Why wrong: Password synchronization still leaves the SaaS app managing credentials instead of trusting the external identity provider.
C
Create a shared local administrator account for all subsidiary users.
Why wrong: A shared account breaks accountability and does not provide individual user authentication or centralized trust.
D
Configure MAC address filtering on company laptops to allow portal access.
Why wrong: MAC filtering controls device access, not user authentication, and it cannot provide federated sign-in.
Correct answer & explanation
✓
Establish SAML federation so the SaaS app trusts the corporate identity provider.
SAML (Security Assertion Markup Language) federation allows the SaaS application to trust the corporate identity provider (IdP) by exchanging signed XML assertions. This enables users to authenticate against their corporate credentials without the SaaS app ever storing or managing those credentials, providing single sign-on (SSO) across domains.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
Establish SAML federation so the SaaS app trusts the corporate identity provider.
Why this is correct
Federation lets the SaaS app accept authentication assertions from the trusted identity provider, eliminating separate passwords.
Clue confirmation
The clue word "best" in the question points toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
✗
Enable password synchronization so the SaaS app stores the same password as the directory.
Why it's wrong here
Password synchronization still leaves the SaaS app managing credentials instead of trusting the external identity provider.
✗
Create a shared local administrator account for all subsidiary users.
Why it's wrong here
A shared account breaks accountability and does not provide individual user authentication or centralized trust.
✗
Configure MAC address filtering on company laptops to allow portal access.
Why it's wrong here
MAC filtering controls device access, not user authentication, and it cannot provide federated sign-in.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates confuse password synchronization (a legacy or on-premises approach) with federation (SAML), thinking that syncing passwords achieves the same 'trust' without realizing it requires the SaaS app to handle credentials directly, which is less secure and not true federation.
Detailed technical explanation
How to think about this question
SAML relies on the IdP generating a digitally signed SAML response containing the user's identity and attributes, which the service provider (SaaS app) validates using the IdP's public certificate. The SAML HTTP-POST binding is commonly used for web-based SSO, where the IdP redirects the user's browser to the SaaS app with the assertion. In real-world deployments, metadata XML files are exchanged to automate certificate and endpoint configuration, reducing manual setup errors.
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A security analyst at a medium-sized enterprise encounters this scenario during an investigation or architecture review. The correct answer reflects best practice for the specific threat or control described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Security exam questions test whether you can match controls to threats in context — not just recall definitions.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this SY0-701 question in full detail.
Security Architecture: this question tests Security Architecture. Read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Establish SAML federation so the SaaS app trusts the corporate identity provider. — SAML (Security Assertion Markup Language) federation allows the SaaS application to trust the corporate identity provider (IdP) by exchanging signed XML assertions. This enables users to authenticate against their corporate credentials without the SaaS app ever storing or managing those credentials, providing single sign-on (SSO) across domains.
What should I do if I get this SY0-701 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A company uses a third-party expense application and wants employees to sign in with their corporate identity once, then automatically lose access in the expense app when they are terminated in the HR system. Which solution best meets both requirements?
medium
A. Create separate local usernames in the expense app and synchronize passwords weekly.
✓ B. Implement federated single sign-on and automated user provisioning and deprovisioning.
C. Require a VPN connection before users can open the expense app.
D. Use a shared generic account for all employees and rotate the password monthly.
Why B: Federated single sign-on (SSO) allows users to authenticate once using their corporate identity (e.g., via SAML or OIDC), and automated provisioning/deprovisioning (often via SCIM) ensures that when an employee is terminated in the HR system, their access to the expense app is automatically revoked. This meets both requirements: seamless sign-in and immediate loss of access upon termination.
Last reviewed: Jun 11, 2026
This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.