Identity and Access Management Architecture: Supporting MFA, SaaS Integration, Risk-Based Policies, and Just-in-Time Provisioning

Authentication Protocols for Identity and Access Management

Question

An organization is implementing a new identity and access management architecture with the following objectives:

* Supporting MFA against on-premises infrastructure
* Improving the user experience by integrating with SaaS applications
* Applying risk-based policies based on location
* Performing just-in-time provisioning

Which of the following authentication protocols should the organization implement to support these requirements?

Answers

Explanations


A.

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory
Manage cost

Your organization may have multiple Identity Access Management (IAM) solutions in place. Migrating to one Azure AD infrastructure is an opportunity to reduce dependencies on IAM licenses (on-premises or in the cloud) and infrastructure costs. In cases where you may have already paid for Azure AD via Microsoft 365 licenses, there is no reason to pay the added cost of another IAM solution.

With Azure AD, you can reduce infrastructure costs by:
* Providing secure remote access to on-premises apps using Azure AD Application Proxy.
* Decoupling apps from the on-prem credential approach in your tenant by setting up Azure AD as the trusted universal identity provider.

Based on the given objectives, the authentication protocols that the organization should implement are:

B. SAML and RADIUS

Here is the explanation for each protocol:

  1. SAML (Security Assertion Markup Language): SAML is an XML-based protocol for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP). It allows users to authenticate with one service and access other services without authenticating again. SAML supports MFA and integrates with SaaS applications, making it an appropriate choice for the first two objectives. It also supports risk-based policies based on location and just-in-time provisioning, making it a suitable choice for the other two objectives.

  2. RADIUS (Remote Authentication Dial-In User Service): RADIUS is a client/server protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. It can provide MFA for on-premises infrastructure, which meets the first objective. It can also support risk-based policies based on location by configuring different access policies for different users and groups based on their location. Additionally, RADIUS can perform just-in-time provisioning by adding or removing users from the RADIUS server's user database as needed, making it an appropriate choice for the fourth objective.
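The just-in-time provisioning step from item 1, as an added example that is not part of the original page: a service provider validates a SAML assertion's Conditions (validity window, audience) and issuer before turning its NameID and attributes into an account record. The assertion, IdP and SP identifiers are constructed for illustration; the example assumes the XML signature has already been verified, which a real SP must do before trusting any of these values.

```python
# Added example (not from the original page): how a SAML service provider
# consumes an assertion for just-in-time provisioning. The assertion, issuer
# and SP entity ID are constructed; XML signature verification is assumed done.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.test/metadata"          # hypothetical SP
TRUSTED_IDP = "https://idp.example.test/saml"              # hypothetical IdP

# Constructed sample assertion (Signature element omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_abc123" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(s):
    """Parse a SAML UTC timestamp (xs:dateTime with trailing Z) into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def jit_provision(assertion_xml, now, trusted_issuer=TRUSTED_IDP):
    """Return the account record to create/update, or None if the assertion is rejected."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return None                      # assertion from an unexpected IdP
    cond = root.find("saml:Conditions", NS)
    # Validity window: reject expired (or replayed) and not-yet-valid assertions.
    if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
        return None
    # Audience restriction: the assertion must be addressed to this SP.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return None
    user = {"name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS), "attrs": {}}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        user["attrs"][attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return user                          # caller creates/updates the local account from this
```

The returned record is what the SP would create or update on first login; an expired assertion, a wrong audience or an untrusted issuer yields None and no account is touched.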

Therefore, option B, SAML and RADIUS, is the most appropriate answer for the given objectives.

Option A, Kerberos and TACACS, is not appropriate because Kerberos is primarily used for authentication within a Windows Active Directory domain, and TACACS is mainly used for network device access control. Neither protocol supports SaaS integration or just-in-time provisioning.

Option C, OAuth and OpenID, is not appropriate because OAuth is an authorization protocol used for granting access to resources, not for authentication. OpenID is an authentication protocol, but it is not designed to support risk-based policies based on location or just-in-time provisioning.

Option D, OTP and 802.1X, is not appropriate because OTP (One-Time Password) is a type of MFA, but it is not a protocol itself. It is used in combination with other protocols, such as RADIUS. 802.1X is a protocol used for port-based network access control and does not support SaaS integration or just-in-time provisioning.