Auth

Question 1

When was the original publication of OAuth 2.0?

Answer 1

2012

Question 2

RFC# for Oauth 2.0 original publication

Answer 2

6749

Question 3

RFC 8252

Answer 3

Oauth 2.0 for Native Apps

Question 4

RFC 7636

Answer 4

Proof Key for Code Exchange

Question 5

RFC 6750

Answer 5

Bearer Tokens

Question 6

RFC 6819

Answer 6

Threat Model and Security Considerations

Question 7

RFC 7662

Answer 7

Token Introspection

Question 8

RFC 7009

Answer 8

Token Revocation

Question 9

RFC 7519

Answer 9

JSON Web Token

Question 10

RFC 8414

Answer 10

Authorization Server Metadata

Question 11

RFC 7591

Answer 11

Dynamic Client Registration

Question 12

SCIM

Answer 12

System for Cross-domain Identity Management

Question 13

RFC 7644

Answer 13

Defines SCIM

Question 14

layman definition of shibboleth

Answer 14

any custom or tradition, usually a choice of phrasing or even a single word, that distinguishes one group of people from another.

Question 15

LDAP

Answer 15

Lightweight Directory Access Protocol

Question 16

Lightweight Directory Access Protocol

Answer 16

an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network

Question 17

RFC 4511

Answer 17

LDAP

Question 18

IdM

Answer 18

Identity Management

Question 19

IAM

Answer 19

Identity and Access Management

Question 20

When was SCIM 1.0 released?

Answer 20

2011

Question 21

When was SCIM 2.0 released?

Answer 21

2015

Question 22

SCIM use case example

Answer 22

as a company onboards new employees and separates from existing employees, they are added and removed from the company’s electronic employee directory. SCIM could be used to automatically add/delete (or, provision/de-provision) accounts for those users in external systems such as G Suite, Office 365, or Salesforce.com. Then, a new user account would exist in the external systems for each new employee, and the user accounts for former employees might no longer exist in those systems.

Question 23

In addition to simple user-record management (creating & deleting), SCIM can also be used to

Answer 23

In addition to simple user-record management (creating & deleting), SCIM can also be used to

Question 24

SCIM’s other RFC

Answer 24

7643

Question 25

What is Shibboleth Single Sign-On and Federating Software

Answer 25

a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

Question 26

SAML

Answer 26

Security Assertion Markup Language

Question 27

Security Assertion Markup Language

Answer 27

an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

Question 28

Security Assertion Markup Language ( other definition)

Answer 28

an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP).

Question 29

when was the SAML 1.0 spec created?

Answer 29

Nov 2002

Question 30

The three main players in SAML

Answer 30

Service Provider, Client, and Identity Provider

Question 31

What is a SAML Service Provider called in Oauth2?

Answer 31

Resource Server

Question 32

What is a SAML Identity Provider called in Oauth2?

Answer 32

Authorization Server

Question 33

What is the high level structure of a SAML Assertion?

Answer 33

just an XML node with certain elements

Question 34

The most common SAML flow

Answer 34

Question 35

principal

Answer 35

the user trying to authenticate. You can think of this as the actual human behind the screen

Question 36

Service provider

Answer 36

the services that are requesting authentication and identity information about the principal

Question 37

What does SAML use to sign requests?

Answer 37

XMLDSIG

Question 38

What are the two types of flows SAML supports?

Answer 38

those initiated by the service provider and those initiated by the identity provider

Question 39

XMLDSIG

Answer 39

XML Digital Signatures

Question 40

SP-initiated flow

Answer 40

Service Provider initiated SAML flow

Question 41

Bindings

Answer 41

the format in which data is transferred between service providers and identity providers in SAML

Question 42

most popular SAML bindings

Answer 42

HTTP Redirect Binding and HTTP POST Binding

Question 43

in SAML, HTTP Redirect Bindings transfer data using what?

Answer 43

HTTP redirects and query parameters

Question 45

In SAML, HTTP POST bindings transfer data using what?

Answer 45

HTTP POST forms

Question 46

In SAML, HTTP Redirect Bindings are typically used in what?

Answer 46

authentication requests

Question 47

In SAML, HTTP Post Bindings are typically used in what?

Answer 47

authentication responses

Question 48

Assertions

Answer 48

statements made by the identity provider about the principal.

Question 49

What are some examples of SAML assertions?

Answer 49

the principal’s email address and/or groups/roles the principal may be associated with

Question 50

Assertions are used by _____ to _____

Answer 50

the service provider; to create and configure sessions for a principal.

Question 51

SPML

Answer 51

Service Provisioning Markup Language

Question 52

Step A of typical SAML 2.0 flow

Answer 52

Question 53

Typical step B of SAML 2.0 flow

Question 54

How do you make a Grant sort of equivalent to an Authorization Code Flow?

Answer 54

use Authorization Code Grant option and scope=”openid profile”

Question 55

AuthN

Answer 55

short for Authentication

Question 56

AuthZ

Answer 56

short for Authorization

Question 57

OAuth is short for

Answer 57

OpenAuthentication

Question 58

A SAML service provider manages an _____________endpoint[OS 2] that receives authentication assertions from identity providers

Answer 58

Assertion Consumer Service

Question 59

The entity descriptor for a SAML Service Provider contains an ________ element

Answer 59

< md:SPSSODescriptor > md: SPSSODescriptor>

Question 60

the entity descriptor of a SAML Service Provider Metadata document contains at least one _______ endpoint

Answer 60

< md:AssertionConsumerService >

Question 61

the root element of a SAML Service Provider metadata document

Answer 61

< md:EntityDescriptor >

Question 62

in an RBAC system, an authenticated user usually has what principals?

Answer 62

userId and roleId

Question 63

from the perspective of authorization, what is the difference between principles and subjects?

Answer 63

principals are the actual entities for which access is allowed or disallowed. Subject is just a user/thread/process that holds some principals.

Question 64

ADFS

Answer 64

Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by Microsoft

Question 65

TIER

Answer 65

trust-identity-education-research

Question 66

WSGI

Answer 66

Web Server Gateway Interface

Question 67

Web Server Gateway Interface

Answer 67

It is a specification that describes how a web server communicates with web applications, and how web applications can be chained together to process one request. WSGI is a Python standard described in detail in PEP 3333.

Question 68

What is the difference between a certificate and a key with respect to SSL?

Answer 68

A certificate contains a public key.

The certificate, in addition to containing the public key, contains additional information such as issuer, what the certificate is supposed to be used for, and other types of metadata.

Typically, a certificate is itself signed by a certificate authority (CA) using CA’s private key. This verifies the authenticity of the certificate.

Question 69

CA

Answer 69

Certificate Authoriy

Question 70

How many root certificates do browsers come preinstalled with?

Answer 70

100-300, as of 2020

Question 71

certificate authority

Answer 71

an entity that issues digital certificates

Question 72

What does a digital certificate do?

Answer 72

certifies the ownership of a public key by the named subject of the certificate

Question 73

What are the two most common ways CAs authenticate the recipient of a certifcate (e.g. the owner of a domain)?

Answer 73

domain validation and extended validation

Question 74

CSR

Answer 74

Certificate Signing Request

Question 75

Certificate Signing Request

Answer 75

a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate

Question 76

How to generate a private key with openssl

Answer 76

openssl genrsa -des3 -out private_key.pem 2048

Question 77

What does the -des3 flag in “openssl genrsa -des3 -out private_key.pem 2048” do?

Answer 77

It brings up a prompt for you to encrypt the private key with a password. -des3 means that it will encrypt the private key with the DES3 cipher

Question 78

how to create a certificate signing request using openssl

Answer 78

openssl.exe req -new -key yourcertname.key -out yourcertname.csr

Question 79

create openssl cert given key and csr

Answer 79

openssl req -x509 -sha256 -days 365 -key frontend.key -in frontend.csr -out frontend.crt