ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-On allows a trusted identity provider-such as AD FS-to issue signed authentication and attribute assertions that the SaaS provider (relying party) can validate. Because only the assertion is passed, end-user passwords never leave the corporate domain, satisfying the requirement to avoid credential storage at the provider. SAML assertions can carry attribute statements (for example, group or role claims) that the provider can consume for fine-grained authorization.

OAuth 2.0 Resource Owner Password Credentials flow requires the user's password to be shared with the client application, violating the stated constraint. OpenID Connect implicit flow would make the SaaS provider the identity provider, reversing the trust direction required. A VPN with LDAP bind simply extends the network boundary and exposes directory credentials to the external service without providing standardized federated SSO or signed attribute assertions.