Authentication
Answer all questions carefully. After submission, you will see a detailed result and answer review.
Question 1
Authorization can be done only after completing the identification and authentication process.
A. FALSE
B. TRUE
Question 2
An SSO token is a master key to get access to multiple systems/applications with a "single" login. Therefore, it is very important to protect the master key from theft, spoofing, or forgery. What are the typical methods to protect an SSO token from various threats?
A. Invalidate the SSO token on server-side for subsequent use after the user logs off from any of the SSO-enabled applications/systems, that is, after Single Sign-Off.
B. Digitally sign the SSO token to protect against man-in-the-middle manipulations, and encrypt the token with a time-variant encryption key/algorithm. Exchange the token over SSL.
C. If the SSO token is being exchanged using an HTTP cookie, set the "HttpOnly" attribute of the cookie to prevent cookie access via client-side JavaScript.
D. All the above options
Question 3
In an SSO solution developed for native iOS applications, one of the secure ways to share an SSO token between multiple native iOS apps is to store the token in the device "keychain" store, accessible only to the set of applications signed by a common Apple certificate.
A. TRUE
B. FALSE
Question 4
________ refers to the validity of a claimed identity.
A. Identification
B. Authorization
C. Authentication
Question 5
What is "credential stuffing"?
A. The process where users reuse the same username/password combination across multiple sites.
B. The process where stolen account credentials (usernames and/or email addresses and the corresponding passwords), mostly from a data breach, are used to gain unauthorized access.
C. The process wherein an application stores used passwords and prevents a user from using the last three passwords used.
Question 6
Is an application required to generate a new session after authentication?
A. Mandatory if the application is deployed on multiple application servers.
B. Required
C. Not required
Question 7
What is "OAuth"?
A. Authentication with an "O".
B. An open standard that allows users to share personal resources stored on a site with another site, without having to share their credentials.
C. An open standard that allows users to securely share their credentials, typically username and password with other websites or entities.
D. None of the above options
Question 8
What does the SameSite cookie attribute help to prevent?
A. SQL injection
B. Cross-origin information leakage
C. Server misconfiguration issues
D. XSS
Question 9
A JWT contains which of the following?
A. header, payload, and signature delimited by dots (.)
B. header, footer, and signature delimited by dots (.)
C. header, signature, and footer delimited by dots (.)
Question 10
In an SSO solution, what is an identity provider?
A. A system or entity which can verify and prove identity to other systems/entities involved in the SSO mechanism. Typically, this is also the entity that generates and verifies the SSO token.
B. A system or entity which encrypts and provides the password of a user to other systems/entities involved in the SSO mechanism so that they can re-authenticate the user.
C. None of the above options