Quiz: Identity Governance

A 26-question self-check covering directories, SSO and federation, the identity lifecycle, and access reviews. Several questions are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP — so certification candidates can self-assess. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] An XML-based open standard for exchanging signed authentication assertions between an identity provider and a service provider is: A. OAuth 2.0 B. SAML C. SCIM D. LDAP

2. [Sec+] Which protocol is an authorization framework that issues scoped access tokens, designed to let one app act on a user's behalf without sharing the user's password? A. OAuth 2.0 B. OIDC C. SAML D. Kerberos

3. OpenID Connect (OIDC) primarily provides: A. delegated authorization B. authentication (proving who the user is) C. directory replication D. password hashing

4. [Sec+] The protocol used to query and modify directory data, spoken by Active Directory among others, is: A. SCIM B. SAML C. LDAP D. RADIUS

5. An account that no longer has a valid owner or business purpose — for example, an enabled account for a person who has left the organization — is called a(n): A. service account B. orphaned account C. break-glass account D. birthright account

6. [CISSP] The accumulation of access over time as a person changes roles but never loses old entitlements is called: A. separation of duties B. privilege creep C. federation D. least privilege

7. [Sec+] The open standard for automatically provisioning and deprovisioning user accounts across systems via a REST/JSON API is: A. SAML B. SCIM C. OIDC D. LDAP

8. In the joiner-mover-leaver lifecycle, the transition that is most security-critical and most commonly botched — and the one that left Meridian's contractor account active — is the: A. joiner B. mover C. leaver D. none of these

9. [CISSP] Single sign-on concentrates authentication at one identity provider. The corresponding risk a defender must manage is that: A. users must remember more passwords B. a compromise of the IdP or an SSO session can reach everything that trusts it C. SAML cannot be signed D. it prevents the use of MFA

10. Microsoft's cloud identity service for authenticating users to SaaS apps and cloud resources (formerly Azure AD) is: A. Active Directory B. Entra ID C. LDAP D. Kerberos

11. [Sec+] The periodic process in which a manager or resource owner confirms that each person's access is still appropriate (or flags it for removal) is: A. provisioning B. access certification / access review C. federation D. authentication

12. In a hybrid environment where on-prem AD is synchronized upward to Entra ID, disabling a departing user only in Entra ID is dangerous because: A. Entra ID does not support disabling B. the next sync can re-enable the account from the authoritative on-prem source C. it deletes the user's mailbox D. it breaks Kerberos

13. [CISSP] A teller who can both initiate and approve a wire transfer holds a toxic combination that violates: A. least privilege only B. segregation (separation) of duties C. defense in depth D. federation

14. The strongest single signal that a directory account is an orphan is: A. it has a long password B. it has no corresponding record in the HR or contractor system of record C. it belongs to a manager D. it is a member of many groups


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

15. [Sec+] "A raw OAuth 2.0 access token is a reliable proof of who the user is, so it is fine to use it for login."

16. "Disabling a departed employee's account is enough; there is no security reason to prefer disabling over deleting it immediately."

17. [CISSP] "Because SSO lets users log in once and reach many apps, it makes deprovisioning harder than managing separate accounts."

18. "An access certification that comes back 100% 'keep,' completed within minutes by every manager, is strong evidence the access is correct."

19. "A SAML assertion's audience restriction and short validity window limit the damage if an assertion is captured in transit."

20. [Sec+] "Setting an expiration date on a contractor account when it is created is a fail-safe control that closes the account even if the leaver process is forgotten."


Section 3 — Fill in the blank (1 pt each)

21. In federation, the organization that vouches for the user is the _ _ (IdP); the application that trusts it is the _ _ (SP).

22. [Sec+] The three things an IAM program combines are administration (the lifecycle), _ (Chapter 16, often via SSO), and _ (reviews and certification).

23. The set of entitlements every member of a role receives automatically on joining is called __ access.


Section 4 — Short answer (2 pts each)

24. [CISSP] In two or three sentences, explain the precise difference between OAuth 2.0 and OIDC, and give one concrete example of a task each is the right tool for.

25. Explain why an orphaned account is dangerous out of proportion to its raw count. Name the three properties that make it attractive to an attacker and connect at least one of them to lateral movement.


Section 5 — Applied scenario (5 pts)

26. [Sec+] A quarterly review of Meridian's Loan-Approvers group (entitlement: approve wire disbursements) reconciles 41 members against HR, the contractor roster, and last-login data. It surfaces: two members terminated months ago but still enabled; one contractor whose engagement ended last year and who is in no roster; two members who transferred to Operations a year ago; and one teller who can also initiate disbursements. (a) Categorize each of the six problems using this chapter's vocabulary (orphan, mover/privilege creep, segregation-of-duties). (b) For the orphaned accounts, state where you disable them and why. (c) Name the root-cause control failure that produced the orphaned contractor, and the single technical control that would prevent it from recurring.


Answer Key

1. **B** — SAML is the signed-XML federation standard.
2. **A** — OAuth 2.0 is delegated authorization (scoped tokens).
3. **B** — OIDC adds an authentication (identity) layer on OAuth.
4. **C** — LDAP is the directory query/modify protocol.
5. **B** — an orphaned account has no valid owner/purpose.
6. **B** — privilege creep.
7. **B** — SCIM automates cross-system provisioning/deprovisioning.
8. **C** — the leaver transition.
9. **B** — SSO concentrates risk at the IdP; a compromised IdP/session reaches everything.
10. **B** — Entra ID (formerly Azure AD).
11. **B** — access certification / access review.
12. **B** — the sync re-enables from the authoritative on-prem source.
13. **B** — segregation/separation of duties.
14. **B** — no corresponding record in the system of record is the strongest orphan signal.
15. **F** — an access token says what the bearer may *do*, not reliably *who* the user is; inferring identity from it invites token-substitution/"confused deputy" attacks — use an OIDC ID token with a verified audience.
16. **F** — disabling (not deleting) preserves the account for forensic investigation and allows reversal of a mistaken disable.
17. **F** — SSO makes deprovisioning *easier*: disabling the one IdP identity cuts off every federated app at once.
18. **F** — a near-instant 100%-keep result is the signature of rubber-stamping, which produces an audit artifact but catches nothing.
19. **T** — the audience binds the assertion to one app and the short window makes a captured assertion expire almost immediately.
20. **T** — an expiration date is a fail-safe default that closes the account on a known date with no human action.
21. identity provider; service provider (relying party).
22. authentication; governance.
23. birthright.
24. OAuth 2.0 is *delegated authorization* — it issues a scoped, revocable access token so an app can act on the user's behalf (e.g., letting a scheduling app read your calendar without your password). OIDC is *authentication* layered on OAuth — it issues a signed ID token (JWT) proving who the user is (e.g., "sign in with your company account" so a web app knows the user's identity). One is about access, the other about identity.
25. An orphaned account is *valid* (it authenticates, defeating the front door), *unmonitored* (no one watches an account for someone who left, so misuse is invisible), and often *privileged/well-connected* (it accumulated access during the owner's tenure). Those properties make it a pre-positioned foothold: an attacker who finds one can use it for lateral movement and privilege escalation precisely because it is trusted, reaches far, and triggers no alarms.
26. (a) Two terminated employees still enabled = orphaned accounts (ex-employee); the contractor in no roster = orphaned account (contractor); the two Operations transfers = movers carrying privilege creep; the teller who can also initiate = a segregation-of-duties (toxic) combination. (b) Disable the orphaned accounts in the *authoritative source directory* (on-prem AD), so the disabled state propagates to Entra ID instead of being overwritten by the next sync. (c) Root cause: contractors had no authoritative system of record, so no leaver trigger ever fired; the single technical control that prevents recurrence is a mandatory account **expiration date** set at creation (a fail-safe default), ideally backed by a contractor roster that fires leaver triggers and SCIM-driven deprovisioning.

**Topics to review by question:** missed 1–3, 24 → §18.3 (SAML/OAuth/OIDC); 4, 10, 12 → §18.2 (directories); 5, 14, 25 → §18.5 (orphans); 6, 8, 13, 20, 23 → §18.4 (JML); 7 → §18.4 (SCIM); 9, 17 → §18.3 (SSO); 11, 18 → §18.5 (certification); 26 → §18.4–18.6 (whole-chapter application).
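The reconciliation in question 26 and the hybrid-sync trap in question 12 can be worked through in code. The script below is an added example, not part of the chapter or the quiz: it reconciles a privileged group against an HR table, a contractor roster and last-login data, labels each member with the chapter's vocabulary (orphan, mover/privilege creep, segregation of duties), and then shows why disabling an orphan only in the cloud directory does not survive the next sync. Every record (the member list, the HR table, the roster, the review date, the `Lending` department mapping) is constructed, and the 180-day stale-login threshold is an assumption.

```python
"""Access-review reconciliation and hybrid-sync check (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Toxic combination from question 13/26: initiating and approving the same disbursement.
TOXIC_PAIR = frozenset({"approve_disbursement", "initiate_disbursement"})
STALE_DAYS = 180  # assumption: supporting signal only, weaker than the system of record (question 14)


@dataclass(frozen=True)
class Member:
    user: str
    enabled: bool
    entitlements: frozenset
    last_login: Optional[date]


# --- constructed sample data -------------------------------------------------
HR = {  # system of record for employees: user -> (status, department)
    "alice": ("active", "Lending"),
    "bob": ("terminated", "Lending"),
    "carol": ("active", "Operations"),
    "dave": ("active", "Lending"),
    "erin": ("terminated", "Lending"),
    "frank": ("active", "Operations"),
}
CONTRACTOR_ROSTER = {"vendor_kim"}  # contractors with a current engagement
GROUP_DEPARTMENT = "Lending"        # department that owns the Loan-Approvers role
REVIEW_DATE = date(2024, 5, 10)

LOAN_APPROVERS = [
    Member("alice", True, frozenset({"approve_disbursement"}), date(2024, 5, 2)),
    Member("bob", True, frozenset({"approve_disbursement"}), date(2023, 9, 30)),
    Member("erin", True, frozenset({"approve_disbursement"}), None),
    Member("vendor_lee", True, frozenset({"approve_disbursement"}), date(2023, 6, 1)),
    Member("carol", True, frozenset({"approve_disbursement"}), date(2024, 4, 28)),
    Member("frank", True, frozenset({"approve_disbursement"}), date(2024, 5, 1)),
    Member("dave", True, frozenset({"approve_disbursement", "initiate_disbursement"}), date(2024, 5, 3)),
    Member("vendor_kim", True, frozenset({"approve_disbursement"}), date(2024, 5, 1)),
]


def reconcile(members, hr, roster, group_department, review_date):
    """Map each group member to a list of findings; ["keep"] when nothing is wrong."""
    findings = {}
    for m in members:
        issues = []
        if m.user in hr:
            status, department = hr[m.user]
            if status == "terminated":
                issues.append("orphan: ex-employee")
            elif department != group_department:
                issues.append("mover: privilege creep")  # transferred but kept the entitlement
        elif m.user not in roster:
            issues.append("orphan: contractor not on any roster")
        if TOXIC_PAIR <= m.entitlements:
            issues.append("segregation-of-duties violation")
        if m.last_login is None or (review_date - m.last_login).days > STALE_DAYS:
            issues.append(f"stale: no login in {STALE_DAYS} days")
        findings[m.user] = issues or ["keep"]
    return findings


def sync(on_prem, cloud):
    """One directory-sync cycle: on-prem AD is authoritative, so its enabled flag
    overwrites anything an admin changed directly in Entra ID (question 12)."""
    return {user: on_prem.get(user, enabled) for user, enabled in cloud.items()}


def disable_orphans(findings, members, where):
    """Disable every orphan in one directory ("on_prem" or "cloud"), run a sync
    cycle, and return the orphans' enabled state in the cloud directory afterwards."""
    on_prem = {m.user: m.enabled for m in members}
    cloud = dict(on_prem)  # both sides start in agreement
    orphans = [u for u, issues in findings.items() if any(i.startswith("orphan") for i in issues)]
    target = on_prem if where == "on_prem" else cloud
    for user in orphans:
        target[user] = False
    cloud = sync(on_prem, cloud)
    return {user: cloud[user] for user in orphans}


if __name__ == "__main__":
    report = reconcile(LOAN_APPROVERS, HR, CONTRACTOR_ROSTER, GROUP_DEPARTMENT, REVIEW_DATE)
    for user, issues in report.items():
        print(f"{user:12} {'; '.join(issues)}")
    print("disabled in Entra ID only, after sync:", disable_orphans(report, LOAN_APPROVERS, "cloud"))
    print("disabled in on-prem AD, after sync:   ", disable_orphans(report, LOAN_APPROVERS, "on_prem"))
```

The system-of-record checks come first and decide the category; the last-login test is appended only as a supporting signal, which matches the answer to question 14 (an account with no HR or roster record is an orphan regardless of whether it has logged in recently). Running the two `disable_orphans` calls side by side shows the point of answer 26(b): the cloud-only disable is undone by the very next sync, while the on-prem disable propagates.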