Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.3. Federated Identity and SSO

💡 First Principle: Authentication and authorization establish who can access what. Accountability creates the audit record proving what they actually did. Without accountability, there is no way to investigate incidents, prove compliance, or detect insider threats. Accountability requires: individual identity (no shared accounts), complete logging of security-relevant actions, and tamper-evident log storage.

Session management carries an authentication decision forward as an ongoing authorized context. A session is the server-side record of a continuous authenticated context, and managing that record (regenerating the session identifier at login, idle and absolute timeouts, reauthentication triggers for sensitive actions, termination on logout) is the control that prevents session-based attacks such as hijacking, fixation, and replay of a stale or stolen session.
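The controls named above, as an added example (not the page's own code): a minimal server-side session store in Python that regenerates the ID at login, enforces idle and absolute timeouts, binds the session to observed client attributes, and tracks a reauthentication window for sensitive actions. The timeout values, the fingerprint scheme, and the injectable clock are assumptions for illustration.

```python
"""Session lifecycle controls: regenerate the ID at login (defeats fixation),
idle and absolute timeouts, bind the session to the client, and require fresh
authentication for sensitive actions. Timeout values are illustrative assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard ceiling regardless of activity
REAUTH_WINDOW = 5 * 60       # sensitive actions need a credential within 5 min


def client_fingerprint(ip: str, user_agent: str) -> str:
    # Binding material derived from what the server observes. This is a
    # heuristic (proxies and roaming clients change it), not a proof of
    # possession; it raises the bar for replaying a stolen session ID.
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: Optional[str]      # None until authenticated
    fingerprint: str
    created: float
    last_seen: float
    last_auth: Optional[float] = None


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock    # injectable so timeouts can be exercised offline
        self.sessions: Dict[str, Session] = {}

    def new_anonymous(self, ip: str, ua: str) -> str:
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = Session(None, client_fingerprint(ip, ua), now, now)
        return sid

    def login(self, old_sid: str, user: str, ip: str, ua: str) -> str:
        # Drop the pre-authentication ID and mint a fresh one. An attacker who
        # planted old_sid in the victim's browser (fixation) never learns the
        # post-login ID, so the authenticated session cannot be transferred.
        self.sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = Session(user, client_fingerprint(ip, ua), now, now, now)
        return sid

    def authenticated_user(self, sid: str, ip: str, ua: str) -> Optional[str]:
        s = self.sessions.get(sid)
        if s is None or s.user is None:
            return None
        now = self.clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            self.terminate(sid)
            return None
        if s.fingerprint != client_fingerprint(ip, ua):
            self.terminate(sid)   # presented from another client: treat as hijacked
            return None
        s.last_seen = now
        return s.user

    def requires_reauth(self, sid: str) -> bool:
        # Step-up trigger: password change, payment, etc. need a recent credential.
        s = self.sessions.get(sid)
        return s is None or s.last_auth is None or self.clock() - s.last_auth > REAUTH_WINDOW

    def reauthenticate(self, sid: str) -> None:
        # Called after the user has re-proved possession of a credential.
        if sid in self.sessions:
            self.sessions[sid].last_auth = self.clock()

    def terminate(self, sid: str) -> None:
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.new_anonymous("203.0.113.7", "Mozilla/5.0")
    sid = store.login(anon, "alice", "203.0.113.7", "Mozilla/5.0")
    print(store.authenticated_user(sid, "203.0.113.7", "Mozilla/5.0"))   # alice
    print(store.authenticated_user(sid, "198.51.100.9", "curl/8.0"))     # None
```

The fingerprint check is deliberately fail-closed: a session ID presented from a different client is terminated rather than merely rejected, so the legitimate holder is logged out too and the theft becomes visible.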

Why this matters: The exam tests the boundaries of these concepts: audit logs must be protected from the very insiders who generated them. Sessions must be bound to the authenticated identity in a way that prevents transfer. Accountability gaps (shared accounts, insufficient logging, alterable logs) are audit findings and breach enablers.

⚠️ Common Misconception: "SSO means users are permanently authenticated." SSO means users authenticate once to the identity provider (IdP) and receive tokens (SAML assertions, OIDC ID tokens) for downstream applications. Those tokens have lifetimes. When the IdP session expires (or the user logs out), all application sessions should terminate. In practice, each application creates its own local session after validating the token and may remain accessible until that local session expires, even after the IdP session has ended. Single logout (SLO), in which the IdP notifies every application when its session ends (SAML LogoutRequest, OIDC front-channel or back-channel logout), combined with short token and local-session lifetimes enforced by each application, is required for true SSO session lifecycle management.
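The lifecycle gap described above, as an added example (not the page's own code): a Python model of an IdP that issues short-lived, HMAC-signed tokens to two applications, where one application honors back-channel logout and the other does not. The token format, the logout call, and the TTL are simplified stand-ins for real SAML/OIDC messages and are assumptions for illustration.

```python
"""SSO session lifecycle model: the IdP issues signed, short-lived tokens; each
app keeps a local session; single logout (SLO) propagates IdP logout to every
app. Token format and logout call are simplified stand-ins for SAML/OIDC."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, Optional, Tuple


def _sign(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, key: bytes, clock: Callable[[], float] = time.time, token_ttl: int = 300):
        self.key, self.clock, self.token_ttl = key, clock, token_ttl
        self.sessions: Dict[str, str] = {}             # idp_sid -> user
        self.relying_parties: List["Application"] = [] # apps registered for SLO
        self._n = 0

    def register(self, app: "Application") -> None:
        self.relying_parties.append(app)

    def authenticate(self, user: str) -> str:
        self._n += 1
        sid = f"idp-{self._n}"
        self.sessions[sid] = user
        return sid

    def issue_token(self, idp_sid: str, audience: str) -> Optional[str]:
        # Only a live IdP session can mint a token; exp bounds its usefulness.
        user = self.sessions.get(idp_sid)
        if user is None:
            return None
        now = int(self.clock())
        claims = {"sub": user, "aud": audience, "sid": idp_sid,
                  "iat": now, "exp": now + self.token_ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return f"{body}.{_sign(self.key, body)}"

    def logout(self, idp_sid: str) -> None:
        # End the IdP session, then push a back-channel logout to every app
        # so local sessions tied to this IdP session die with it.
        self.sessions.pop(idp_sid, None)
        for app in self.relying_parties:
            app.backchannel_logout(idp_sid)


class Application:
    def __init__(self, name: str, key: bytes, clock: Callable[[], float] = time.time,
                 honors_slo: bool = True):
        self.name, self.key, self.clock, self.honors_slo = name, key, clock, honors_slo
        self.local: Dict[str, Tuple[str, str, int]] = {}  # app_sid -> (user, idp_sid, exp)
        self._n = 0

    def accept_token(self, token: str) -> Optional[str]:
        # Verify signature, audience and expiry before creating a local session.
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, _sign(self.key, body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["aud"] != self.name or claims["exp"] <= self.clock():
            return None
        self._n += 1
        app_sid = f"{self.name}-{self._n}"
        self.local[app_sid] = (claims["sub"], claims["sid"], claims["exp"])
        return app_sid

    def current_user(self, app_sid: str) -> Optional[str]:
        # Local session lifetime is capped by the token's exp.
        entry = self.local.get(app_sid)
        if entry is None:
            return None
        user, _, exp = entry
        if exp <= self.clock():
            del self.local[app_sid]
            return None
        return user

    def backchannel_logout(self, idp_sid: str) -> None:
        # A misconfigured app that ignores SLO keeps serving its cached session.
        if not self.honors_slo:
            return
        for app_sid in [k for k, (_, s, _) in self.local.items() if s == idp_sid]:
            del self.local[app_sid]
```

After `idp.logout(sid)`, the SLO-aware application returns no user immediately, while the one that ignores the logout keeps answering until its token's exp passes; the short TTL is the only thing bounding that exposure, which is why both SLO and short lifetimes are needed.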

Written by Alvin Varughese, Founder, 15 professional certifications