CISSP Domain 5: SSO, SAML, OAuth, OIDC & Kerberos

On the CISSP, the identity protocols come down to one move: decide whether the scenario needs authentication or authorization, then match the protocol to that need. This Domain 5 deep-dive separates single sign-on from federation, then walks the four heavyweight protocols and exactly when each one is the right answer. With Professor Erica, Fatima, Fenrir, and Grace, we cover the identity foundations behind 13% of the current exam, and the question-reading habits that turn ‘BEST’ and ‘MOST’ scenarios into quick, defensible picks.

In this video:

  • Single sign-on vs federation, and why one stolen SSO login is a master key
  • SAML 2.0: the Identity Provider asserts, the Service Provider trusts the signed assertion
  • The #1 trap: OAuth is authorization (access tokens), NOT authentication
  • OpenID Connect: the authentication layer on top of OAuth, and the ID token (a JWT)
  • Kerberos: the KDC, the TGT-then-service-ticket flow, and why passwords never cross the wire
  • The clock-skew trap: why Kerberos logins fail when time sync drifts, and the manager fix

The next video in the series moves into authorization models, the rules that decide what an authenticated user is actually allowed to do. Anchored to the (ISC)2 CISSP Detailed Content Outline effective April 15, 2024.

▶ Watch next: CISSP Domain 5: DAC, MAC, RBAC, ABAC Explained https://www.youtube.com/watch?v=5q9Lgcumrsk

📺 Full playlist: CISSP (2026) v2 https://www.youtube.com/playlist?list=PLlIAFxS2964_K3g6WysWnLpifoxilduGi


Key Topics

  • The Password That Unlocked Everything
  • One Login, Many Doors
  • SAML: The Federation Workhorse
  • OAuth Is Not a Login
  • OpenID Connect Fixes the Gap
  • Kerberos and the Ticket System
  • The Clock-Skew Trap
  • Picking the Right Protocol Fast