Free Google Apigee-API-Engineer Actual Exam Questions - Question 7 Discussion
1. Limited token lifetime.
2. Managed key rotation.
3. Self-verifiable content.
4. Compact data representation.
5. Refresh without new challenge.
You plan to use SAML2. Which two of the above-listed requirements are satisfied by using SAML2?
Choose 2 answers
Makes sense, SAML tokens have expiration (A) and are signed for verification (C).
A/C? Limited token lifetime is definitely covered since SAML assertions have expiration timestamps. Self-verifiable content also fits because SAML tokens are signed XML documents you can validate without contacting the issuer again. D is out since XML isn’t compact, and E doesn’t work because SAML doesn’t have a built-in refresh mechanism. B is more about how keys are managed outside the token itself, so that’s not really part of SAML’s core features. So yeah, A and C feel like the best match here.
Not B, since key rotation is handled by the service, not the SAML token itself. Also, not D because SAML uses XML, which isn’t really compact compared to other formats like JWT. So A and C still stand out.
B, IMO: managed key rotation is more about the issuer’s infrastructure rather than the SAML token itself. SAML tokens do have limited lifetime (A) and usually include signatures, so self-verifiable content (C) fits better. Also, SAML uses XML, so it’s not really compact (D), and refresh without new challenge (E) isn’t really a built-in SAML feature either. So I’d say A and C cover the requirements best.
I agree that A is a solid pick because SAML tokens clearly have expiration times, so they cover limited lifetime. For the second one, I’m thinking about D since SAML tokens tend to be XML-based and aren’t exactly compact. So maybe that rules out D. B sounds more like an issuer responsibility, not a SAML feature. That leaves C for self-verifiable content since SAML assertions are signed and can be validated independently. So wouldn’t it be A and C? What do you think about E? Refreshing without a new challenge seems harder with SAML’s structure.
It’s definitely A for limited token lifetime since SAML tokens include expiration info. For the second one, I’d say B is less about SAML itself and more about how the issuer handles keys. C makes sense because SAML assertions are signed, so the token content can be verified independently. D and E don’t fit well since SAML tokens are pretty bulky and don’t support refresh without a new challenge. So I’d go with A and C based on token expiration and signature verification.
Maybe A and C? SAML tokens usually have an expiration time, so that covers limited lifetime. Also, they’re signed, which makes the content verifiable without needing to check back with the issuer. But I’m not sure if SAML tokens are compact or support refresh without a new challenge. Does anyone know if “managed key rotation” relates directly to SAML or if it’s mostly about how the server handles keys?
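The thread's two points, that a SAML 2.0 assertion carries its own validity window (Conditions NotBefore/NotOnOrAfter) and that the signed assertion can be checked by the relying party without going back to the IdP, are easy to get half right. Below is an added example (not from the exam page or from Apigee) showing the checks a relying party should make before trusting an assertion: the lifetime window with a small clock-skew allowance, the audience, and that the ds:Signature is a direct child of the assertion whose ds:Reference URI points at this assertion's ID (the binding that signature-wrapping attacks abuse). The assertion, issuer, audience and ID are constructed placeholders, the DigestValue/SignatureValue are dummy base64, and timestamps are assumed to be whole-second UTC; the cryptographic verification of the XML-DSig itself is deliberately left to a real XML-DSig library (for example signxml or python3-saml), which this stdlib-only code does not replace.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DS_NS}

# Constructed sample assertion (not a real IdP response). Issuer, ID and
# audience are placeholders; DigestValue/SignatureValue are dummy base64.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1b2c3">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://api.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a whole-second UTC xsd:dateTime (assumption: no fractional seconds)."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_assertion(xml_text, now_iso, audience, skew_seconds=60):
    """Pre-verification checks a relying party runs on a SAML 2.0 assertion.

    Returns (ok, reason). A True result still requires the XML-DSig to be
    verified cryptographically against the IdP's trusted certificate.
    """
    now = parse_ts(now_iso)
    skew = dt.timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 2.0 Assertion"

    # Requirement 1, limited token lifetime: an assertion without NotOnOrAfter
    # has no bounded lifetime, so refuse it rather than treating it as eternal.
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "no NotOnOrAfter: lifetime is unbounded, reject"
    not_before = cond.get("NotBefore")
    if not_before is not None and now + skew < parse_ts(not_before):
        return False, "assertion not yet valid"
    if now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired"

    # Audience restriction: an assertion minted for another service is not ours.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and audience not in audiences:
        return False, "audience mismatch"

    # Requirement 3, self-verifiable content: the signature must be a direct
    # child of this assertion and its Reference must point at this assertion's
    # ID. A signature found elsewhere in the document (or one referencing a
    # different ID) is the classic signature-wrapping setup.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return False, "unsigned assertion"
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        return False, "signature does not reference this assertion"
    return True, "lifetime, audience and signature binding OK; verify XML-DSig next"


if __name__ == "__main__":
    for when in ("2024-01-01T12:02:00Z", "2024-01-01T12:10:00Z"):
        print(when, check_assertion(SAMPLE_ASSERTION, when, "https://api.example.com"))
```

The skew allowance is applied in the direction that favours acceptance (an assertion is rejected only once it is expired by more than the skew), which matches how most SP libraries behave; keep it small, because it directly lengthens the effective token lifetime the exam question is asking about. Note that nothing here gives you requirement 5: once NotOnOrAfter passes, the only way to get a new assertion is a new authentication round trip to the IdP.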