Free Zscaler ZDTA Actual Exam Questions - Question 8 Discussion
assertion delivered to the service provider?
Maybe D, since assertions are too big for redirects and need secure delivery.
It’s D. The assertion is usually sent via a form POST to keep it secure and avoid URL size limits, unlike option A which is mainly for sending the initial request.
D imo, because the actual assertion is often too big and sensitive to send via URL redirect (A). The form POST method (D) securely posts the assertion back from IdP to SP using the browser, which fits the typical SAML response flow. B and C don’t really fit since API calls or client connectors aren’t standard for delivering assertions in the browser-based SAML flow.
Option A is usually for sending the AuthnRequest, not the assertion itself.
Probably D. The assertion is generally sent back embedded in a form POST from the IdP to the SP through the user’s browser, which keeps it secure and reliable compared to redirects.
It’s D. The assertion is usually sent inside an HTML form POST to keep it secure and handle its size, rather than using redirects or API calls.
Yeah, the key is that the SAML assertion is sensitive and usually too big for a URL redirect. So it gets passed from the Identity Provider back to the Service Provider using a form POST through the user’s browser. That fits best with option D. The redirect (A) is used when the SP sends the initial AuthnRequest to the IdP, but not for sending the assertion itself.
Agreed, the assertion is typically too large for redirects and sensitive data should be sent securely. That’s why D is the way to go—form POST through the browser makes the most sense here.
Probably D here. The assertion is quite big and sensitive, so sending it via a form POST from the browser to the service provider makes more sense than an HTTP redirect. Redirects usually carry smaller payloads, like the initial request, not the full assertion. Also, API calls (B) or client connectors (C) don’t usually handle this part in standard SAML flows. So, I’d stick with the form POST as the common method for delivering the SAML assertion.
D. The assertion usually isn’t sent via HTTP redirect because it can be quite large and wouldn’t fit well in a URL. The usual practice is to send it back to the service provider through a form POST, where the assertion is base64 encoded and submitted as a hidden field. That way, it’s a secure and reliable transfer method within the browser. So it’s more about the response carrying the assertion rather than the initial request, which might use a redirect.
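As an added illustration of the two bindings the replies above contrast (this code is not part of the thread or the exam material), the following Python shows the HTTP-Redirect binding used for the initial AuthnRequest (DEFLATE, base64, URL-encode into the query string) beside the HTTP-POST binding used for the Response (base64 XML in a hidden form field the browser auto-submits), and the service-provider side decoding that field. The hostnames, IDs and messages are constructed placeholders, the Response is unsigned, and the SP helper checks only the Destination attribute; signature and audience validation is deliberately left out of scope.

```python
import base64
import html
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample messages: placeholder hosts and IDs, and the Response is
# unsigned, so they illustrate the transport only, not a real IdP's output.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs"/>'
)
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-response-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://sp.example.com/saml/acs">'
    "<saml:Issuer>https://idp.example.com</saml:Issuer>"
    '<saml:Assertion ID="_constructed-assertion-id" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.com</saml:Issuer>"
    "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
    "</saml:Assertion></samlp:Response>"
)


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding (SP -> IdP AuthnRequest): raw DEFLATE, base64, URL-encode.
    Compression is what keeps the small request short enough for a query string."""
    compressor = zlib.compressobj(level=9, wbits=-15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_binding(query_value: str) -> str:
    """What the IdP does with the ?SAMLRequest=... query parameter."""
    deflated = base64.b64decode(urllib.parse.unquote(query_value), validate=True)
    return zlib.decompress(deflated, -15).decode("utf-8")


def build_post_form(acs_url: str, response_xml: str, relay_state: str = "") -> str:
    """HTTP-POST binding (IdP -> SP Response): the XML is base64-encoded without
    compression and placed in a hidden field of a form the browser auto-submits."""
    fields = [("SAMLResponse", base64.b64encode(response_xml.encode("utf-8")).decode("ascii"))]
    if relay_state:
        fields.append(("RelayState", relay_state))
    inputs = "\n".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}"/>'
        for name, value in fields
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'<form method="post" action="{html.escape(acs_url, quote=True)}">\n'
        f"{inputs}\n"
        '<noscript><input type="submit" value="Continue"/></noscript>\n'
        "</form></body></html>"
    )


class _HiddenFieldCollector(HTMLParser):
    """Stand-in for the browser: collects the hidden fields the form would POST."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and attr.get("type") == "hidden":
            self.fields[attr["name"]] = attr.get("value") or ""


def submit_form(form_html: str) -> dict:
    collector = _HiddenFieldCollector()
    collector.feed(form_html)
    return collector.fields


def receive_post_binding(form_fields: dict, expected_acs: str) -> ET.Element:
    """SP side: decode the hidden field back into XML and check that the message was
    addressed to this ACS endpoint. A real SP must also verify the XML signature,
    audience, InResponseTo and validity window before trusting the assertion."""
    raw = base64.b64decode(form_fields["SAMLResponse"], validate=True)
    # xml.etree for brevity; production parsers should reject DTDs and external entities
    response = ET.fromstring(raw)
    if response.get("Destination") != expected_acs:
        raise ValueError("SAML Response Destination does not match this ACS URL")
    return response


def subject_name_id(response: ET.Element) -> str:
    name_id = response.find("saml:Assertion/saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        raise ValueError("no Subject/NameID in assertion")
    return name_id.text


def round_trip_post_binding(acs_url: str = "https://sp.example.com/saml/acs") -> str:
    """IdP builds the form, the browser submits it, the SP decodes it; returns the NameID."""
    posted = submit_form(build_post_form(acs_url, SAMPLE_RESPONSE, relay_state="/dashboard"))
    return subject_name_id(receive_post_binding(posted, acs_url))


if __name__ == "__main__":
    print("https://idp.example.com/sso?SAMLRequest=" + encode_redirect_binding(SAMPLE_AUTHN_REQUEST))
    print(round_trip_post_binding())
```

The Destination check in `receive_post_binding` is the minimum an ACS endpoint should do with a posted Response before any signature verification: a message addressed to a different endpoint is rejected even if it decodes cleanly.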
Option D makes more sense since the SAML assertion is usually sent as a base64 encoded XML in a hidden form field via POST, not just in the URL like a redirect would. Redirect is mainly for the initial request.
D vs A? I’m not sure if the assertion goes through a form POST or is just redirected in the URL. Anyone got clarity on how SAML typically sends this?