ISC2 CISSP Practice Question

The correct answer is implementing a local identity proxy. A local identity proxy (sometimes called an identity broker or federation server) is installed within the corporate network and serves as an intermediary between the company's internal identity provider (directory services) and external service providers. This approach allows authentication traffic to be contained within the organization's network boundary because the proxy handles all external communications while maintaining internal connections to the identity store.

The token forwarding mechanism option is incorrect because security tokens are typically sent directly from identity provider to service provider, which would mean authentication traffic would cross network boundaries.

The cloud-based integration service would actually move authentication traffic outside the company's network boundary, which directly contradicts the requirement.

Implementing a credential caching system by itself doesn't necessarily keep authentication traffic within the network boundary - it may reduce the frequency of authentication events but doesn't control where that traffic flows when authentication does occur.