WEBVTT

00:00.000 --> 00:01.680
>> Just the way
Kerberos helps us

00:01.680 --> 00:03.450
>> administer a network that

00:03.450 --> 00:04.890
>> makes life much easier for

00:04.890 --> 00:07.125
users by having that
single sign-on,

00:07.125 --> 00:09.465
we can certainly see
how the same concept,

00:09.465 --> 00:12.240
if extended outside our domain
and across the Internet,

00:12.240 --> 00:13.890
how tremendous would it be to

00:13.890 --> 00:15.450
only have one set of passwords

00:15.450 --> 00:17.400
and credentials for
all the resources

00:17.400 --> 00:19.080
you access on the Internet.

00:19.080 --> 00:21.360
With that being said,
certainly we have to go

00:21.360 --> 00:23.820
back and look at some of
the problems with Kerberos.

00:23.820 --> 00:26.205
If your one set of
credentials is compromised,

00:26.205 --> 00:28.785
then the attacker has
access to everything.

00:28.785 --> 00:32.265
If we can control this
process, secure passwords,

00:32.265 --> 00:34.185
and provide a single
point of entry,

00:34.185 --> 00:36.200
then that's going to make
life much easier for

00:36.200 --> 00:38.635
both administrators and users.

00:38.635 --> 00:40.850
When we do talk about
bringing this idea

00:40.850 --> 00:42.850
of single sign-on
outside our domain,

00:42.850 --> 00:46.050
we've got to look at a
couple of technologies.

00:46.430 --> 00:50.165
One that's most common
today is called SAML,

00:50.165 --> 00:53.795
that stands for Security
Association Markup Language.

00:53.795 --> 00:55.850
I want you to think
about a scenario where

00:55.850 --> 00:57.110
a college student
has signed up for

00:57.110 --> 00:59.305
college and they're
ready for the first day.

00:59.305 --> 01:01.130
They come in and they're ready

01:01.130 --> 01:02.765
to get their books
from the library.

01:02.765 --> 01:03.950
They immediately go in and

01:03.950 --> 01:06.350
register and sign
up at the school.

01:06.350 --> 01:08.405
They pay their money and are in.

01:08.405 --> 01:10.175
Next thing the student does

01:10.175 --> 01:11.570
is go to the library and says,

01:11.570 --> 01:13.925
I'm a college student,
I need some books.

01:13.925 --> 01:16.190
The library says, we
don't know who you are.

01:16.190 --> 01:18.410
The student can bring
out a driver's license,

01:18.410 --> 01:20.680
but that doesn't prove that
he's part of the school.

01:20.680 --> 01:23.645
What he needs is something
that he can show the library,

01:23.645 --> 01:26.165
that he's a valid,
legitimate student.

01:26.165 --> 01:29.240
The library says, you need
to go to the student center,

01:29.240 --> 01:31.845
get your school ID, and
then come back to us.

01:31.845 --> 01:33.635
The student leaves
from the library,

01:33.635 --> 01:34.985
goes to the student center,

01:34.985 --> 01:36.605
and shows his paperwork.

01:36.605 --> 01:39.920
They find his name, he
provides his identification,

01:39.920 --> 01:41.410
and he has a badge.

01:41.410 --> 01:43.260
That badge not only says this is

01:43.260 --> 01:45.030
John Smith, but it also says,

01:45.030 --> 01:46.430
this is John Smith, who is

01:46.430 --> 01:49.340
a legitimate student
here at ABC College.

01:49.340 --> 01:50.795
Now that he has his badge,

01:50.795 --> 01:52.145
he goes back to the library,

01:52.145 --> 01:55.285
shows his badge, and the
library gives him his books.

01:55.285 --> 01:57.890
That badge may have
additional information,

01:57.890 --> 01:59.135
things like his major,

01:59.135 --> 02:00.800
so the library pulls
a set of books

02:00.800 --> 02:03.380
for biology department
for the student.

02:03.380 --> 02:05.495
What information is on the badge

02:05.495 --> 02:08.460
can really change
and be very helpful.

02:08.470 --> 02:11.180
What we have here
is the idea that

02:11.180 --> 02:13.145
once my student
gets a student ID,

02:13.145 --> 02:14.690
they can go to the library or

02:14.690 --> 02:16.700
the cafeteria to purchase meals.

02:16.700 --> 02:19.760
Many entities are going to
accept the student badge.

02:19.760 --> 02:22.070
Everything on the college
campus is going to accept

02:22.070 --> 02:23.930
that student badge as proof
that they're enrolled in

02:23.930 --> 02:26.720
the school and can
prove their identity.

02:26.720 --> 02:29.720
Now let's say that Uber
in town has decided

02:29.720 --> 02:32.105
that they want to increase
their business with students.

02:32.105 --> 02:33.200
They work up something with

02:33.200 --> 02:34.760
the university that
students can share

02:34.760 --> 02:38.045
their school ID and Uber
will spin up a student account.

02:38.045 --> 02:41.195
That requires a trust
between Uber and the school.

02:41.195 --> 02:43.610
Then all of a sudden,
this one piece of

02:43.610 --> 02:45.710
authentication,
the student badge,

02:45.710 --> 02:48.110
is now not just used
within that domain,

02:48.110 --> 02:50.090
but now for any
organization that's

02:50.090 --> 02:52.160
going to allow a
trusting relationship.

02:52.160 --> 02:53.630
The student can use that student

02:53.630 --> 02:54.830
center badge for billing,

02:54.830 --> 02:56.120
for identification,

02:56.120 --> 02:58.760
maybe even participating
in the laundromat.

02:58.760 --> 03:01.915
Potential for this is
really tremendous.

03:01.915 --> 03:04.190
This is what we're
trying to achieve when

03:04.190 --> 03:05.825
we bring in federated services

03:05.825 --> 03:09.470
and use SAML or something
called OpenID Connect.

03:09.470 --> 03:10.850
What has to happen is

03:10.850 --> 03:12.380
a trusting relationship has to

03:12.380 --> 03:14.150
be built between
the organizations

03:14.150 --> 03:16.640
that offer services and
the organization that

03:16.640 --> 03:18.860
provides the
identifying information,

03:18.860 --> 03:20.255
that student badge.

03:20.255 --> 03:22.120
That's called a federated trust.

03:22.120 --> 03:24.770
We can have trust in an
internal environment.

03:24.770 --> 03:27.470
Then taking that and
expanding it beyond,

03:27.470 --> 03:30.080
that's going to require
this federated trust.

03:30.080 --> 03:32.345
That's exactly what SAML does

03:32.345 --> 03:35.555
and is a part of the
role that SAML serves.

03:35.555 --> 03:37.520
A network administrator is

03:37.520 --> 03:39.230
going to go and set
up a trust with

03:39.230 --> 03:43.145
an organization or going to
provide an identity provider.

03:43.145 --> 03:44.540
Then they're going to be

03:44.540 --> 03:46.885
service providers that
provide services.

03:46.885 --> 03:49.640
Ultimately, when this
works with SAML,

03:49.640 --> 03:53.045
a user goes to access
a specific web application.

03:53.045 --> 03:54.380
Let's say you are trying to

03:54.380 --> 03:55.790
access your account in Office

03:55.790 --> 04:00.505
365 or maybe a corporate
account on Salesforce or Webex.

04:00.505 --> 04:02.090
I'm going to go

04:02.090 --> 04:04.970
authenticate and say I'm
kellyhanderhan@abc.com,

04:04.970 --> 04:09.080
then the application is going
to redirect my web browser.

04:09.080 --> 04:11.180
Because they're on abc.com,

04:11.180 --> 04:14.270
you need to authenticate
with your own organization.

04:14.270 --> 04:17.690
Basically, I'm redirected
to my identity provider.

04:17.690 --> 04:19.520
That can be an internal
service that we

04:19.520 --> 04:21.310
set up within our organization.

04:21.310 --> 04:22.820
It can be provided to us from

04:22.820 --> 04:24.685
an identity service provider

04:24.685 --> 04:26.595
if you're familiar with Ping.

04:26.595 --> 04:30.125
When I authenticate myself
to the identity provider,

04:30.125 --> 04:33.490
in exchange they issue
me a SAML token.

04:33.490 --> 04:35.000
I'm redirected back to

04:35.000 --> 04:37.610
the original application
I was trying to access.

04:37.610 --> 04:39.350
Now my web access comes in,

04:39.350 --> 04:40.775
but it has a token.

04:40.775 --> 04:42.530
The trust has already
been established

04:42.530 --> 04:43.760
by my administrator.

04:43.760 --> 04:46.625
The application says,
I'll take your token.

04:46.625 --> 04:48.290
Now, you're allowed to

04:48.290 --> 04:50.425
access whatever you
need to access.

04:50.425 --> 04:52.220
That token is stored as part of

04:52.220 --> 04:54.200
the session cookie
with the browser,

04:54.200 --> 04:56.300
so that I don't have to
keep doing that again

04:56.300 --> 04:58.945
and again for every
single service request.

04:58.945 --> 05:01.970
Basically, SAML is going
to use a series of

05:01.970 --> 05:05.360
redirects and require a token
from an identity provider.

05:05.360 --> 05:08.540
That token from the identity
provider is going to go

05:08.540 --> 05:10.085
across a federated trust

05:10.085 --> 05:12.280
and be sent to a
service provider.

05:12.280 --> 05:14.960
SAML is slowly being
replaced with something

05:14.960 --> 05:18.200
called OpenID Connect,
another service provider.

05:18.200 --> 05:20.200
With SAML being bloated,

05:20.200 --> 05:21.380
we're looking to replace it with

05:21.380 --> 05:24.060
something called OpenID Connect.

