WEBVTT

00:00.000 --> 00:02.130
>> In OpenID Connect,
we have to call

00:02.130 --> 00:04.590
the service provider,
a relying party.

00:04.590 --> 00:06.450
Instead of an ID provider,

00:06.450 --> 00:08.130
they are an OpenID provider.

00:08.130 --> 00:11.925
Really, those are the big
differences, same basic idea.

00:11.925 --> 00:15.030
The way OpenID Connect
works [inaudible] is it

00:15.030 --> 00:16.410
takes a little bit
of the weight off

00:16.410 --> 00:17.820
the client browser.

00:17.820 --> 00:19.200
For instance, I'm going to

00:19.200 --> 00:21.120
try to connect to
an organization,

00:21.120 --> 00:22.470
whatever that service is,

00:22.470 --> 00:23.745
I'm going to connect.

00:23.745 --> 00:26.115
Based on how I
attempt to connect,

00:26.115 --> 00:28.980
kellyhand.hand@abc.com,
that relying party

00:28.980 --> 00:31.170
knows who my identity
provider is.

00:31.170 --> 00:34.209
Again, that's set up
by the administrator.

00:34.209 --> 00:37.310
Instead of redirecting
the client's browser,

00:37.310 --> 00:38.780
the relying party challenges

00:38.780 --> 00:40.520
the OpenID provider and says,

00:40.520 --> 00:43.055
is this person legit,
can we trust them?

00:43.055 --> 00:45.080
The OpenID provider
sends back

00:45.080 --> 00:48.200
an OpenID token that provides
that authentication.

00:48.200 --> 00:51.140
Then ultimately, the
relying party is going to

00:51.140 --> 00:54.275
be able to provide the services
to the end-user client.

00:54.275 --> 00:57.500
We still have that back and
forth step-by-step process,

00:57.500 --> 00:58.760
but ultimately, it's about

00:58.760 --> 01:01.640
the trust relationship
between the relying provider,

01:01.640 --> 01:04.220
or the relying party
and the OpenID party,

01:04.220 --> 01:07.280
just like it was between
the SAML service provider,

01:07.280 --> 01:09.970
and the SAML ID provider.

01:09.970 --> 01:12.300
It's all about this
trusting relationship.

01:12.300 --> 01:15.200
The big benefit is
the user logs onto

01:15.200 --> 01:17.120
their identity provider
and they're not

01:17.120 --> 01:20.115
sending authentication
information across the Internet.

01:20.115 --> 01:23.030
No username and passwords
go across the network,

01:23.030 --> 01:25.040
just the SAML tokens
that would not

01:25.040 --> 01:27.380
be valuable in any
way to an attacker.

01:27.380 --> 01:30.620
Single-sign-on where
their identity provider

01:30.620 --> 01:33.785
uses tokens to vouch
for authenticity.

01:33.785 --> 01:37.340
This is the direction that
we're going out on the web.

01:37.340 --> 01:39.455
One other element that's part of

01:39.455 --> 01:41.975
OpenID Connect is called OAuth.

01:41.975 --> 01:45.635
We're on OAuth 2. This is
just simply a framework.

01:45.635 --> 01:48.950
It isn't a specific
protocol or a type of API.

01:48.950 --> 01:51.610
It's a framework that we
designed our applications on,

01:51.610 --> 01:53.030
so you can delegate rights or

01:53.030 --> 01:55.975
actions to specific
applications.

01:55.975 --> 01:58.520
For instance, let's say that I

01:58.520 --> 02:00.590
want to go to Spotify
and listen to music,

02:00.590 --> 02:02.150
and it asks me, would
you like to use

02:02.150 --> 02:03.845
your Facebook account to login?

02:03.845 --> 02:06.140
If I say yes,
Facebook is actually

02:06.140 --> 02:07.564
my identity provider.

02:07.564 --> 02:09.780
Facebook is sending
me a token on behalf

02:09.780 --> 02:12.070
of Spotify to
validate my identity,

02:12.070 --> 02:13.775
and to authenticate me.

02:13.775 --> 02:16.790
Usually, I get a little
message that pops up and says,

02:16.790 --> 02:19.130
would you like Spotify to
update your Facebook page so

02:19.130 --> 02:21.470
your friends can know what
music you're listening to?

02:21.470 --> 02:22.550
When I click "Yes",

02:22.550 --> 02:24.050
that's giving an
application the right

02:24.050 --> 02:25.850
to modify another application,

02:25.850 --> 02:28.730
and the right to modify
Facebook is only mine.

02:28.730 --> 02:31.100
I'm the owner of
the Facebook page.

02:31.100 --> 02:33.770
I'm the only one who's
allowed to update the page.

02:33.770 --> 02:35.150
I've just delegated
that right for

02:35.150 --> 02:38.155
Spotify to do something
on my behalf.

02:38.155 --> 02:40.340
Same idea, if I'm doing

02:40.340 --> 02:42.365
accounting and I log
into QuickBooks,

02:42.365 --> 02:44.630
one of the features of
QuickBooks is they can pull

02:44.630 --> 02:45.800
your credit card information

02:45.800 --> 02:47.480
from your credit card companies,

02:47.480 --> 02:49.400
they can pull your
bank statements,

02:49.400 --> 02:51.880
they can pull all
financial information.

02:51.880 --> 02:53.840
Of course, you have
to give it permission

02:53.840 --> 02:55.925
to do so. That's OAuth.

02:55.925 --> 02:58.610
That's the ability to act
on my behalf in order to

02:58.610 --> 03:01.900
increase usability
and interoperability.

03:01.900 --> 03:04.545
It winds up being very valuable.

03:04.545 --> 03:05.840
This is a framework on

03:05.840 --> 03:07.865
which we're designing
applications.

03:07.865 --> 03:09.590
The whole goal here for single

03:09.590 --> 03:11.540
sign-on and federated
trust is to

03:11.540 --> 03:13.130
take some of these ideas that we

03:13.130 --> 03:15.140
just take for granted
in a local domain.

03:15.140 --> 03:16.430
I just take for granted,

03:16.430 --> 03:17.795
I log on to the domain,

03:17.795 --> 03:19.310
and then it can
print to my printer,

03:19.310 --> 03:21.665
access a database,
or whatever I need.

03:21.665 --> 03:23.780
What we're doing with SAML and

03:23.780 --> 03:25.370
OpenID Connect is they're

03:25.370 --> 03:26.960
both serving the
same purpose of

03:26.960 --> 03:29.255
logging onto an identity provider.

03:29.255 --> 03:31.250
As long as our
administrator sets up

03:31.250 --> 03:32.885
the proper federated trust,

03:32.885 --> 03:35.945
we can log in once to
that identity provider,

03:35.945 --> 03:37.955
and then access all
the resources that

03:37.955 --> 03:40.255
have trust, whether
they're local,

03:40.255 --> 03:41.910
or in another organization,

03:41.910 --> 03:43.455
or anywhere across the world,

03:43.455 --> 03:46.270
as long as the trust
has been set up.

03:46.480 --> 03:49.850
It is going to expedite
administration

03:49.850 --> 03:51.020
and make it easier

03:51.020 --> 03:52.640
for admins to have
tighter control of

03:52.640 --> 03:55.265
what users access
what resources.

03:55.265 --> 03:58.265
It's also going to make
life much easier on users,

03:58.265 --> 03:59.630
because they won't
need to keep up

03:59.630 --> 04:01.980
with so many passwords.

