WEBVTT

00:00.650 --> 00:07.340
We live in a world where we as individuals want to access lots and lots of computers. I mean, just think

00:07.340 --> 00:12.200
about this: in your normal browsing life you go to all kinds of different Web sites. Those are actual

00:12.200 --> 00:14.760
computers and you have to access them now.

00:14.840 --> 00:20.240
The Web might be a little bit of a tricky one because the Web is a public kind of tool, but we can trivially

00:20.300 --> 00:23.900
add usernames and passwords to any Web site that we want to.

00:23.900 --> 00:26.130
People don't do it very often but you can.

00:26.540 --> 00:27.820
Let's take a better example.

00:27.830 --> 00:29.780
Let's talk about a local area network.

00:29.870 --> 00:34.730
So here at Total Seminars we've got lots and lots of computers and people are sharing stuff, and we've got

00:35.060 --> 00:41.810
servers and printers and all kinds of things that I as an individual want to be able to access in a

00:41.900 --> 00:44.870
typical Windows workgroup.

00:45.170 --> 00:50.460
What we do is, well, here's an example: we've got three or four computers and we've got a printer

00:50.460 --> 00:51.830
or whatever it might be.

00:51.840 --> 00:58.560
Now each one of these hosts has its own username and password list and it works great.

00:58.580 --> 01:03.920
The challenge is that if I want to access one computer I have to have a username and password on that

01:03.920 --> 01:07.460
computer that I can log in with, and if I want to access another computer,

01:07.460 --> 01:10.250
It may have a different username and password.

01:10.370 --> 01:17.770
So the Windows workgroups, which have been around now for over 30 years, have worked very, very well.

01:17.790 --> 01:22.220
We can go ahead and log in to these individual computers but once in a while you want to start logging

01:22.220 --> 01:24.290
into a lot of computers at once.

01:24.290 --> 01:27.590
You want to go to this computer and that computer, and after a while you start going, I can't remember

01:27.590 --> 01:28.880
all these passwords.

01:28.980 --> 01:31.660
So one thing you can do is cheat.

01:31.670 --> 01:36.410
So if we take a look at this example one more time, what I can do is put the same username and

01:36.410 --> 01:40.680
password on every single one of these computers on my local area network.

01:40.820 --> 01:45.950
And that way I don't have to log in every time, because once I log into my computer, that will in essence

01:45.980 --> 01:52.130
carry that authentication information to each one of these other computers, and then I always think that

01:52.130 --> 01:56.690
I have a user called to me with a password of 1 2 3 4.

01:57.200 --> 01:58.700
That is not a good idea.

01:58.730 --> 02:02.380
It is a very dangerous security issue and it is a big problem.

02:02.570 --> 02:04.070
So what can we do instead.

02:04.070 --> 02:12.680
Well, what we can do is single sign on. The idea behind single sign on is that I log in once to something

02:12.950 --> 02:18.290
and then everything else I need to get to, I'm automatically logged into. Now single sign on is a great

02:18.290 --> 02:21.260
idea, but it works differently depending on what you're talking about.

02:21.260 --> 02:27.320
So let's start with the most classic, and that is single sign on on a local area network. To do that,

02:27.320 --> 02:31.610
we're going to have to use Windows Active Directory. Now Windows Active Directory has been around for

02:31.660 --> 02:37.880
ever and it is the gold standard when it comes to single sign on tools for local area networks. It actually

02:37.880 --> 02:40.850
works with more than local area networks, but we'll keep it simple for the moment.

02:41.090 --> 02:47.480
So with Active Directory, what I have to first do is go purchase a copy of Windows Server, and I install

02:47.480 --> 02:48.770
that into my network.

02:48.780 --> 02:49.910
Here it looks something like this.

02:49.910 --> 02:53.870
So here's my Windows Server with all these other computers now.

02:53.960 --> 03:00.620
Once I establish a domain, as we call it in the Windows world, we then have all of these other computers

03:00.800 --> 03:03.000
join this domain.

03:03.020 --> 03:10.400
Now we do this by having an administrator actually go to each computer and go through a process of having

03:10.400 --> 03:11.330
them join the domain.

03:11.330 --> 03:18.350
So somebody in a high trust position has to actually go through and connect each one of these individual

03:18.350 --> 03:20.720
computers to the domain one at a time.

03:20.720 --> 03:29.120
Now once that's done, we in essence have created a trust situation, because I as an administrator have

03:29.120 --> 03:35.070
gone to each computer and said join this domain. We have what are known as federated systems.

03:35.090 --> 03:38.000
When you hear the word federated, think trust.

03:38.000 --> 03:43.490
So there is an implicit trust that has been developed there, simply because Microsoft has a proprietary

03:43.490 --> 03:45.700
authentication mechanism based on Kerberos.

03:45.890 --> 03:50.220
But the bottom line is that we now have trust.

03:50.480 --> 03:56.120
Now if you're going to be doing single sign on in a local area network, odds are good you're going to

03:56.120 --> 04:02.840
be using Active Directory. Even if you have Apple systems, even if you have Linux systems, those can use

04:03.050 --> 04:04.760
Windows file sharing.

04:04.760 --> 04:10.490
Or if it's Linux we can use Samba, and all of these can be configured to join a local domain, which is

04:10.490 --> 04:11.090
actually cool.

04:11.090 --> 04:17.870
I can't tell you how many big systems you have out there where the research areas have really got 5300 Linux

04:17.870 --> 04:24.620
boxes and they still have a Windows Active Directory on there, simply because it's easier from a maintenance

04:24.620 --> 04:27.110
standpoint to be able to do single sign on.

04:27.110 --> 04:32.840
So when you're talking about LANs, you really are talking about Active Directory as the single sign on

04:32.840 --> 04:34.430
tool.

04:34.460 --> 04:40.880
Now there is another type of single sign on, and this is completely different, and it's based on something

04:40.880 --> 04:46.580
called SAML.

04:46.600 --> 04:48.070
Let me give you a scenario.

04:48.160 --> 04:53.170
Let's say I'm running, well, I live in Texas, so we're running an oil pipeline, and on this oil pipeline

04:53.200 --> 04:58.960
we've got lots of pumps and thermometers and cameras and all kinds of stuff, hundreds of little devices.

04:59.140 --> 05:04.510
And we've developed web apps for these devices so that I can turn pumps on, turn pumps off, whatever it

05:04.510 --> 05:05.390
might be.

05:05.410 --> 05:10.820
Now just because these are web apps, don't go thinking they're public. They're well protected: usernames,

05:10.870 --> 05:12.550
passwords, all kinds of stuff.

05:12.580 --> 05:14.060
It's not easy.

05:14.140 --> 05:16.880
Hopefully it's basically impossible for the public to get to.

05:16.990 --> 05:22.170
But I, as the operator of all these pumps and everything, need to be able to get to these.

05:22.270 --> 05:27.820
But not only do I need to get to them, I need to get to them securely, and I need to get to them any time

05:27.820 --> 05:28.240
I want.

05:28.240 --> 05:34.450
So if I've got a couple of hundred different web app devices, I would like to sign on one time and be

05:34.450 --> 05:35.220
done with it.

05:35.380 --> 05:38.740
And that's where SAML really comes into play.

05:38.990 --> 05:46.390
SAML is designed really for web apps more than anything else, and it allows us as a single person at

05:46.390 --> 05:50.020
a single place to log into a whole bunch of different devices.

05:50.020 --> 05:53.400
So let me show you a little bit how SAML works.

05:53.410 --> 05:58.630
So here's my oil pipeline and we'll just put some devices here along the pipeline.

05:58.660 --> 06:04.210
All of these devices are accessible through my VPN to be able to get to them to do whatever I want to

06:04.210 --> 06:05.110
do.

06:05.110 --> 06:10.990
Now the trick here is I don't want to keep logging into this pump and that pump and that camera, and

06:10.990 --> 06:18.250
that's how SAML works. SAML starts off with having what we call an identity provider, so that's going

06:18.250 --> 06:23.000
to be a system somewhere that's connected out here that everybody can talk to.

06:23.170 --> 06:27.400
And what I will do is I will sign on to the identity provider.

06:27.550 --> 06:32.590
And then all of these individual web apps are going to be called service providers.

06:32.650 --> 06:40.270
So I can jump between any one of these, because the identity provider provides me with a token that allows

06:40.270 --> 06:43.710
me to log into any one of these different devices.

06:44.490 --> 06:51.040
Now showing you SAML at work is a little bit tricky, because the only time you're going to see SAML

06:51.090 --> 06:56.790
really working for a living is when you have people who have web apps that they want to really, really

06:56.790 --> 06:59.790
control, and they're going to go ahead and write a lot of code, and you know what?

06:59.790 --> 07:03.750
They don't tend to like people like me going in and actually working on this.

07:03.840 --> 07:09.090
But what I've got instead is this wonderful little company called SSOCircle. SSOCircle

07:09.150 --> 07:14.100
sells single sign on tool sets, and so they have a nice little demo.

07:14.100 --> 07:16.110
So let me show you how this guy works.

07:16.110 --> 07:19.790
So first of all, thank you, SSOCircle, for letting me play on your site.

07:19.830 --> 07:25.050
So what I'm going to do is, I've actually created an account already, and what I'm going to do is just

07:25.050 --> 07:27.980
log in, and here's my login.

07:27.990 --> 07:29.790
Now there's a lot of extra information here.

07:29.790 --> 07:35.350
Keep in mind, what they're doing is they're trying to sell packages for people who actually write SAML

07:35.460 --> 07:36.240
language.

07:36.240 --> 07:41.670
But what I want to show you that's actually kind of cool here is that I've gone ahead and logged in

07:41.880 --> 07:45.600
to the identity provider that's provided by SSOCircle.

07:45.700 --> 07:49.710
Now what they do that's really, really nice is they provide them.

07:50.130 --> 07:52.570
They provide all of the service providers.

07:52.590 --> 07:58.290
Now these service providers are just samples. They're examples of how logging in with SSOCircle allows

07:58.290 --> 08:00.570
you to log into other disparate websites.

08:00.600 --> 08:06.600
So I'm going to pick one here: Salesforce.com. Salesforce.com is a really, really popular

08:07.650 --> 08:09.840
site for use by salespeople and such,

08:10.020 --> 08:12.200
Customer Relationship Management tools.

08:12.240 --> 08:17.730
So what we're going to do here is, if I've got this working, and right now I've logged in to SSOCircle,

08:17.910 --> 08:25.140
it's just going to pop me over to one little place within Salesforce, a little discussion page. So let's

08:25.140 --> 08:28.770
see how this guy works.

08:28.780 --> 08:34.510
Now what you're seeing here is because SSOCircle wants to sell us this product.

08:34.630 --> 08:36.390
What it's doing is it's having you do a little

08:36.400 --> 08:37.560
I'm not a robot.

08:37.660 --> 08:40.420
Normally with SAML we would skip this, but we'll go ahead.

08:40.420 --> 08:41.480
Just click right on here.

08:43.360 --> 08:50.380
And if I did it right, ta-da, I am now automagically on a little discussion page within Salesforce.

08:50.380 --> 08:52.990
Notice that I didn't have to type in a username or a password.

08:52.990 --> 08:55.410
In fact, if I paid a little money I wouldn't even have to do that

08:55.410 --> 08:56.780
I'm not a robot thing.

08:56.950 --> 08:59.070
And that's the power of SAML.

08:59.080 --> 09:00.730
In fact take a look over here.

09:00.850 --> 09:05.240
Up in the upper right hand corner you see it says log out with SAML.

09:05.290 --> 09:07.960
I can actually, I'm already automatically logged in.

09:07.960 --> 09:10.310
That's the beautiful part about single sign on.

09:10.420 --> 09:17.660
But I could also log out of just this web app or I could log out of all web apps in one big shot.

09:17.710 --> 09:23.560
Now when we're talking about single sign on, especially for the exam, you need to think about what type

09:23.560 --> 09:26.160
of security needs you're going to need.

09:26.170 --> 09:31.480
For example, if we're talking about a local area network where you just want to be able to share folders

09:31.480 --> 09:35.150
and files, you're going to have to be using Windows Active Directory.

09:35.170 --> 09:38.380
Yes, there are other options, but Windows AD is dominant.

09:38.530 --> 09:44.350
But the moment you start talking about SCADA systems or anything that's widespread or all over the

09:44.350 --> 09:53.220
place, be sure to think SAML and you'll get it right on the exam.
