Single Sign-On with Federated Services Part 1

Time
7 hours 50 minutes
Difficulty
Beginner
CEU/CPE
8
Video Transcription
Just the way Kerberos helps us administer a numeric that makes life much easier for users by having that single sign-on, we can certainly see how the same concept, if extended outside our domain and across the Internet, how tremendous would it be to only have one set of passwords and credentials for all the resources you access on the Internet. With that being said, certainly we have to go back and look at some of the problems with Kerberos. If your one set of credentials is compromised, then the attacker has access to everything. If we can control this process, secure passwords, and provide a single point of entry, then that's going to make life much easier for both administrators and users.

When we do talk about bringing this idea of single sign-on outside our domain, we've got to look at a couple of technologies. One that's most common today is called SAML, that stands for Security Association Markup Language.

I want you to think about a scenario where a college student has signed up for college and they're ready for the first day. They come in and they're ready to get their books from the library. They immediately go in and register and sign up at the school. They pay their money and are in. The next thing the student does is go to the library and say, I'm a college student, I need some books. The library says, we don't know who you are. The student can bring out a driver's license, but that doesn't prove that he's part of the school. What he needs is something that he can show the library, that he's a valid, legitimate student. The library says, you need to go to the student center, get your school ID, and then come back to us. The student leaves the library, goes to the student center, and shows his paperwork. They find his name, he provides his identification, and he has a badge. That badge not only says this is John Smith, but it also says, this is John Smith, who is a legitimate student here at ABC College. Now that he has his badge, he goes back to the library, shows his badge, and the library gives him his books. That badge may have additional information, things like his major, so the library pulls a set of books for the biology department for the student. What information is on the badge can really change and be very helpful.

What we have here is the idea that once my student gets a student ID, they can go to the library or the cafeteria to purchase meals. Many entities are going to accept the student badge. Everything on the college campus is going to accept that student badge as proof that they're enrolled in the school and can prove their identity.

Now let's say that Uber in town has decided that they want to increase their business with students. They work up something with the university that students can share their school ID and Uber will spill a student account. That requires a trust between Uber and the school. Then all of a sudden, this one piece of authentication, the student badge, is now not just used within that domain, but now for any organization that's going to allow a trusting relationship. The student can use that student center badge for billing, for identification, maybe even participating in the laundromat. The potential for this is really tremendous.

This is what we're trying to achieve when we bring in federated services and use SAML or something called OpenID Connect. What has to happen is a trusting relationship has to be built between the organizations that offer services and the organization that provides the identifying information, that student badge. That's called a federated trust. We can have trust in an internal environment. Then taking that and expanding it beyond, that's going to require this federated trust. That's exactly what SAML does and is a part of the role that SAML serves. A network administrator is going to go and set up a trust with an organization or going to provide an identity provider. Then there are going to be service providers that provide services.

Ultimately, when this works with SAML, a user goes to access a specific web application. Let's say you are trying to access their account in Office 365 or maybe a corporate account on Salesforce or Webex. I'm going to go authenticate and say I'm kellyhanderhan@abc.com, then the application is going to redirect my web browser. Because they're on abc.com, you need to authenticate with your own organization. Basically, I'm redirected to my identity provider. That can be an internal service that we set up within our organization. It can be provided to us from an identity service provider, if you're familiar with Ping. When I authenticate myself to the identity provider, in exchange they issue me a SAML token. I'm redirected back to the original application I was trying to access. Now my web across comes in, but it has a token. The trust has already been established by my administrator. The application says, I'll take your token. Now, you're allowed to access whatever you need to access. That token is stored as part of the session cookie with the browser, so that I don't have to keep doing that again and again for every single service request.

Basically, SAML is going to use a series of redirects and require a token from an identity provider. That token from the identity provider is going to go across a federated trust and be sent to a service provider. SAML is slowly being replaced with something called OpenID Connect, another service provider. With SAML being bloated, we're looking to replace it with something called OpenID Connect.