1
00:00:06,780 --> 00:00:09,770
- [Presenter] Suppose you have two separate applications.

2
00:00:09,770 --> 00:00:12,840
Application one and application two,

3
00:00:12,840 --> 00:00:16,150
both applications require user authentication,

4
00:00:16,150 --> 00:00:18,940
as demonstrated in the following example.

5
00:00:18,940 --> 00:00:23,450
In the figure, the user Derek first tries to connect

6
00:00:23,450 --> 00:00:25,370
to application one.

7
00:00:25,370 --> 00:00:29,280
Second, application one prompts Derek for authentication.

8
00:00:29,280 --> 00:00:33,030
Third, Derek authenticates to application one.

9
00:00:33,030 --> 00:00:37,340
Fourth, Derek wants to connect to application two.

10
00:00:37,340 --> 00:00:39,280
Fifth, Derek is then prompted

11
00:00:39,280 --> 00:00:41,950
to authenticate to application two,

12
00:00:41,950 --> 00:00:46,010
and sixth, Derek is authenticated to application two.

13
00:00:46,010 --> 00:00:49,350
As you can see, this is not very user-friendly.

14
00:00:49,350 --> 00:00:51,860
In most environments, you are accessing dozens

15
00:00:51,860 --> 00:00:54,770
of applications throughout an enterprise network

16
00:00:54,770 --> 00:00:58,120
or even applications hosted in the cloud.

17
00:00:58,120 --> 00:01:02,720
This is why single sign-on, or SSO, was created.

18
00:01:02,720 --> 00:01:04,570
This figure shows an example

19
00:01:04,570 --> 00:01:08,010
of a typical SSO implementation.

20
00:01:08,010 --> 00:01:09,000
Even though the steps

21
00:01:09,000 --> 00:01:11,210
in this figure are more elaborate

22
00:01:11,210 --> 00:01:14,600
than those in the previous figure,

23
00:01:14,600 --> 00:01:16,330
the user experience is better.

24
00:01:16,330 --> 00:01:19,610
This is because the user Derek only needs

25
00:01:19,610 --> 00:01:23,400
to authenticate once to application one,

26
00:01:23,400 --> 00:01:27,330
and then he can browse or access any other application

27
00:01:27,330 --> 00:01:30,680
that is a participant in the SSO implementation

28
00:01:30,680 --> 00:01:33,560
and that Derek is authorized to access.

29
00:01:33,560 --> 00:01:36,100
The concept of a centralized identity

30
00:01:36,100 --> 00:01:38,590
or linked identity is also referred to

31
00:01:38,590 --> 00:01:40,810
as federated identity.

32
00:01:40,810 --> 00:01:43,890
Federated identity systems handle authentication,

33
00:01:43,890 --> 00:01:47,040
authorization, user attributes exchange,

34
00:01:47,040 --> 00:01:49,930
and manage user management.

35
00:01:49,930 --> 00:01:53,960
The attributes exchange concept orchestrates data shared

36
00:01:53,960 --> 00:01:56,880
across different user management systems.

37
00:01:56,880 --> 00:02:00,880
The following attributes, like real name, may be present

38
00:02:00,880 --> 00:02:03,910
in multiple systems or applications.

39
00:02:03,910 --> 00:02:05,630
Federated identity systems

40
00:02:05,630 --> 00:02:08,513
counteract data duplication problems

41
00:02:08,513 --> 00:02:11,270
by linking the related attributes

42
00:02:11,270 --> 00:02:14,150
within all the elements that are participants

43
00:02:14,150 --> 00:02:16,310
of the SSO environment.

44
00:02:16,310 --> 00:02:19,280
SAML is used in SSO implementations.

45
00:02:19,280 --> 00:02:22,730
However, there are other identity technologies used

46
00:02:22,730 --> 00:02:24,530
in SSO implementations,

47
00:02:24,530 --> 00:02:28,240
such as OpenID Connect, Microsoft Account,

48
00:02:28,240 --> 00:02:32,490
formerly known as Passport, Facebook Connect, and others.

49
00:02:32,490 --> 00:02:36,380
SAML is an open standard for exchanging authentication

50
00:02:36,380 --> 00:02:40,160
and authorization data between identity providers.

51
00:02:40,160 --> 00:02:43,530
The following are several elements that are part

52
00:02:43,530 --> 00:02:47,890
of an SSO and federated identity implementation.

53
00:02:47,890 --> 00:02:51,660
Delegation: SSO implementations use delegation

54
00:02:51,660 --> 00:02:56,510
to call external APIs to authenticate and authorize users.

55
00:02:56,510 --> 00:03:00,190
Delegation is used to contain apps

56
00:03:00,190 --> 00:03:04,250
and services from having to store passwords

57
00:03:04,250 --> 00:03:06,630
and user information on site.

58
00:03:06,630 --> 00:03:11,220
Domain: a domain in an SSO environment is the network

59
00:03:11,220 --> 00:03:14,040
where all resources and users are linked

60
00:03:14,040 --> 00:03:15,970
to a centralized database.

61
00:03:15,970 --> 00:03:17,777
This is where all authentication

62
00:03:17,777 --> 00:03:19,640
and authorization occurs.

63
00:03:19,640 --> 00:03:21,090
Factor: you already learned

64
00:03:21,090 --> 00:03:23,400
about multifactor authentication.

65
00:03:23,400 --> 00:03:26,680
A factor in authentication is a vector

66
00:03:26,680 --> 00:03:29,340
through which identity can be confirmed.

67
00:03:29,340 --> 00:03:32,650
Federated identity management is a collection

68
00:03:32,650 --> 00:03:36,730
of shared protocols that allows user identities

69
00:03:36,730 --> 00:03:39,030
to be managed across organizations.

70
00:03:39,030 --> 00:03:42,650
Federation provider is an identity provider

71
00:03:42,650 --> 00:03:45,640
that offers single sign-on consistency

72
00:03:45,640 --> 00:03:49,240
in authorization practices, user management,

73
00:03:49,240 --> 00:03:51,670
and attributes exchange practices

74
00:03:51,670 --> 00:03:55,820
between identity providers and relying parties.

75
00:03:55,820 --> 00:03:58,020
A forest is a collection

76
00:03:58,020 --> 00:04:01,230
of domains managed by a centralized system.

77
00:04:01,230 --> 00:04:05,820
Identity provider, or IdP, is an application, website,

78
00:04:05,820 --> 00:04:09,320
or service responsible for coordinating identities

79
00:04:09,320 --> 00:04:11,600
between users and clients.

80
00:04:11,600 --> 00:04:16,600
IdPs can provide a user with identifying information

81
00:04:17,950 --> 00:04:20,690
and provide that information to services

82
00:04:20,690 --> 00:04:23,600
when the user requests access.

83
00:04:23,600 --> 00:04:25,830
Kerberos is a ticket-based protocol

84
00:04:25,830 --> 00:04:30,220
for authentication, built on symmetric-key encryption.

85
00:04:30,220 --> 00:04:33,600
Multitenancy is a term in computing architecture

86
00:04:33,600 --> 00:04:36,410
referring to the serving of many users

87
00:04:36,410 --> 00:04:40,040
or tenants from a single instance of an application.

88
00:04:40,040 --> 00:04:43,170
Software as a service, or SaaS, offerings

89
00:04:43,170 --> 00:04:46,520
are examples of multitenancy.

90
00:04:46,520 --> 00:04:50,980
They exist as a single instance, but have dedicated shares

91
00:04:50,980 --> 00:04:54,020
served to many companies and teams.

92
00:04:54,020 --> 00:04:57,950
OAuth is an open standard for authorization,

93
00:04:57,950 --> 00:05:02,950
used by many APIs and modern applications.

94
00:05:03,570 --> 00:05:07,820
OpenID, or OpenID Connect, is another open standard

95
00:05:07,820 --> 00:05:09,260
for authentication.

96
00:05:09,260 --> 00:05:12,340
OpenID Connect allows third-party services

97
00:05:12,340 --> 00:05:16,020
to authenticate users without clients needing

98
00:05:16,020 --> 00:05:19,780
to collect, store, and subsequently become liable

99
00:05:19,780 --> 00:05:23,150
for a user's login information.

100
00:05:23,150 --> 00:05:27,480
Passwordless is a type of authentication based on tokens.

101
00:05:27,480 --> 00:05:30,530
Passwordless authentication challenges

102
00:05:30,530 --> 00:05:33,950
are typically received and sent through SMS,

103
00:05:33,950 --> 00:05:37,360
email, or biometric sensors.

104
00:05:37,360 --> 00:05:41,190
Social identity provider, or social IdP, is a type

105
00:05:41,190 --> 00:05:44,810
of identity provider originating in social services

106
00:05:44,810 --> 00:05:48,310
like Google, Facebook, and Twitter.

107
00:05:48,310 --> 00:05:51,440
With web identity, this is identifying data

108
00:05:51,440 --> 00:05:54,610
typically obtained from an HTTP request.

109
00:05:54,610 --> 00:05:56,040
Often these are retrieved

110
00:05:56,040 --> 00:05:59,430
from an authenticated email address.

111
00:05:59,430 --> 00:06:02,490
Windows Identity is how Active Directory

112
00:06:02,490 --> 00:06:06,300
in Microsoft Windows environments organizes user information,

113
00:06:07,380 --> 00:06:12,150
and WS-Federation is a common infrastructure

114
00:06:12,150 --> 00:06:16,080
federated standard for identity used by web services

115
00:06:16,080 --> 00:06:19,060
and browsers on Windows Identity Foundation.

116
00:06:19,060 --> 00:06:22,130
Windows Identity Foundation is a framework created

117
00:06:22,130 --> 00:06:26,003
by Microsoft for building identity-aware applications.