Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated:
1
00:00:00,790 --> 00:00:06,340
This lecture is an extension of the identity and access management concepts that were discussed in the
2
00:00:06,340 --> 00:00:08,710
previous two lectures. In this lecture,
3
00:00:08,740 --> 00:00:12,060
we are going to discuss Identity Federation, an interesting concept.
4
00:00:12,940 --> 00:00:17,950
So when you go to a new website and you want to sign up, you are sometimes given two options.
5
00:00:17,950 --> 00:00:23,710
You can either create a new account or you can use your existing Gmail or Facebook account to login.
6
00:00:24,340 --> 00:00:26,980
Now that's powered by Identity Federation.
7
00:00:27,460 --> 00:00:33,820
Identity Federation provides the framework under which two different entities can establish trust relationships
8
00:00:34,330 --> 00:00:37,440
so that you don't have to create multiple redundant accounts.
9
00:00:37,810 --> 00:00:43,630
Before we delve into details of how Identity Federation works, let's first see how traditional token
10
00:00:43,630 --> 00:00:44,910
based authentication works.
11
00:00:45,340 --> 00:00:51,520
So let's say you are a user, you want to log into a server, so you send your credentials and if your
12
00:00:51,520 --> 00:00:58,240
login credentials are approved, the server creates an authentication success reply message and includes
13
00:00:58,240 --> 00:01:00,550
a token along with that message.
14
00:01:01,210 --> 00:01:05,980
So once the user has this token, he does not need to provide his credentials again and again.
15
00:01:06,190 --> 00:01:09,490
He'll simply include this token in subsequent requests,
16
00:01:09,910 --> 00:01:14,380
and based on this token, the server can authenticate whether it is the legitimate user or not.
17
00:01:15,670 --> 00:01:20,830
So this is how, by using a token, we avoid exchanging credentials again and again.
18
00:01:21,250 --> 00:01:25,660
An important concept, which we must understand is that tokens are short lived.
19
00:01:25,660 --> 00:01:30,970
We cannot have a token which stays there for weeks and months from a security point of view.
20
00:01:31,000 --> 00:01:35,140
This can create some serious problems. So, in order to avoid these problems,
21
00:01:35,410 --> 00:01:40,390
tokens are short lived and they are regenerated by the server within the same session.
22
00:01:40,900 --> 00:01:45,850
So every few minutes or every few hours, depending on the context, the server would simply generate
23
00:01:45,850 --> 00:01:50,840
a new token, send it to the client again and the client would subsequently use the token.
24
00:01:51,580 --> 00:01:55,210
Now, this is how traditional token based authentication works.
25
00:01:57,330 --> 00:02:03,000
So as you see in the figure, sometimes when you visit a Web application or a site, you can either
26
00:02:03,000 --> 00:02:09,030
provide their own customized account information or you can log in using your existing Facebook, Gmail
27
00:02:09,330 --> 00:02:10,199
or LinkedIn account.
28
00:02:10,229 --> 00:02:16,020
So this is all powered by Identity Federation, whose main idea is to use credentials from one account
29
00:02:16,020 --> 00:02:18,130
to log on to multiple systems.
30
00:02:18,810 --> 00:02:23,580
The key motivation is that, you know, if we have systems which trust each other, why should we create
31
00:02:23,580 --> 00:02:24,880
multiple redundant accounts?
32
00:02:25,500 --> 00:02:30,990
So this creates unnecessary burden on the user because they accumulate a lot of different credentials
33
00:02:30,990 --> 00:02:34,810
for different accounts and this creates a higher possibility of leakage.
34
00:02:35,700 --> 00:02:41,310
So if those systems, they trust each other, we can simply leverage one account to spin off on to other
35
00:02:41,310 --> 00:02:41,880
systems.
36
00:02:42,400 --> 00:02:47,040
This makes it easy for the user to simply remember the credentials for one single account.
37
00:02:48,330 --> 00:02:49,790
Gmail is a popular example.
38
00:02:49,800 --> 00:02:52,110
A lot of different Web applications around the world,
39
00:02:52,120 --> 00:02:57,270
they allow you to log into the systems if you have an existing Gmail account,
40
00:02:57,270 --> 00:02:59,480
because they have a trust relationship with Gmail.
41
00:03:01,590 --> 00:03:07,470
The key motivation is, again, that we want to avoid creating multiple accounts and in order to avoid
42
00:03:07,470 --> 00:03:10,140
managing multiple identity and access management systems.
43
00:03:12,050 --> 00:03:18,140
Let's see how the identity federation flow works, so let's say you have an existing Gmail account
44
00:03:18,860 --> 00:03:20,990
and you want to log into a new website.
45
00:03:21,000 --> 00:03:23,800
So that new website is the service provider.
46
00:03:23,810 --> 00:03:29,840
So you want to access a new service and you have an account on Gmail and since you will be using that
47
00:03:29,840 --> 00:03:30,200
account.
48
00:03:30,230 --> 00:03:37,760
So Gmail would be the identity provider in this example and the service provider and the identity provider
49
00:03:37,760 --> 00:03:38,110
Gmail.
50
00:03:38,120 --> 00:03:40,140
In this case, they have a trust relationship.
51
00:03:41,150 --> 00:03:43,970
So what happens is that a user sends a login request.
52
00:03:44,480 --> 00:03:49,970
But since the service provider is allowing you to use identity federation, so it is simply going to
53
00:03:49,970 --> 00:03:53,780
forward your authentication request to the identity provider, which is Gmail.
54
00:03:54,880 --> 00:04:02,890
Now, Gmail is going to redirect you to the login page of Gmail so that you can login. So once you login
55
00:04:02,890 --> 00:04:09,170
and your login credentials are approved by Gmail, Gmail is going to create a token, which is the SAML
56
00:04:09,220 --> 00:04:11,560
token (Security Assertion Markup Language).
57
00:04:11,750 --> 00:04:13,140
We're going to discuss that later.
58
00:04:13,570 --> 00:04:15,300
But the basic idea is still the same.
59
00:04:15,760 --> 00:04:22,210
Instead of token generation by the service provider, as we discussed in traditional token based authentication
60
00:04:22,210 --> 00:04:22,880
mechanisms,
61
00:04:23,290 --> 00:04:28,300
this time, your identity provider, Gmail, is creating this token and sending it to the service provider.
62
00:04:28,930 --> 00:04:33,790
So once this step is completed, the service provider now knows that you are a legitimate Gmail user
63
00:04:34,000 --> 00:04:36,960
and since it trusts Gmail, that's why you're in.
64
00:04:37,240 --> 00:04:40,540
So the login is considered successful on the service provider.
65
00:04:43,370 --> 00:04:48,920
So single Sign-on is a subset of identity federation, but the difference is that we're not talking about
66
00:04:48,920 --> 00:04:50,080
a single organization.
67
00:04:50,630 --> 00:04:56,120
So within your organization, if you have multiple applications or systems running, you can use one
68
00:04:56,120 --> 00:05:01,070
set of credentials or one login to access all those different applications or systems.
69
00:05:01,370 --> 00:05:06,530
An example could be you can log in once and then access your e-mail system, your enterprise management
70
00:05:06,530 --> 00:05:07,480
system and so on.
71
00:05:08,240 --> 00:05:12,860
The basic idea is still the same, to leverage one account to access multiple services.
72
00:05:14,640 --> 00:05:20,940
Now, this warrants a discussion on the difference between identity federation and single sign-on. To
73
00:05:20,940 --> 00:05:21,460
start with,
74
00:05:21,480 --> 00:05:23,090
both are similar concepts.
75
00:05:23,550 --> 00:05:27,630
In fact, Single Sign-on is a subset of identity federation.
76
00:05:28,260 --> 00:05:33,510
Now identity federation is more general in nature, and it is usually between organizations.
77
00:05:33,810 --> 00:05:37,770
In contrast, when we discuss Single Sign-on, we are talking about one organisation.
78
00:05:38,260 --> 00:05:43,530
So we're discussing access to multiple applications or systems within the same organization.
79
00:05:45,140 --> 00:05:51,200
Another point to note is that Single Single Sign-on focuses exclusively on just signing and whereas Identity
80
00:05:51,200 --> 00:05:52,880
Federation is more generic.
81
00:05:54,910 --> 00:06:01,420
Let's have a look at some of the protocols used in identity federation, so the first is SAML(Security
82
00:06:01,420 --> 00:06:02,980
Assertion Markup Language).
83
00:06:03,370 --> 00:06:06,040
It's a standard for single sign on implementation.
84
00:06:06,280 --> 00:06:11,940
And the basic service that it provides is authentication between two parties. Next is OAuth, which is
85
00:06:11,950 --> 00:06:14,410
a standard for authorisation between two parties.
86
00:06:14,860 --> 00:06:20,110
It authorizes service devices and space to run applications on behalf of others.
87
00:06:22,790 --> 00:06:28,050
Finally, we have OIDC, which is again a standard for single sign on implementations.
88
00:06:28,700 --> 00:06:32,140
The interesting point about it is that it is built on top of OAuth.
89
00:06:33,860 --> 00:06:39,080
Let's have a look at some of the commercial products used for single sign on. So the two giants in this
90
00:06:39,080 --> 00:06:41,510
category are Okta and AWS Cognito.
91
00:06:41,960 --> 00:06:46,250
Both provide similar services to both provide single sign on.
92
00:06:46,460 --> 00:06:48,890
Both support multifactor authentication.
93
00:06:49,580 --> 00:06:54,700
They also support implementation and enforcing of organizational policies on AM.
94
00:06:55,430 --> 00:06:58,700
The main difference is between how they structure their prices.
95
00:06:59,330 --> 00:07:05,930
So, for example, for Okta, we have the first 7000 users who are free and then the single sign on
96
00:07:05,930 --> 00:07:08,780
service costs two dollars per user per month.
97
00:07:09,410 --> 00:07:14,780
With Cognito, we get up to 50000 free users, so that's substantially more than Okta.
98
00:07:15,620 --> 00:07:21,410
And then the single sign on cost is two hundred seventy five dollars for every 50000 additional users
99
00:07:21,410 --> 00:07:22,010
per month.
100
00:07:23,240 --> 00:07:28,880
So both are well-known and stable solutions, and which one to prefer actually depends on the context
101
00:07:28,880 --> 00:07:31,220
of your organization and business products.
102
00:07:31,970 --> 00:07:33,200
That concludes our lecture.
103
00:07:33,380 --> 00:07:34,580
I'll see you in the next one.
11126
Can't find what you're looking for?
Get subtitles in any language from opensubtitles.com, and translate them here.