All language subtitles for 006 Identity Federation_en

af Afrikaans
sq Albanian
am Amharic
ar Arabic
hy Armenian
az Azerbaijani
eu Basque
be Belarusian
bn Bengali
bs Bosnian
bg Bulgarian
ca Catalan
ceb Cebuano
ny Chichewa
zh-CN Chinese (Simplified)
zh-TW Chinese (Traditional)
co Corsican
hr Croatian
cs Czech
da Danish
nl Dutch
en English
eo Esperanto
et Estonian
tl Filipino
fi Finnish
fr French
fy Frisian
gl Galician
ka Georgian
de German
el Greek
gu Gujarati
ht Haitian Creole
ha Hausa
haw Hawaiian
iw Hebrew
hi Hindi
hmn Hmong
hu Hungarian
is Icelandic
ig Igbo
id Indonesian
ga Irish
it Italian
ja Japanese
jw Javanese
kn Kannada
kk Kazakh
km Khmer
ko Korean
ku Kurdish (Kurmanji)
ky Kyrgyz
lo Lao
la Latin
lv Latvian
lt Lithuanian
lb Luxembourgish
mk Macedonian
mg Malagasy
ms Malay
ml Malayalam
mt Maltese
mi Maori
mr Marathi
mn Mongolian
my Myanmar (Burmese)
ne Nepali
no Norwegian
ps Pashto
fa Persian
pl Polish
pt Portuguese
pa Punjabi
ro Romanian
ru Russian
sm Samoan
gd Scots Gaelic
sr Serbian
st Sesotho
sn Shona
sd Sindhi
si Sinhala
sk Slovak
sl Slovenian
so Somali
es Spanish Download
su Sundanese
sw Swahili
sv Swedish
tg Tajik
ta Tamil
te Telugu
th Thai
tr Turkish
uk Ukrainian
ur Urdu
uz Uzbek
vi Vietnamese
cy Welsh
xh Xhosa
yi Yiddish
yo Yoruba
zu Zulu
or Odia (Oriya)
rw Kinyarwanda
tk Turkmen
tt Tatar
ug Uyghur
Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,790 --> 00:00:06,340 This lecture is an extension of the identity and access management concepts that were discussed in the 2 00:00:06,340 --> 00:00:08,710 previous two lectures. In this lecture, 3 00:00:08,740 --> 00:00:12,060 we are going to discuss Identity Federation, an interesting concept. 4 00:00:12,940 --> 00:00:17,950 So when you go to a new website and you want to sign up, you are sometimes given two options. 5 00:00:17,950 --> 00:00:23,710 You can either create a new account or you can use your existing Gmail or Facebook account to login. 6 00:00:24,340 --> 00:00:26,980 Now that's powered by Identity Federation. 7 00:00:27,460 --> 00:00:33,820 Identity Federation provides the framework under which two different entities can establish trust relationships 8 00:00:34,330 --> 00:00:37,440 so that you don't have to create multiple redundant accounts. 9 00:00:37,810 --> 00:00:43,630 Before we delve into details of how Identity Federation works, let's first see how traditional token 10 00:00:43,630 --> 00:00:44,910 based authentication works. 11 00:00:45,340 --> 00:00:51,520 So let's say you are a user, you want to log into a server, so you send your credentials and if your 12 00:00:51,520 --> 00:00:58,240 login credentials are approved, the server creates an authentication success reply message and includes 13 00:00:58,240 --> 00:01:00,550 a token along with that message. 14 00:01:01,210 --> 00:01:05,980 So once the user has this token, he does not need to provide his credentials again and again. 15 00:01:06,190 --> 00:01:09,490 He'll simply include this token in subsequent requests, 16 00:01:09,910 --> 00:01:14,380 and based on this token, the server can authenticate whether it is the legitimate user or not. 17 00:01:15,670 --> 00:01:20,830 So this is how, by using a token, we avoid exchanging credentials again and again. 18 00:01:21,250 --> 00:01:25,660 An important concept, which we must understand is that tokens are short lived. 19 00:01:25,660 --> 00:01:30,970 We cannot have a token which stays there for weeks and months from a security point of view. 20 00:01:31,000 --> 00:01:35,140 This can create some serious problems. So, in order to avoid these problems, 21 00:01:35,410 --> 00:01:40,390 tokens are short lived and they are regenerated by the server within the same session. 22 00:01:40,900 --> 00:01:45,850 So every few minutes or every few hours, depending on the context, the server would simply generate 23 00:01:45,850 --> 00:01:50,840 a new token, send it to the client again and the client would subsequently use the token. 24 00:01:51,580 --> 00:01:55,210 Now, this is how traditional token based authentication works. 25 00:01:57,330 --> 00:02:03,000 So as you see in the figure, sometimes when you visit a Web application or a site, you can either 26 00:02:03,000 --> 00:02:09,030 provide their own customized account information or you can log in using your existing Facebook, Gmail 27 00:02:09,330 --> 00:02:10,199 or LinkedIn account. 28 00:02:10,229 --> 00:02:16,020 So this is all powered by Identity Federation, whose main idea is to use credentials from one account 29 00:02:16,020 --> 00:02:18,130 to log on to multiple systems. 30 00:02:18,810 --> 00:02:23,580 The key motivation is that, you know, if we have systems which trust each other, why should we create 31 00:02:23,580 --> 00:02:24,880 multiple redundant accounts? 32 00:02:25,500 --> 00:02:30,990 So this creates unnecessary burden on the user because they accumulate a lot of different credentials 33 00:02:30,990 --> 00:02:34,810 for different accounts and this creates a higher possibility of leakage. 34 00:02:35,700 --> 00:02:41,310 So if those systems, they trust each other, we can simply leverage one account to spin off on to other 35 00:02:41,310 --> 00:02:41,880 systems. 36 00:02:42,400 --> 00:02:47,040 This makes it easy for the user to simply remember the credentials for one single account. 37 00:02:48,330 --> 00:02:49,790 Gmail is a popular example. 38 00:02:49,800 --> 00:02:52,110 A lot of different Web applications around the world, 39 00:02:52,120 --> 00:02:57,270 they allow you to log into the systems if you have an existing Gmail account, 40 00:02:57,270 --> 00:02:59,480 because they have a trust relationship with Gmail. 41 00:03:01,590 --> 00:03:07,470 The key motivation is, again, that we want to avoid creating multiple accounts and in order to avoid 42 00:03:07,470 --> 00:03:10,140 managing multiple identity and access management systems. 43 00:03:12,050 --> 00:03:18,140 Let's see how the identity federation flow works, so let's say you have an existing Gmail account 44 00:03:18,860 --> 00:03:20,990 and you want to log into a new website. 45 00:03:21,000 --> 00:03:23,800 So that new website is the service provider. 46 00:03:23,810 --> 00:03:29,840 So you want to access a new service and you have an account on Gmail and since you will be using that 47 00:03:29,840 --> 00:03:30,200 account. 48 00:03:30,230 --> 00:03:37,760 So Gmail would be the identity provider in this example and the service provider and the identity provider 49 00:03:37,760 --> 00:03:38,110 Gmail. 50 00:03:38,120 --> 00:03:40,140 In this case, they have a trust relationship. 51 00:03:41,150 --> 00:03:43,970 So what happens is that a user sends a login request. 52 00:03:44,480 --> 00:03:49,970 But since the service provider is allowing you to use identity federation, so it is simply going to 53 00:03:49,970 --> 00:03:53,780 forward your authentication request to the identity provider, which is Gmail. 54 00:03:54,880 --> 00:04:02,890 Now, Gmail is going to redirect you to the login page of Gmail so that you can login. So once you login 55 00:04:02,890 --> 00:04:09,170 and your login credentials are approved by Gmail, Gmail is going to create a token, which is the SAML 56 00:04:09,220 --> 00:04:11,560 token (Security Assertion Markup Language). 57 00:04:11,750 --> 00:04:13,140 We're going to discuss that later. 58 00:04:13,570 --> 00:04:15,300 But the basic idea is still the same. 59 00:04:15,760 --> 00:04:22,210 Instead of token generation by the service provider, as we discussed in traditional token based authentication 60 00:04:22,210 --> 00:04:22,880 mechanisms, 61 00:04:23,290 --> 00:04:28,300 this time, your identity provider, Gmail, is creating this token and sending it to the service provider. 62 00:04:28,930 --> 00:04:33,790 So once this step is completed, the service provider now knows that you are a legitimate Gmail user 63 00:04:34,000 --> 00:04:36,960 and since it trusts Gmail, that's why you're in. 64 00:04:37,240 --> 00:04:40,540 So the login is considered successful on the service provider. 65 00:04:43,370 --> 00:04:48,920 So single Sign-on is a subset of identity federation, but the difference is that we're not talking about 66 00:04:48,920 --> 00:04:50,080 a single organization. 67 00:04:50,630 --> 00:04:56,120 So within your organization, if you have multiple applications or systems running, you can use one 68 00:04:56,120 --> 00:05:01,070 set of credentials or one login to access all those different applications or systems. 69 00:05:01,370 --> 00:05:06,530 An example could be you can log in once and then access your e-mail system, your enterprise management 70 00:05:06,530 --> 00:05:07,480 system and so on. 71 00:05:08,240 --> 00:05:12,860 The basic idea is still the same, to leverage one account to access multiple services. 72 00:05:14,640 --> 00:05:20,940 Now, this warrants a discussion on the difference between identity federation and single sign-on. To 73 00:05:20,940 --> 00:05:21,460 start with, 74 00:05:21,480 --> 00:05:23,090 both are similar concepts. 75 00:05:23,550 --> 00:05:27,630 In fact, Single Sign-on is a subset of identity federation. 76 00:05:28,260 --> 00:05:33,510 Now identity federation is more general in nature, and it is usually between organizations. 77 00:05:33,810 --> 00:05:37,770 In contrast, when we discuss Single Sign-on, we are talking about one organisation. 78 00:05:38,260 --> 00:05:43,530 So we're discussing access to multiple applications or systems within the same organization. 79 00:05:45,140 --> 00:05:51,200 Another point to note is that Single Single Sign-on focuses exclusively on just signing and whereas Identity 80 00:05:51,200 --> 00:05:52,880 Federation is more generic. 81 00:05:54,910 --> 00:06:01,420 Let's have a look at some of the protocols used in identity federation, so the first is SAML(Security 82 00:06:01,420 --> 00:06:02,980 Assertion Markup Language). 83 00:06:03,370 --> 00:06:06,040 It's a standard for single sign on implementation. 84 00:06:06,280 --> 00:06:11,940 And the basic service that it provides is authentication between two parties. Next is OAuth, which is 85 00:06:11,950 --> 00:06:14,410 a standard for authorisation between two parties. 86 00:06:14,860 --> 00:06:20,110 It authorizes service devices and space to run applications on behalf of others. 87 00:06:22,790 --> 00:06:28,050 Finally, we have OIDC, which is again a standard for single sign on implementations. 88 00:06:28,700 --> 00:06:32,140 The interesting point about it is that it is built on top of OAuth. 89 00:06:33,860 --> 00:06:39,080 Let's have a look at some of the commercial products used for single sign on. So the two giants in this 90 00:06:39,080 --> 00:06:41,510 category are Okta and AWS Cognito. 91 00:06:41,960 --> 00:06:46,250 Both provide similar services to both provide single sign on. 92 00:06:46,460 --> 00:06:48,890 Both support multifactor authentication. 93 00:06:49,580 --> 00:06:54,700 They also support implementation and enforcing of organizational policies on AM. 94 00:06:55,430 --> 00:06:58,700 The main difference is between how they structure their prices. 95 00:06:59,330 --> 00:07:05,930 So, for example, for Okta, we have the first 7000 users who are free and then the single sign on 96 00:07:05,930 --> 00:07:08,780 service costs two dollars per user per month. 97 00:07:09,410 --> 00:07:14,780 With Cognito, we get up to 50000 free users, so that's substantially more than Okta. 98 00:07:15,620 --> 00:07:21,410 And then the single sign on cost is two hundred seventy five dollars for every 50000 additional users 99 00:07:21,410 --> 00:07:22,010 per month. 100 00:07:23,240 --> 00:07:28,880 So both are well-known and stable solutions, and which one to prefer actually depends on the context 101 00:07:28,880 --> 00:07:31,220 of your organization and business products. 102 00:07:31,970 --> 00:07:33,200 That concludes our lecture. 103 00:07:33,380 --> 00:07:34,580 I'll see you in the next one. 11126

Can't find what you're looking for?
Get subtitles in any language from opensubtitles.com, and translate them here.