Single Sign-On

CompTIA Security+ Certification (SY0-501) Chapter 3 - Identity and Access Management

Transcript

We live in a world where we, as individuals, want to access lots and lots of computers. I mean, just think about this in your normal browsing life: you go to all kinds of different websites, and those are actual computers. And you have to access them. Now, the web might be a little bit of a tricky one, because the web is a public kind of tool. But we can trivially add usernames and passwords to any website that we want to; people don't do it very often, but you can. Let's take a better example.

Let's talk about a local area network. So here at Total Seminars, we've got lots and lots of computers and people are sharing stuff, and we've got servers and printers and all kinds of things that I as an individual want to be able to access. In a typical Windows workgroup, what we do is... well, here's an example: we've got three or four computers, we've got a printer, and whatever it might be. Now each one of these hosts has its own username and password list, and it works great. The challenge is that to access one computer, I have to have a username and password on that computer that I can log in with.

If I want to access another computer, it may have a different username and password. So Windows workgroups, which have been around now for over 30 years, work very, very well. And we can go ahead and log into these individual computers. But once in a while, you want to start logging into a lot of computers at once: you want to go to this computer and that computer, and after a while you start going, I can't remember all these passwords. So one thing you can do is cheat. If we take a look at this example one more time, what I could do is put the same username and password on every single one of these computers on my local area network.

And that way, I don't have to log in every time, because once I log into my computer, it will in essence carry that authentication information to each one of these other computers. And they'll always think that I have a user called Timmy with a password of 1234. That is not a good idea; it is a very dangerous security issue and it is a big problem. So what can we do instead? Well, what we can do is single sign-on. The idea behind single sign-on is that I log in once to something, and then everything else I need to get to, I'm automatically logged into.

Now single sign-on is a great idea. But it works differently depending on how you're talking about it. So let's start with the most classic, and that is single sign-on on a local area network. To do that, we're going to have to use Windows Active Directory. Now Windows Active Directory has been around forever, and it is the gold standard when it comes to single sign-on tools

for local area networks. It actually works for more than local area networks, but we'll keep it simple for the moment. So with Active Directory, what I have to first do is go purchase a copy of Windows Server and install that into my network. And in theory, it looks something like this. So here's my Windows Server with all these other computers. Now once I establish a domain, as we call it in the Windows world, we then have all of these other computers join this domain.

Now, we do this by having an administrator actually go to each computer and go through a process of having them join the domain. So somebody in a high-trust position has to actually go through and connect each one of these individual computers to the domain, one at a time. Now once that's done, we in essence have created a trust situation. Because I as an administrator have gone to each computer and said join this domain, we have what are known as federated systems; when you hear the word federated, think trust. So there is an implicit trust that has been developed there simply because Microsoft has a proprietary authentication mechanism based on Kerberos. But the bottom line is that we now have trust.

Now, if you're going to be doing single sign-on in a local area network, odds are good you're going to be using Active Directory. Even if you have Apple systems, even if you have Linux systems, those can use Windows file sharing, or if it's Linux, we can use Samba. And all of these can be configured to join a local domain, which is actually cool. I can't tell you how many big systems you have out there where the researchers have really got 1500 Linux boxes, and they still have a Windows Active Directory on there, simply because it's easier from a maintenance standpoint to be able to do single sign-on. So when you're talking about LANs, you really are talking about Active Directory as the single sign-on tool. Now there is another type of single sign-on, and this is completely different.

And it's based on something called SAML. Let me give you a scenario. Let's say I'm running, well, I live in Texas, so we're running an oil pipeline. And on this oil pipeline, we've got lots of pumps and thermometers and cameras and all kinds of stuff, hundreds of little devices, and we've developed web apps for these devices so that I can turn pumps on, turn pumps off, whatever it might be. Now, just because these are web apps, don't go thinking they're public.

They're well protected: usernames, passwords, all kinds of stuff. It's not easy; hopefully, it's basically impossible for the public to get to. But I, as the operator of all these pumps and everything, need to be able to get to these. But not only do I need to get to them, I need to get to them securely, and I need to get to them anytime I want.

So if I've got a couple of hundred different web app devices, I would like to sign on one time and be done with it. And that's where SAML really comes into play. SAML is designed really for web apps more than anything else. And it allows us as a single person at a single place to log into a whole bunch of different devices. So let me show you a little bit how SAML works. So here's my oil pipeline, and we'll just put some devices here along the pipeline.

All of these devices are accessible through my VPN, to be able to get to them to do whatever I want to do. Now, the trick here is, I don't want to keep logging into this pump and that pump and that camera. And that's how SSO works. SAML starts off with having what we call an identity provider. So that's going to be a system somewhere that's connected out here that everybody can talk to. And what I will do is I will sign on to the identity provider.

And then all of these individual web apps are going to be called service providers. So I can jump between any one of these, because the identity provider provides me with a token that allows me to log into any one of these different devices. Now showing you SAML at work is a little bit tricky, because the only time you're going to see SAML really working for a living is when you have people who have web apps that they want to really, really control, and they're going to go ahead and write a lot of code, and you know what, they don't tend to like people like me going in and actually working on this. But what I've got instead is this wonderful little company called SSOCircle. SSOCircle sells single sign-on tool sets. And so they have a nice little demo.

So let me show you how this guy works. So first of all, thank you SSOCircle for letting me play on your site. So what I'm going to do is, I've actually created an account already, and what I'm going to do is just log in. And here's my login. Now there's a lot of extra information here.

Keep in mind, what they're doing is they're trying to sell packages for people who actually write SAML. But what I want to show you that's actually kind of cool here is that I've gone ahead and logged in to the identity provider that's provided by SSOCircle. Now, what they do that's really, really nice is they provide, let me go... they provide all of these service providers. Now these service providers are just samples. They're examples of how logging in with SSOCircle allows you to log into other disparate websites.

So I'm going to pick one here; here's salesforce.com. Salesforce.com is really, really popular; it's for use by salespeople and stuff, customer relationship management tools. So what we're going to do here is, if I've got this working right, now that I've logged into SSOCircle, it's just gonna pop me over to one little place within Salesforce, like a little discussion page. So let's see how this guy works. Now, what you're seeing here is, because SSOCircle wants to sell us these products, what it's doing is it's having you do a little I'm-not-a-robot. Normally with SAML, we would skip this, but we'll go ahead and just click right on here. And if I've done it right, tada, I am now automagically

on a little discussion page within Salesforce. Notice that I didn't have to type in a username or a password. In fact, if I paid a little money, I wouldn't even have to do that I'm-not-a-robot thing. And that's the power of SAML. In fact, take a look over here, up in the upper right-hand corner, you see where it says log out. With SAML, I can actually... I'm already automatically logged in. That's the beautiful part about single sign-on.

But I could also log out of just this web app, or I could log out of all web apps in one big shot. Now, when we're talking about single sign-on, especially for the exam, you need to think about what type of security needs you're going to have. For example, if we're talking about a local area network, where you just want to be able to share folders and files, you're going to have to be using Windows Active Directory. Yes, there are other options, but Windows AD is dominant. But the moment you start talking about scalable systems or anything that's widespread or all over the place, be sure to think SAML, and you'll get it right on the exam.
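The identity-provider / service-provider exchange the lecture describes, as an added worked example that is not part of the lecture, the exam material, or SSOCircle's demo. It is a simplified model rather than real SAML: the assertion is a JSON document signed with HMAC-SHA256 under a key shared by the IdP and every SP (standing in for the IdP's X.509 signing certificate and XML-DSig), and the pipeline devices, usernames, passwords and keys are constructed for the example. What it shows beyond the narration is the set of checks a service provider has to perform before it trusts a token it did not issue itself: signature, issuer, audience, validity window, and one-time use of the assertion ID.

```python
# Added example (not from the lecture or SSOCircle): a simplified model of the
# SAML IdP/SP exchange. JSON + HMAC-SHA256 stand in for SAML XML + XML-DSig;
# a single shared key stands in for the IdP's signing certificate.
# Device names, users, passwords and keys are constructed for the example.
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

ASSERTION_LIFETIME = 300  # seconds an assertion stays valid after issuance
CLOCK_SKEW = 30           # tolerance for IdP/SP clock drift, in seconds


@dataclass
class IdentityProvider:
    """Authenticates the user once, then mints one assertion per service provider."""
    name: str
    signing_key: bytes
    users: dict                                   # username -> password (constructed)
    sessions: dict = field(default_factory=dict)  # session id -> username

    def login(self, username: str, password: str):
        """Return an IdP session id on success, None on failure."""
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def issue_assertion(self, sid: str, sp_name: str, now: float = None) -> dict:
        """Mint a signed assertion scoped to one SP; the user is not re-prompted."""
        username = self.sessions.get(sid)
        if username is None:
            raise PermissionError("no IdP session")
        now = time.time() if now is None else now
        body = {
            "id": secrets.token_hex(8),       # unique id lets the SP reject replays
            "issuer": self.name,
            "subject": username,
            "audience": sp_name,              # assertion is only good for this one SP
            "not_before": now - CLOCK_SKEW,
            "not_on_or_after": now + ASSERTION_LIFETIME,
        }
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


@dataclass
class ServiceProvider:
    """A pump, camera or web app that trusts the IdP instead of keeping its own passwords."""
    name: str
    idp_name: str
    idp_key: bytes
    seen_ids: set = field(default_factory=set)  # replay cache of consumed assertion ids

    def consume(self, assertion: dict, now: float = None) -> str:
        """Validate an assertion and return the authenticated subject, or raise."""
        payload = assertion["payload"]
        expected = hmac.new(self.idp_key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            raise PermissionError("bad signature")
        body = json.loads(payload)          # only parse after the signature checks out
        if body["issuer"] != self.idp_name:
            raise PermissionError("unknown issuer")
        if body["audience"] != self.name:
            raise PermissionError("assertion not intended for this SP")
        now = time.time() if now is None else now
        if not (body["not_before"] <= now < body["not_on_or_after"]):
            raise PermissionError("outside validity window")
        if body["id"] in self.seen_ids:
            raise PermissionError("assertion replayed")
        self.seen_ids.add(body["id"])
        return body["subject"]


def demo() -> dict:
    """One login at the IdP, two SPs reached without re-authenticating, then the rejections."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("idp.pipeline.example", key, {"timmy": "correct horse battery staple"})
    pump = ServiceProvider("pump-7", "idp.pipeline.example", key)
    camera = ServiceProvider("camera-3", "idp.pipeline.example", key)
    out = {"bad_login": idp.login("timmy", "1234")}
    sid = idp.login("timmy", "correct horse battery staple")
    out["pump"] = pump.consume(idp.issue_assertion(sid, "pump-7"))
    out["camera"] = camera.consume(idp.issue_assertion(sid, "camera-3"))

    def attempt(label, fn):
        try:
            fn()
            out[label] = "accepted"
        except PermissionError as e:
            out[label] = str(e)

    replayed = idp.issue_assertion(sid, "pump-7")
    pump.consume(replayed)
    attempt("replay", lambda: pump.consume(replayed))
    attempt("wrong_sp", lambda: camera.consume(idp.issue_assertion(sid, "pump-7")))
    attempt("expired", lambda: pump.consume(idp.issue_assertion(sid, "pump-7", now=1000.0), now=2000.0))
    tampered = idp.issue_assertion(sid, "pump-7")
    tampered["payload"] = tampered["payload"].replace('"timmy"', '"admin"')
    attempt("tampered", lambda: pump.consume(tampered))
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same five checks map directly onto a real SAML service provider: the signature over the Assertion (or Response) verified against the IdP's certificate, the Issuer element, the AudienceRestriction condition, the NotBefore/NotOnOrAfter conditions, and a cache of consumed assertion IDs. Dropping the audience check is the one most often missed in practice: it lets a token minted for one service provider be presented to another one that trusts the same IdP.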
