Hey, I'm Rob Witcher from Destination Certification and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to single sign-on and federated identity management in Domain 5, to understand how they interrelate and to guide your studies. This is the second of two videos for Domain 5. I've included links to the other mind map videos in the description below. These mind maps are one part of our complete CISSP Master Class.

Single sign-on and federated identity management are both about allowing users to access multiple systems with a single set of credentials. Users love this, as they need to only remember one terrible password instead of multiple terrible passwords, and they only need to authenticate once to magically get access to all their applications.

Single sign-on protocols and systems are designed to work within one organization. A major protocol that enables single sign-on is Kerberos. Kerberos enables authentication via tickets over an insecure network. Kerberos is a very complicated protocol that is very flexible and, as such, has a lot of components. The first component, or rather person, is the user or client: this is the individual that would like to gain access to services through Kerberos. Kerberos provides two services, the Authentication Service and the Ticket Granting Service, both of which are contained within what is known as the Key Distribution Center, the KDC. When a user attempts to access a service via Kerberos, they first need to authenticate through the Authentication Service. The Authentication Service will check that the user exists and, if so, will send the user two tickets, one of which is known as the Ticket Granting Ticket, the TGT. The Ticket Granting Ticket is then passed on to the next component within the KDC, the Ticket Granting Service, along with a couple of other messages from the client indicating what service the client wants to access. The Ticket Granting Service will check that the service exists and if the user is authorized to access the service, and if so, the TGS, the Ticket Granting Service, will create a service ticket and send that back to the user. The service ticket is now finally what the user sends to the application in order to get access to the application. The user also caches the service ticket for any future access to the application while the ticket is valid and has not yet expired. The final piece worth mentioning here related to Kerberos is that by default it only supports symmetric key cryptography. This is a very significant limitation, as quite a few symmetric keys need to be created and securely distributed amongst the components. By the way, I've created a super detailed video explaining Kerberos which I'll link to in the description, but you don't need to watch it for the CISSP exam; you just need to know this high-level overview. But if you want a deep dive, it's there for you.

There's a second protocol that enables single sign-on capabilities that you should know just a tiny bit about. It's known as SESAME, as in "Open Sesame". SESAME supports not just symmetric cryptography but also asymmetric, solving the major symmetric key cryptography problems: scalability and key distribution.

Now let's talk about federated access. From a user's perspective it looks exactly like single sign-on: the user enters one set of credentials and then they magically get access to a bunch of different applications. The key difference is that in federated access users can access systems not just internal applications but also externally managed applications; think access to a SaaS application in the cloud. Federated access relies on a trust relationship between three different entities: the user, the identity provider and the service provider. Essentially, the service provider needs to trust the authentication that is being performed by the identity provider in order to authorize the user to access the service. Let's dig into these three entities. The first is the user, sometimes also referred to as the principal. The identity provider is the entity that authenticates the user, verifies the user's identity via authentication by knowledge, ownership or characteristic. In many organizations the identity provider will be something like Active Directory. The service provider, also sometimes referred to as the relying party, is what the user wants to access. The service provider is often not an application owned by the organization but rather an application owned and managed by a vendor; again, think of a SaaS application that so many of us access through work nowadays for submitting help desk tickets, booking travel, entering expenses, etc.

There are a number of different protocols that enable federated access. The major one that you need to know about is SAML, the Security Assertion Markup Language. As we talked about, Kerberos relies on sending tickets. SAML does the same thing but doesn't call them tickets; they are rather called tokens. These tokens can contain assertion statements: things like the user ID, service ID, the timestamp and lifetime of the token, etc. Assertion statements contained within a token are written in XML, the Extensible Markup Language. SAML was designed to be used for many different use cases; as such, it is made up of a number of different components that make it flexible and adaptable. Profiles define how SAML can be used for different business use cases, such as web single sign-on or through LDAP. Bindings map SAML onto different communication protocols, for example HTTP, allowing SAML to communicate across different types of networks. The protocol component within SAML defines how entities send and respond to requests. And finally, the assertion component defines the authentication, authorization and other such attributes. There are three more protocols that you should recognize as being federated access protocols: WS-Federation, which provides both authentication and authorization capabilities; OpenID, which provides authentication; and OAuth, which provides authorization capabilities.

All right, and that is an overview of single sign-on and federated access within Domain 5, covering the most critical concepts that you need to know for the exam. Have you checked out our CISSP guide book yet? You should, it's awesome in my completely unbiased opinion as one of the authors. We explain all these single sign-on and federated identity management protocols with super helpful diagrams. You can see why our guide book is awesome here at destcert.com slash CISSP guide.
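The Kerberos flow described in the video (AS issues a TGT, TGS issues a service ticket, the application validates it with its own key), as an added Python simulation that is not part of the video or of any Kerberos implementation. It assumes a toy SHA-256/HMAC cipher in place of AES, constructed sample keys and users, and leaves out session keys and authenticators so that only the ticket chain and the symmetric-key distribution point are shown.

```python
import hashlib, hmac, json, os
# Toy authenticated symmetric "encryption" (SHA-256 keystream XOR + HMAC tag)
# standing in for the AES modes real Kerberos uses; constructed for illustration only.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, fields: dict) -> bytes:
    nonce, pt = os.urandom(16), json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + hmac.new(key, nonce + ct, "sha256").digest() + ct

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("rejected: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Long-term symmetric keys the KDC shares with every principal (constructed sample
# values) plus the ACL the TGS consults; each key must be pre-distributed securely.
USER_KEYS = {"alice": b"k-alice", "bob": b"k-bob"}
SERVICE_KEYS = {"hr-app": b"k-hr-app"}
TGS_KEY = b"k-tgs"
AUTHZ = {"hr-app": {"alice"}}
LIFETIME = 8 * 3600  # seconds a ticket stays valid

def authentication_service(user: str, now: float) -> bytes:
    """AS: check the user exists, mint a TGT only the TGS can open, and seal the
    reply under the user's own key so only the password holder can use it."""
    if user not in USER_KEYS:
        raise ValueError("unknown user")
    tgt = seal(TGS_KEY, {"user": user, "exp": now + LIFETIME})
    return seal(USER_KEYS[user], {"tgt": tgt.hex()})

def ticket_granting_service(tgt: bytes, service: str, now: float) -> bytes:
    """TGS: open the TGT, check the service exists and the user is authorized,
    then issue a service ticket sealed under that service's own key."""
    t = unseal(TGS_KEY, tgt)
    if now >= t["exp"]:
        raise ValueError("TGT expired")
    if service not in SERVICE_KEYS or t["user"] not in AUTHZ.get(service, ()):
        raise PermissionError(f"{t['user']}: unknown service or not authorized")
    return seal(SERVICE_KEYS[service], {"user": t["user"], "svc": service, "exp": now + LIFETIME})

def service_accepts(service: str, ticket: bytes, now: float) -> str:
    """Application: open the ticket with its own key, check it is for us and unexpired."""
    t = unseal(SERVICE_KEYS[service], ticket)
    if t["svc"] != service or now >= t["exp"]:
        raise ValueError("service ticket invalid or expired")
    return t["user"]
```

Note that the application never contacts the KDC: it trusts the ticket only because it was sealed under a key that just the KDC and the application hold, which is why every principal's key must be distributed before the scheme works.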
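The SAML token checks a service provider (relying party) has to make on the assertion statements the video lists (issuer, subject/user ID, audience/service ID, timestamp and lifetime), as an added Python example that is not from the video or any SAML library. The assertion XML, the IdP and SP entity IDs and the `signature_ok` flag are all constructed here; the flag stands in for XML Signature verification, which a real SP must do against the IdP's metadata before trusting anything else.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample assertion from a made-up IdP. A real assertion also carries an
# XML Signature; verifying it comes first, otherwise every check below is moot.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0"
    ID="_assertion-0001" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://travel.example.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(s: str) -> datetime:
    """Parse the UTC timestamps SAML uses."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text: str, trusted_issuer: str, my_entity_id: str,
                       now: datetime, signature_ok: bool) -> str:
    """Service-provider side checks on a received token; returns the asserted
    user ID (NameID) if every check passes, otherwise raises ValueError."""
    if not signature_ok:  # stand-in for XML-DSig verification against IdP metadata
        raise ValueError("assertion signature missing or invalid")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 2.0 assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise ValueError("issuer is not the identity provider we trust")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        raise ValueError("no lifetime bounds: token cannot be trusted")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("token used outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise ValueError("token was issued for a different service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no subject in assertion")
    return name_id
```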