SAML Overview

Captions
Hey everybody, John Wagnon here with DevCentral, and we are coming to you with another Lightboard Lesson video. Today we're going to talk about SAML: what it is, why it's important, why you should care. SAML stands for the Security Assertion Markup Language, and the basis for SAML is that you have a user or group of users that need access to all different kinds of applications, and how do you manage the access control for all that? You're going to have a username and password for all these different things, and it gets out of control.

Before we talk about SAML, real quick let me go over how this used to be done, pre-SAML. You would have, say, a client that needs to access different applications: app one, app two, app three, whatever. Back in the day, this application or this service that your client needs to access would have its own database of usernames and passwords, and the same would be true for app two and then app three. So this guy's going to have a username here, a username here, a username here, and different passwords. Well, guess what happens when that kind of stuff starts to go on: you've got 15 different places you need to check, or 15 different applications you need to access to do your job. You're going to grab a sticky note and write down all these different usernames and passwords, and you're going to stick it underneath your keyboard, or maybe on top of your keyboard, whatever. Nonetheless, this gets really difficult in terms of managing all these different databases back here. It also gets tough on your client to say, hey, you've got to have a different username and password and all that for every single thing. We've all been there.

All right, so introduce SAML into this whole equation. SAML comes into play where we say: instead of having each application manage its own username and password database, let's bring all that into one place, have the clients access that one place and authenticate themselves at that one place, and then that thing can go out to all these different places and say, hey, I've checked this guy, he's good to go, let him have access.

In SAML you have three main components. You have the user, who is your client, your employee, or whatever. Then you have what's called the identity provider, and then you have the service provider. The service provider is basically all these different applications that you need to access. So I'm going to draw a quick SAML diagram where you have a client who needs to access all these different applications. Let's say you've got Office 365, WebEx, Concur, Salesforce, and I could go on and on; you've got all these different things. Again, instead of having a username and password for every single one of these, the service provider would be the application that hosts these things. That's where you ultimately want to get. The identity provider is going to sit right here in the middle, the IdP.

What happens with SAML is this. Let's say you're going to go out to Office 365, for example. The client is going to say, hey, Office 365, I want to access your services. Office 365 is going to check and say, hey, are you authenticated to me so that I can let you have access? If you are, then you're good to go. If you're not, it's going to say, no, I'm going to send you down here to the identity provider, and the identity provider is going to authenticate you, let's say, against your local Active Directory. The identity provider would authenticate you against your Active Directory credentials, and this, by the way, could be username and password, it could be two-factor authentication, it could be any number of different authentication means or mechanisms, but nonetheless the authentication happens here.

Once the identity provider has authenticated you as a good user to this application, your identity provider creates what's called an assertion, if I can write that correctly. This assertion is XML-based, and you can put all kinds of different information in here: it may have your username, it may have what office you work in, whether you're in marketing or sales or whatever, so that gives you different access to the different applications. Nonetheless, it creates this assertion, and the identity provider passes the SAML assertion back to the service provider saying, hey, this user is good to go. That way everything's stored right here at the identity provider level.

Now let's say after you've written up your little Office 365 document, you want to go out to WebEx to have a video call with all your co-workers, or maybe you need to go to Concur and book that flight for your next business trip, or whatever. When you go there, the identity provider already has your SAML assertion and it can pass that on to the different services on this back end, so you don't have to re-authenticate to each one of them. It makes the client a lot happier, because now you've only authenticated to one place and you don't have to keep doing that over and over and over. It makes these guys happy because they only have one person to talk to, this identity provider, and they don't have to host their own username and password databases anymore; they let the identity provider take care of that. So SAML is really cool. It's a way to really centralize and consolidate a lot of this headache, and it really streamlines a lot of this access control stuff. So that's SAML in a nutshell.

The way that it all works with the BIG-IP is you've got a client that comes in, and I'll draw a BIG-IP right here. On the BIG-IP you can load a module, APM, and APM is the thing that's going to take care of all this for you from a BIG-IP perspective. On the back side you've got all your different services: service one, service two, three, all that stuff. So you come into the BIG-IP, and the APM can act as the identity provider, the IdP, and for those services or applications that you host internally, it can also act as the service provider for those as well. When a client comes in to access these things, you could say, hey, the BIG-IP is the service provider back here, and then if the service is like, hey, I need some authentication, the BIG-IP simply passes from its service provider configuration back over to the identity provider configuration, still on the same box, though, which is kind of cool; it creates a lot of efficiencies there as well. It authenticates you via the IdP portion of the BIG-IP and then it lets you have access.

Let's say you have some cloud-based services out here that you don't own, so that has its own service provider element with those services or applications. Your BIG-IP can still be the identity provider for your clients, but you would then connect out to the cloud via the BIG-IP to the service provider element of that. The service provider would then say, hey, I need to talk to the identity provider before I give this client access. The service provider would come back to your BIG-IP as the identity provider, and then it would give you access. So the BIG-IP can do a lot of things via the Access Policy Manager, the APM, and it can act as the IdP and the SP.

But again, the reason that SAML is really cool is you don't have to have all these usernames and passwords and all this. From a security perspective it really consolidates: you tell your users, hey, one username, one password, maybe two-factor authentication, whatever you want to use to authenticate; it can handle all that stuff as long as your applications, your services, are SAML-enabled. Then you can do all this stuff, and again you can set all of this up on the BIG-IP via the Access Policy Manager, via the APM. So get out there, configure APM with SAML; it's super easy to do. We'll attach some different resources to this video to show you how to go through all the different checkboxes and all the configuration steps, but this is a really powerful thing to do. It'll save you on security steps, it'll save you on management headache with having to reset a bunch of passwords and tell your clients to memorize fifteen different passwords. So anyway, SAML is a really powerful thing. I hope you've learned a couple of things about the basics of SAML and what you can do with APM. So get out there, test it out, implement it in your own environment; I think you'll all be happy that you did. Thanks for tuning in today to this Lightboard Lesson, and we will see you guys out there in the community.
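The SP-initiated flow described in the video, as an added worked example that is not part of the video and not F5 APM code: the identity provider issues an XML assertion carrying the user's NameID and a department attribute after authentication, and the service provider validates it before granting access. The entity IDs, URLs and user names are made up for illustration. Verifying the XML-DSig signature over the assertion against the IdP's certificate is the step that makes the assertion trustworthy at all; it needs an XML signature library and is treated here as a precondition, so the code shows the checks a relying party must still perform once the signature verifies: trusted issuer, validity window with bounded clock skew, audience restriction (an assertion minted for Office 365 must not be accepted by WebEx), binding to an AuthnRequest the SP actually sent, and one-time use of the assertion ID.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical identifiers, for illustration only.
IDP_ENTITY_ID = "https://idp.example.com/idp"
SP_AUDIENCE = "https://sp.example.com/saml/metadata"


def utc_now():
    return datetime.now(timezone.utc)


def fmt(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def tag(local):
    return "{%s}%s" % (NS["saml"], local)


def issue_assertion(user, attributes, in_response_to, now=None, lifetime_s=300):
    """IdP side: build a SAML 2.0 Assertion for a user who has just authenticated
    (e.g. against Active Directory). Returns the assertion XML as a string.
    A real IdP would additionally sign this element with XML-DSig."""
    now = now or utc_now()
    ET.register_namespace("saml", NS["saml"])
    a = ET.Element(tag("Assertion"), {"ID": "_" + uuid.uuid4().hex,
                                     "Version": "2.0", "IssueInstant": fmt(now)})
    ET.SubElement(a, tag("Issuer")).text = IDP_ENTITY_ID
    subj = ET.SubElement(a, tag("Subject"))
    ET.SubElement(subj, tag("NameID")).text = user
    conf = ET.SubElement(subj, tag("SubjectConfirmation"),
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, tag("SubjectConfirmationData"),
                  {"InResponseTo": in_response_to,
                   "NotOnOrAfter": fmt(now + timedelta(seconds=lifetime_s))})
    cond = ET.SubElement(a, tag("Conditions"),
                         {"NotBefore": fmt(now),
                          "NotOnOrAfter": fmt(now + timedelta(seconds=lifetime_s))})
    ET.SubElement(ET.SubElement(cond, tag("AudienceRestriction")),
                  tag("Audience")).text = SP_AUDIENCE
    stmt = ET.SubElement(a, tag("AttributeStatement"))
    for name, value in attributes.items():  # e.g. department, used for authorization at the SP
        attr = ET.SubElement(stmt, tag("Attribute"), {"Name": name})
        ET.SubElement(attr, tag("AttributeValue")).text = value
    return ET.tostring(a, encoding="unicode")


class ServiceProvider:
    """SP side of the exchange (what Office 365, WebEx, or APM-as-SP would do)."""

    def __init__(self, audience=SP_AUDIENCE, trusted_issuer=IDP_ENTITY_ID, clock_skew_s=60):
        self.audience = audience
        self.trusted_issuer = trusted_issuer
        self.skew = timedelta(seconds=clock_skew_s)
        self.pending_requests = set()    # AuthnRequest IDs this SP actually sent
        self.seen_assertion_ids = set()  # replay protection

    def start_login(self):
        """SP-initiated SSO: redirect the user to the IdP with an AuthnRequest and
        remember its ID so the returned assertion can be tied to it."""
        req_id = "_" + uuid.uuid4().hex
        self.pending_requests.add(req_id)
        return req_id

    def consume(self, assertion_xml, now=None):
        """Validate an assertion; return (principal, attributes) or raise ValueError.
        Precondition not implemented here: the XML-DSig over this Assertion has been
        verified against the IdP's signing certificate."""
        now = now or utc_now()
        a = ET.fromstring(assertion_xml)
        if a.tag != tag("Assertion") or a.get("Version") != "2.0":
            raise ValueError("not a SAML 2.0 Assertion")
        issuer = a.findtext("saml:Issuer", namespaces=NS)
        if issuer != self.trusted_issuer:
            raise ValueError("untrusted issuer %r" % issuer)
        aid = a.get("ID")
        if not aid or aid in self.seen_assertion_ids:
            raise ValueError("assertion replayed or missing ID")
        cond = a.find("saml:Conditions", NS)
        if cond is None:
            raise ValueError("missing Conditions")
        if now + self.skew < parse_ts(cond.get("NotBefore")):
            raise ValueError("assertion not yet valid")
        if now - self.skew >= parse_ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.audience not in audiences:
            raise ValueError("audience mismatch %r" % audiences)
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        irt = scd.get("InResponseTo") if scd is not None else None
        if irt not in self.pending_requests:
            raise ValueError("InResponseTo does not match an outstanding request")
        self.pending_requests.discard(irt)
        self.seen_assertion_ids.add(aid)
        principal = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
        attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
                 for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
        return principal, attrs
```

Each SP keeps its own audience value, so the same IdP can serve many applications while an assertion issued for one of them is rejected by the others. In a deployment, feed the parser only after signature verification and use a hardened XML parser; the stdlib parser here is enough to show the checks, not to face hostile input.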
Info
Channel: F5 DevCentral
Views: 324,245
Keywords: f5, devcentral, Security Assertion Markup Language (Protocol Provider)
Id: i8wFExDSZv0
Length: 10min 22sec (622 seconds)
Published: Wed Dec 09 2015