Hi abhijith ks! Great question. Single Sign-On (SSO) is the idea of giving users one place to sign in and then granting them access to multiple applications. Single Sign-On can be accomplished using many types of solutions and technologies. SAML is a specific standard that defines how authentication and authorization data is exchanged between parties...specifically the Identity Provider (IdP) and Service Provider (SP). So, generally speaking, you can think of SSO as an overarching capability to give users a single place to authenticate in order to gain access to multiple applications; and you can think of SAML as a specific set of standards that helps achieve SSO. Hope this helps!
SAML is an open standard for Federation. SSO allows a single authentication credential to access different systems within a single organization, whereas a federation system provides single access to multiple applications across different enterprises.
SSO is something you can get even without SAML; it is the IdP that provides SSO tokens. When using SAML, there are some requisites set by the vendor; these are passed in the claims, which are statements about users (attributes). Once they are satisfied, you can get an SSO token.
Hi F5 devcentral. I disagree with something. You cannot re-use the same SAML token (json token) for all the applications. User needs to be authenticated for every app they want to access. I am not aware of any case where you will re use same token. Every token has specific information about the session. The token also is sent to a specific reply URL to be consumed and has an audience which is the SP that requested the token. On the other hand, once user is authenticated they can get an SSO token that will reduce the times users need to authenticate. For ADFS it is also integrated with Windows Authentication that will take the KRB ticket stored in the user computer after user sign-in. In those cases, users will not even have to enter credentials at all. Bless
Hi there...great question! OAM is the Oracle Access Manager and is Oracle's specific technology solution for web access management and user identity administration. SAML is a standard that defines how authentication and authorization data is exchanged between parties...specifically the Identity Provider (IdP) and Service Provider (SP). So, the OAM could use SAML for providing access management for users. Hope this helps!
Err no I don’t think so - the connection to the backend is separate and not connected to saml. Saml just authorises the access on the SP, how the SP then connects to the application server is another story
Here's a good deployment guide for configuring the F5 BIG-IP as a SAML IdP for common SaaS applications: www.f5.com/pdf/deployment-guides/saml-idp-saas-dg.pdf
pretty good explanation but you stumble on the "Big IP" and "APM" part. i think this part needs to be explained further as you kind of just gloss over it and it really makes no sense for someone who has never heard of SAML before. the rest of the video and explanation is solid.
Great Video, to understand SAML. Does anyone have a simple and straightforward way to use SAML 2.0 in C#?? (Sample Code) I saw many but most of them are very complicated! Can anyone help me out with this?
While DevCentral doesn't necessarily provide a great deal of C# code samples, you could try stackoverflow or github for some good examples. Here's one from stackoverflow: stackoverflow.com/questions/15530184/working-with-saml-2-0-in-c-sharp-net-4-5 Hope this helps!
Hi Niokolay, thanks for the great comment! You are correct that the IdP and the SP never directly talk to one another. I could have made this a little more clear in the video. The client always acts as a "middle man" of sorts. So, while the SP and the IdP do communicate with each other, they never do so directly...it's always through the use of the client. Thanks again for the comment and the clarification!
Your statement is incorrect. The IdP and SP don't communicate directly; there's always a client acting as an intermediary between them. Please remove this misleading video.
In this video - ruclips.net/video/buiFjT9tsFc/видео.html - John is right-handed. In this one he's a leftie. That should explain his uncanny backwards-writing aptitude :)
Really bad explanation. Please practice your video before putting it up; so much mumbling and confusion going on, not even mentioning how the app is gonna send you to the IdP while they have a user/pass section for themselves when you enter, for example, 365 ...
Genius simplified. Wow. Thanks John! You are appreciated for breaking this down for me as an Independent MSP. And this was presented 5 years ago, still relevant for a while.
glad you enjoyed it!
I was just recently assigned a project that uses SAML and I had to start from scratch none of the material I read made much sense until I saw your video, thank you!
awesome...glad it helped!
Best explanation for SAML I've found on RUclips!
Best SAML explanation on the internet.
The Content you deliver has got clarity.Thank you
glad you enjoyed it!
Humanly understandable video, amazing, thank you !
Absolutely gorgeous presentation, both in style and content. Thanks!
Best explanation I've ever seen on SAML!
I have to agree ... the best explanation of SAML concept by far!
glad you enjoyed it!
You're good at writing backwards.
Or they flipped the video on post.
You can tell the video is flipped because his shirt's buttons are on the other side. Men's shirts have their buttons on the right side.
Not flipped but mirrored
@JLeonan Well, this is escalating into quantum symmetry. Lol
@asciivision this is how we do the Lightboard: ruclips.net/video/U7E_L4wCPTc/видео.html
Great Explanation ! John superbly explains all the concepts.
glad you enjoyed it!
Best video on the subject so far!
glad you enjoyed it!
The issue with most explanations of SAML/SSO is the instructor talking like you are system admin or already fully understand SAML. Great explanation for the lay person. Thank you
glad you enjoyed it!
So impressed how well the presenter can write backwards 😲
thanks for the comment! How we do the Lightboard: ruclips.net/video/U7E_L4wCPTc/видео.html
Great explanation! Thanks a lot. Post more videos!
Thanks!! You can catch the Lightboard Lessons playlist here: ruclips.net/video/LheW3IrjqW4/видео.html&ab_channel=F5DevCentral
Awesome...explained it in the simplest way...
Glad you enjoyed it!
Very good explanation... Thanks
glad you enjoyed it!
This helped me to understand the SSO flow. Thanks
I'm glad it helped!
I'm most impressed by the fact that he's writing all of this backwards.
I think they definitely flipped it in post, or they just have an abnormally high number of left handed instructors...
The video of the guy is mirrored, and so is the whiteboard (the writing is like a Photoshop layer). Two proofs/observations: it's a plain black background and he's wearing a plain shirt, so if it had been a T-shirt with anything printed on it we could figure out it's mirrored. The trainer's wristwatch is on his right hand; mostly men wear it on the left hand.
His shirt is inverted too.. Shirt buttons too... The pocket is usually on the left.
imagine the video recorder is behind him (not in the front) and he's writing on a mirror, simple.
Watch his hand, it tells everything
Thanks for the wonderful introduction to saml
glad you enjoyed it!
Excellent explanation. Thank you
glad you enjoyed it!
F5 DevCentral it would be great if you could also make a video on difference between oauth and saml..
this guy can teach me anything! wow! i'm a fan! thank you!
glad you enjoyed it!
Really helpful, and wonderful presentation style
Glad you enjoyed it!
Crisp and to the point. Great work
glad you enjoyed the video!
nice overview.. thanks for breaking it down
glad you enjoyed it!
Very good explanation! A small tip: Wearing black shirt would make the letters to be visible even better. (although i would say they were still manageable on this light shirt).
Glad you liked the video...and thanks for the tip on the shirt colors. We typically shoot videos today with darker blue shirts for the exact reason you mentioned...it's a great point!
Thanks! Very clear and yes, very powerful. Thanks!
Glad you enjoyed the video!
SAML is a pre-arranged SSO standard: the IdP and SP share configuration (user claims info), an X.509 cert for digital signing of authentication requests, Assertion URL, SSO URL, reply-back URLs etc. There are two supported workflows:
1. SP initiated workflow
2. IDP initiated workflow
There's no magic happening at the front-end or behind the scenes 😉
SAML High-Level Workflow :
SAML Request --> SAML Response --> Authentication
So great!! Thanks, sir.
glad you enjoyed it!
5:02 glorious moment for F5
lmfao I thought the same FUCKIN WRITE THAT CORRECTLY
really cool explanation with good examples. thanks for your knowledge sharing.
glad you enjoyed it!
Thanks, I could really understand the basics :)
glad you enjoyed it!
I think I don't get two things (6:24):
1. how is the saml assertion returned to the SP and what is the SP doing with it? e.g. the assertion is added as an http header so it's available for subsequent requests
2. If C is switching to "WebEx". What happens? Is the existing assertion at the http headers, or is the IdP aware of the Http session and matches the session?
In general, I think I get the idea of the assertion, but how is it handled?
5:23 I do not think Identity Provider contacts the Service Provider as you suggested. It gives a token to the client, which the client can send to the Service Provider.
Hi Koray, thanks for the great comment! You are correct that the IdP and the SP never directly talk to one another. I could have made this a little more clear in the video. The client always acts as a "middle man" of sorts. So, while the SP and the IdP do communicate with each other, they never do so directly...it's always through the use of the client. Thanks again for the comment and the clarification!
Right, idp shares a *claim* with the client after authentication, and that same *claim* will be used by the client to get access to all the services which accept it. Having received a claim by authenticating only once on idp, client gets access to all the services which accept that claim.
Excellent video !!! This is exactly what I wanted.
Very good explanation. Thank you for your time and the detailed info pack. (Y)
glad you enjoyed it!
This is, perhaps, a bit oversimplified. In reality, the SP and IdP never communicate directly with each other. Rather, the assertions are passed back and forth through the user's browser, via http redirects.
+Toby Garcia: thanks Toby...great point on the indirect communication. As you stated, this video provides a simple overview, and certainly SAML gets (or can get) much more involved than what is discussed here. Thanks again for the clarification and the great comment!
+F5 DevCentral it's basically like Kerberos, right?
Agree with Toby. Even if you closely look at the URL's changing frequently and if you can check them, the Assertions do get passed to and fro from the browser. But, this is very nice video and very easy to learn SAML.
One question from me regarding SAML 2.0. We have received some SOAP web services developed for a company using SAML 2.0. The problem that I discovered was that web service calls with SAML worked if called from the browser, but if the same web service was called from a batch it would produce an error (SAML assertion exception). The browser had a certificate installed, but in the batch sample we would not use a browser. Does that mean that this problem was related to the implementation of SAML in this case, or to the fact that SAML can only authenticate and pass an assertion in a browser scenario? Can SAML work in a batch scenario? Also we had to remove the SAML configuration and pass SPID (certificate) instead in order to get the web service working with batch.
Every single video on this subject implies they communicate which is very misleading and dramatically affects your perception if you want to use this model or not.
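The SP-initiated flow summarized in the "SAML Request --> SAML Response --> Authentication" comment above, together with the point Koray and Toby make that the IdP and SP only ever talk through the user's browser, as one added Python example. This is not code from the video or from F5: the entity IDs, endpoint URLs, the user "alice@example.com" and the IdP Response are all constructed, and the IdP itself is represented only by a request decoder and that constructed Response. It assumes the XML signature on the Response has already been verified by an XML-DSig library (deliberately not implemented here) and shows the checks the SP still has to make before it trusts a bearer assertion: Destination, InResponseTo against its own outstanding requests, Issuer, the validity window, AudienceRestriction, the SubjectConfirmationData Recipient, and a replay cache keyed on assertion ID.

```python
"""SP-initiated SAML 2.0 Web SSO: both legs travel via the browser, then the SP-side checks.
XML-DSig verification is assumed to be done by a proper library first; it is not implemented here."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
# Hypothetical entity IDs and endpoints: the pre-arranged configuration both sides share.
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/saml/idp"
IDP_SSO_URL = "https://idp.example.com/saml/sso"
CLOCK_SKEW = timedelta(seconds=60)

def ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def authn_request_redirect(request_id, now, relay_state):
    """SP leg, HTTP-Redirect binding: raw DEFLATE, base64, URL-encode; the browser carries it to the IdP."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" Version="2.0" '
           f'IssueInstant="{ts(now)}" Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>")
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    raw = deflater.compress(xml.encode()) + deflater.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": relay_state})

def decode_authn_request(url):
    """IdP leg: undo the binding and parse the request; the IdP authenticates the user after this."""
    b64 = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return ET.fromstring(zlib.decompress(base64.b64decode(b64), -15))

def make_idp_response(in_response_to, now, audience=SP_ENTITY_ID, issuer=IDP_ENTITY_ID):
    """Constructed, unsigned sample Response (not real IdP output), base64 as POSTed in the SAMLResponse field."""
    later = ts(now + timedelta(minutes=5))
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" Version="2.0" '
           f'IssueInstant="{ts(now)}" Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">'
           f"<saml:Issuer>{issuer}</saml:Issuer>"
           '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
           f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{ts(now)}">'
           f"<saml:Issuer>{issuer}</saml:Issuer><saml:Subject><saml:NameID>alice@example.com</saml:NameID>"
           '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{SP_ACS_URL}" '
           f'NotOnOrAfter="{later}"/></saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{ts(now - timedelta(minutes=1))}" NotOnOrAfter="{later}">'
           f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
           "</saml:Conditions></saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

class ServiceProvider:
    def __init__(self, clock):
        self.clock = clock            # injectable clock so the time checks are testable
        self.pending = {}             # outstanding AuthnRequest ID -> RelayState
        self.seen_assertions = set()  # replay cache of accepted assertion IDs

    def start_login(self, relay_state="/"):
        """No session yet: remember a fresh request ID and bounce the browser to the IdP."""
        request_id = "_" + uuid.uuid4().hex
        self.pending[request_id] = relay_state
        return authn_request_redirect(request_id, self.clock(), relay_state)

    def consume_response(self, saml_response_b64):
        """Checks that a valid signature alone does not give you; each raises ValueError on failure."""
        now = self.clock()
        root = ET.fromstring(base64.b64decode(saml_response_b64))
        if root.tag != f"{{{SAMLP}}}Response":
            raise ValueError("not a samlp:Response")
        if root.get("Destination") != SP_ACS_URL:
            raise ValueError("Destination is not our ACS URL")
        relay_state = self.pending.pop(root.get("InResponseTo"), None)  # each request ID is single use
        if relay_state is None:
            raise ValueError("InResponseTo does not match an outstanding request")
        assertions = root.findall("saml:Assertion", NS)
        if len(assertions) != 1:
            raise ValueError("expected exactly one Assertion")
        a = assertions[0]
        if a.findtext("saml:Issuer", None, NS) != IDP_ENTITY_ID:
            raise ValueError("untrusted Issuer")
        if a.get("ID") in self.seen_assertions:
            raise ValueError("assertion replayed")
        cond = a.find("saml:Conditions", NS)
        if not parse_ts(cond.get("NotBefore")) - CLOCK_SKEW <= now < parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
            raise ValueError("assertion outside its validity window")
        if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            raise ValueError("assertion not addressed to this SP")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd.get("Recipient") != SP_ACS_URL or now >= parse_ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
            raise ValueError("bearer confirmation is for another endpoint or has expired")
        self.seen_assertions.add(a.get("ID"))
        return {"name_id": a.find("saml:Subject/saml:NameID", NS).text, "relay_state": relay_state}
```

`start_login()` returns the URL the browser is redirected to; the IdP never receives anything from the SP except through that browser, and its answer comes back the same way as a form POST to the ACS URL that `consume_response()` handles. A Response whose InResponseTo has already been consumed, whose Audience names another SP, whose Issuer is not the configured IdP, or whose validity window has passed is rejected with a distinct reason. With a real IdP the signature check has to come first and has to cover the assertion you actually act on, not merely some signed element elsewhere in the document.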
05:01 sounds your "If I can write....." sounds like "f@#$%ing write that...." lol
thats what i thought too. lol i felt that in my heart.
Excellent !!!!!
glad you enjoyed it!
Thank You TA. I've already started. Thank you so much.
It's very clear, thank you very much!
Glad you enjoyed it!
Thanks for making such a great video. It was very very helpful.
Could you please answer a couple of really basic questions?
1. Considering SAML was created more than a decade ago, is it still the best/recommended way for implementing SSO?
2. What are the other most recent, popular, secure alternatives of SAML for SSO?
Hi Learning Tech...great questions! SAML is still very widely used today and is still a good option for SSO. SAML 2.0 is the latest version available today. A good alternative to SAML for SSO is OAuth2.0. Here's a good article I found that compares/contrasts SAML and OAuth: www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/
I hope this helps!
Check out SimpleSAML
Thanks a lot, very well explained.
glad you enjoyed it!
great video, excellent stuff. the confusing thing is that SAML almost sounds like SSO or LDAP in this video. Help me understand the differences between what is being described here vs. sso or ldap. thanks and apologize in advance for any novice questions.
SAML is a standard used to provide Single Sign On. LDAP is a protocol used to store, query, etc.. users, groups, organizations, etc. Something like Active Directory is an implementation of LDAP. LDAP would be equivalent to the IdP in the SSO workflow.
Yep, I’d just add that SAML is an implementation of SSO. LDAP is a protocol behind the scenes in this case. What is great about SAML is that it is distributed, so the SP and the application don’t need to get any passwords, they just need to trust the authority of the IdP. The SP could be out on the internet but the IdP is often local to the user, so the password doesn’t go to the internet and is not stored on multiple systems, in addition to the SSO convenience for the user
Hi, just a suggestion. Would it be clearer to title this as "Achieving Single Sign On using SAML"? I understand that SAML is just a standard (like OIDC) but the final objective is achieving SSO for the users.
I don't think it's quite the same as SSO. I believe SAML is a tool/framework/mechanism for federation. Federation is similar to SSO, but definitely not the same.
Example of SSO: Login to Google and now you're logged into all Google managed/owned/run applications like RUclips, Google Docs, Google Plus, Maps, Gmail, etc.
An example of Federation is when you try to logon to Facebook or Twitter (not managed by Google) and you get the option to login with your Google Account. Essentially, Google verifies your identity.
I'm learning also, so I might be wrong. But I know AWS primarily uses SAML to allow users to federate between web applications.
I didn't understand the Active Directory part. Do you mean the credential already exists over there?
Well expounded... thank you.
glad you enjoyed it!
What are all the authentication protocols we have?
first of all thanks for video. nice done.
quick question if I may - I think I've caught how authentication works but how SAML would pass authorization information with regards to LDAP for example.
I mean - IdP knows what applications users should have access to but how it would know what level of access exactly?
sorry, that's probably being asked before I couldn't find.
In HttpResponse SAML can send back the user's set of roles (just as an example), and based on this set of roles you can implement the user's security level on the Service Provider side.
what is big ip in this context ??
BIG-IP in this context is the server and can be the Service Provider (SP) and/or the Identity Provider (IdP).
Fucking right that correctly. :)
Nice vid. Thanks
I'm confused how the IDP knows what client is what? Because if the user has been authenticated by app 1 and then they want to go to app 2, what information is collected on the client that can identify it enough that the assertion is generated and sent securely to the app?
Great question. The Identity Provider authenticates the user against say, Active Directory, and then creates an assertion that has all the information about all the different apps that specific client is able to access. When the assertion is passed to the Service Provider, the Service Provider then knows (based on the contents of the SAML assertion) what apps to give that specific client access to.
First of all its a very good quick presentation.
As I understood, each application will have its own authorization database. If that is the case, for app1 the user gets authenticated using the IdP and the corresponding assertion is created. What reference will be available in the assertion to redirect to the correct application? Is there any attribute we need to map? Because in the case of different applications, how will it be pointed to the correct application for authorization?
It’s magic
Guess you have missed Daniel's question - it was about what user info is passed by each SP to the IdP, if I am not wrong?
Also...
Q1. Are assertions reused ?
Q2. Are assertions reused as a whole ? If so, then one SP gets to know about the permissions of the user on other applications. That's undesirable !
Q3. Is there a TTL or a mechanism by which the assertions are/get refreshed ?
Tia
Avijeet Ray the idp does not exchange anything with the sp here, it provides the signed assertion to the client, the assertion includes details about the validity (or ttl as you put it). In this case there is only one sp for three applications, so it will need to be provided with all the information about what the user can access for all apps. There could be an SP for each application theoretically but often there is just one- that is the benefit of SSO. The assertion is used for as long as it’s valid, then the process happens again. It’s not reused, it’s just valid for a period, the SP will set a cookie for this period.
Here is a diagram of the process: support.symantec.com/en_US/article.TECH241052.html
So are actual credentials ever being entered into the service provider?
For example, when I first try to access a service provider and am not authenticated and no assertion exists, am I entering credentials into the service provider, then the service provider is directing the credential to the IDP? Or is the user redirected to the IDP to enter their credentials there? Does the service provider ever see your username\password?
great question! when you initially try to access the service provider, the service provider will check to see if a SAML assertion exists for you. If it does, then the Service Provider will have all the information needed to provide you access to the service. If no assertion exists, then the Service Provider will immediately send you back to the Identity Provider so you can authenticate with the Identity Provider and get your SAML assertion. So, the Identity Provider is the place where you will authenticate, and the Service Provider will never see your username/password. Hope this helps!
It's exactly what I was hoping to hear, thanks!
How does the SP (assuming the SP provides services to multiple IdPs) decide which particular IdP it should contact for authentication? Let's say I am trying to access this service provider's application using the login ID sdave, which gives no clue about which IdP to contact.
Excellent tutorial. Is there anything planned for a similar video on X.509?
thanks...glad you liked the video! i've received several requests about X.509, so i'll plan to do one on that as well. stay tuned!
F5 DevCentral sounds good! I always take the X.509 route wherever at all possible.
Dragged out a single concept:
User - Identity provider - saml - Service provider
Dumbed down version
You should also post a video about bodybuilding
Nice
glad you enjoyed it!
Nice video
Thanks and we appreciate the comment!
Dumb question: if the user exists in the identity provider, how does the service provider delegate what access the user has to in the application?
first, that's not a dumb question at all...tons of people have that exact same question! thanks for asking. it's all found in the SAML assertion (the XML-based assertion)...when the Service Provider needs to provide access to a requested resource, it does so based on the assertion that the Identity Provider has created. So, the Service Provider allows access to whatever the Identity Provider assertion says. It's up to the Identity Provider to create the assertion that only allows the user access to the correct resources. Here's a little more from Wikipedia:
SAML assertions are usually transferred from identity providers to service providers. Assertions contain statements that service providers use to make access-control decisions. Three types of statements are provided by SAML:
Authentication statements
Attribute statements
Authorization decision statements
Thanks for asking!
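To make the answer above concrete, here is an added example (not code from the video or from F5) that parses a constructed SAML 2.0 assertion and applies the checks an SP performs before trusting it: the validity window (the TTL discussed earlier), the audience restriction, and the presence of the authentication and attribute statements. The issuer, audience and group values are made up; XML signature verification is deliberately left out and must be done separately on a real deployment.

```python
# Added example, not the video's or F5's code. Parses a constructed SAML 2.0
# assertion and applies the SP-side checks: time window, audience, statements.
# Signature (XML-DSig) verification is NOT performed here; a real SP must do it.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: issuer, audience and attribute values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>sdave</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>salesforce-users</saml:AttributeValue>
      <saml:AttributeValue>webex-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_saml_time(s):
    """SAML timestamps are UTC ('Z' suffix); return an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_assertion(xml_text, expected_audience, now):
    """Return (accepted, reason, attributes) for one assertion at time `now`."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element", {}
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < parse_saml_time(nb):
        return False, "assertion not yet valid", {}
    if noa and now >= parse_saml_time(noa):  # NotOnOrAfter is exclusive
        return False, "assertion expired", {}
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and expected_audience not in audiences:
        return False, "audience mismatch", {}  # assertion was minted for another SP
    if root.find("saml:AuthnStatement", NS) is None:
        return False, "no AuthnStatement", {}
    attrs = {}  # attribute statements drive the SP's access decisions
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return True, "ok", attrs
```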
And as usual with F5 videos, none of the promised links in the description.
Is SAML the same thing as SSO?
SAML is a means by which to implement SSO. OAuth is another option.
5:02 cracks me up
I heard it as "fu(king write that", whereas it's actually "if I can write that".
Great video
F5 DevCentral: Is SAML some kind of SSO?
Hi abhijith ks! Great question. Single Sign-On (SSO) is the idea of giving users one place to sign in and then granting them access to multiple applications. Single Sign-On can be accomplished using many types of solutions and technologies. SAML is a specific standard that defines how authentication and authorization data is exchanged between parties...specifically the Identity Provider (IdP) and Service Provider (SP). So, generally speaking, you can think of SSO as an overarching capability to give users a single place to authenticate in order to gain access to multiple applications; and you can think of SAML as a specific set of standards that helps achieve SSO. Hope this helps!
SAML is an open standard for federation. SSO allows a single authentication credential to access different systems within a single organization, whereas a federation system provides single access to multiple applications across different enterprises.
SSO is something you can get even without SAML; it is the IdP that provides SSO tokens. When using SAML, there are some requisites set by the vendor; these are passed in the claims, which are statements about users (attributes). Once they are satisfied, you can get an SSO token.
Hi F5 DevCentral. I disagree with something. You cannot re-use the same SAML token (JSON token) for all the applications. The user needs to be authenticated for every app they want to access. I am not aware of any case where you will re-use the same token. Every token has specific information about the session. The token is also sent to a specific reply URL to be consumed and has an audience, which is the SP that requested the token. On the other hand, once the user is authenticated they can get an SSO token that will reduce the number of times users need to authenticate. ADFS is also integrated with Windows Authentication, which will take the Kerberos ticket stored on the user's computer after the user signs in. In those cases, users will not even have to enter credentials at all. Bless
@natarajanmuthuraman5019 SAML is not unique to federation.
What's the difference between SAML and OAM?
Hi there...great question! OAM is the Oracle Access Manager and is Oracle's specific technology solution for web access management and user identity administration. SAML is a standard that defines how authentication and authorization data is exchanged between parties...specifically the Identity Provider (IdP) and Service Provider (SP). So, the OAM could use SAML for providing access management for users. Hope this helps!
Should the applications (SP) be SAML enabled?
yes
Err no I don’t think so - the connection to the backend is separate and not connected to saml. Saml just authorises the access on the SP, how the SP then connects to the application server is another story
There are dozens of videos about WHAT is SAML, but very few info about HOW to integrate it :(
Here's a good deployment guide for configuring the F5 BIG-IP as a SAML IdP for common SaaS applications: www.f5.com/pdf/deployment-guides/saml-idp-saas-dg.pdf
Do you even lift?
Hi John - How did you create the Video? I teach and this is excellent
Hi Jaya, here's the article where we discuss the build for these videos: devcentral.f5.com/articles/lightboard-lessons-behind-the-scenes
Nice job!
Can you please specify the difference between SAML and SSO?
Hi, great question! Single Sign-On (SSO) is the idea of giving users one place to sign in and then granting them access to multiple applications. Single Sign-On can be accomplished using many types of solutions and technologies. SAML is a specific standard that defines how authentication and authorization data is exchanged between parties...specifically the Identity Provider (IdP) and Service Provider (SP). So, generally speaking, you can think of SSO as an overarching capability to give users a single place to authenticate in order to gain access to multiple applications; and you can think of SAML as a specific set of standards that helps achieve SSO. Hope this helps!
Nice explanation. Just to add. SSO is a concept or idea where as SAML and OAUTH (1 & 2) are implementation of those concepts.
pretty good explanation but you stumble on the "Big IP" and "APM" part. i think this part needs to be explained further as you kind of just gloss over it and it really makes no sense for someone who has never heard of SAML before. the rest of the video and explanation is solid.
Big IP is their product... check their website for more info.
Woah! How do you do that, write backwards and mirrored!!
I get it, you're just writing normally, it's the video that's flipped later.
I'm distracted by the backwards writing.
Great video for understanding SAML. Does anyone have a simple and straightforward way to use SAML 2.0 in C#? (sample code) I saw many but most of them are very complicated! Can anyone help me out with this?
While DevCentral doesn't necessarily provide a great deal of C# code samples, you could try stackoverflow or github for some good examples. Here's one from stackoverflow: stackoverflow.com/questions/15530184/working-with-saml-2-0-in-c-sharp-net-4-5
Hope this helps!
Dude, no one uses C# anymore. Assembly is the way to go!
Is this guy from Alabama? (asking for a friend)
Originally from Arkansas, actually. Close to Alabama! :)
Nice intro
glad you enjoyed it!
Video is flipped
I have a SAML toe.
I think saml 2.0 is causing havoc on my yahoo emails.
The SP does not talk directly with the IdP; they redirect to each other, as they have established trust.
Hi Niokolay, thanks for the great comment! You are correct that the IdP and the SP never directly talk to one another. I could have made this a little more clear in the video. The client always acts as a "middle man" of sorts. So, while the SP and the IdP do communicate with each other, they never do so directly...it's always through the use of the client. Thanks again for the comment and the clarification!
Your statement is incorrect. The IdP and SP don't communicate directly; there's always a client acting as an intermediary between them. Please remove this misleading video.
BIG-IP? APM?
Those are technologies from F5 Networks that can be used for SAML implementation.
In this video - ruclips.net/video/buiFjT9tsFc/видео.html - John is right-handed. In this one he's a leftie. That should explain his uncanny backwards-writing aptitude :)
this is how we do the Lightboard: ruclips.net/video/U7E_L4wCPTc/видео.html
Really bad explanation. Please practice your video before putting it up; so much mumbling and confusion going on, not even mentioning how the app is going to send you to the IdP while they have a user/pass section for themselves when you enter, for example, 365 ...
great video
glad you enjoyed it!