Understanding Single Sign-On (SSO) with SAML Authentication
Explore the concept of Single Sign-On (SSO) using SAML authentication. Learn how it simplifies user access across services without repeated logins.
What is single sign on (sso) How sso works with saml SAML authentication with AD (2023)
Added on 10/02/2024

Speaker 1: If it is a valid token, it will grant access to that particular secure page at step 8. Hello friends, welcome to ITK Funday, your own channel where we make IT interesting for everyone, and in this video we will cover one of the most requested topics from you guys, which is SSO, or what we call Single Sign-On. Guys, suppose you are attending a big fat Indian wedding of a multi-billionaire and there is very tight security at the gates: you are asked to show your personal identification at the entrance, and then, once you have entered the wedding venue, in the area where all the food items and drinks are being served, at every counter you are asked to show your identity and the wedding invitation card. Don't you think it is inconvenient for you to go through this process again and again? It is irritating, and it will not let you have the actual fun of enjoying the food and the wedding. So what if, right at the entrance, the security personnel ask you to show your identity and the invitation and then give you a token which you can tie on your wrist, or a stamp of sorts, which validates that yes, your identity has been proven and now you can go and enjoy your food and enjoy the wedding? So this is primarily called Single Sign-On, wherein your identity is authenticated and authorized right at the entrance of an architecture, and then you go about doing the job which you intended to do. So now we will take a use case, a very simple use case, of understanding how Single Sign-On works using SAML authentication. SAML stands for Security Markup Assertion Language, which is an open standard to exchange identities between an identity provider and a service provider. So in a real-life example, your identity provider could be the government of India, which issued you that particular identity, and your service provider was the wedding venue. So when these two are exchanged, then you go about doing your job.
So let's understand this architecture and understand how SSO exactly works. So friends, now let's understand this workflow of end-to-end Single Sign-On authentication using Windows Active Directory. Before we go on to understand every step, first understand that there are three parties involved in it. Number one is the principal, or the actual user, who is initiating a request. The request is actually meant to go to a service provider, which would be serving that particular specific request. But before serving that particular request, the service provider needs to know whether this is a legitimate user or not, for which we will be going and contacting the IDP, which is the Identity Provider. So in this whole workflow you can see various arrows going in. Just understand that wherever you see the black arrow, this is the authentication workflow, and wherever you see the red arrow, this is the token workflow once the token has been assigned. So we will start with step 1. At step 1, the user opens up a browser and types the URL of that particular service provider. So suppose we are trying to open the home page of a web application. So what will happen? This particular browser will then, at step 2, redirect it to the source, which is this particular service provider, or you can say the web app server. Now at step 3, this particular web app server will redirect this particular request to the Active Directory server, because this particular server wants to know whether this is a legitimate request coming from a legitimate user or not. So it will generate a SAML authentication request and pass it on to the Active Directory server. Now once this SAML authentication request is generated, it could go to a Windows Active Directory within the network, or suppose we are using Azure Cloud, then it could go to the Azure AD service. So it depends. So for now, I have taken Windows Active Directory as an example.
So at step 4, this particular Active Directory will validate this particular request, and all these requests go in XML format. So SAML authentication will generate an XML request, and this particular request will be analyzed by this particular Active Directory server to identify whether it is a legitimate user or not. Once, at step 4, the user is authenticated, a SAML token will be generated for this particular request at step 5, which will be done through the identity provider. This SAML token will have different attributes and information about that particular user. And then this particular token information, in an XML file, an XML response, will go back to this particular browser from where the request was made. Once the request reaches this particular browser, this particular browser will redirect this particular token back to the service provider to say, hey, I got this particular token, now you can check it. It's kind of my identity card; go validate it, I am a genuine user. So this particular web server, once it receives this particular token, will validate this particular SAML response, and if it is a valid response and a valid token, it will grant access to that particular secure page at step 8. So once this particular token, again, it is a SAML response, so we made a SAML request and we got a SAML response. So now, once we have the SAML response and the legitimate token, this particular web app server would say, hey, you are a genuine user, now go and enjoy your buffet at the wedding. So this particular user will be authenticated, and then whichever page or service this particular user has requested would be served back to this particular browser.
And once this particular token is assigned, there will be a validity for this particular token, for suppose an entire session, a certain time window, or maybe some other parameter, and during that time window, once this is authenticated, this user need not authenticate again and again, as long as this token which has come is valid. So this is single sign-on, seamless access. Now there is a second step to it, which is silent single sign-on. So it is sometimes also called silent single sign-on. Now silent single sign-on means that you don't necessarily have to type the password manually. So in this, at no place are you typing the passwords manually. So this is also called SSSO, triple S O. So this is silent single sign-on as well. So I hope you liked this video. If you did, please hit the like button, hit the subscribe button and the bell icon so you know exactly when I upload my next video. The comment section is always open for your comments, feedback, and improvement areas for me to improve. So until next time guys, please keep learning, keep sharing all your knowledge and yes, keep hustling. Bye for now.
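The service-provider side of the workflow described in the transcript, as an added example in Python (not code from the video or the channel): it builds the SAML AuthnRequest the web app server sends at step 3 using the HTTP-Redirect binding, then applies the checks a service provider must make on the SAML Response of steps 7 and 8 before serving the requested page. The entity IDs and URLs, the fixed clock, and the sample IdP response are constructed assumptions. Cryptographic verification of the XML signature against the IdP's certificate is assumed to have been done beforehand by an XML-DSig library such as xmlsec, since the Python standard library has no RSA; the block therefore only checks that the signature is attached to the very assertion it consumes.

```python
"""SP-side SAML 2.0 helpers for the transcript's workflow: build the AuthnRequest
the web app sends at step 3 and validate the SAML Response the browser posts back
at steps 7-8.  Constructed example; not code from the video."""
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT = "%Y-%m-%dT%H:%M:%SZ"
CLOCK_SKEW = timedelta(minutes=3)                          # tolerated SP/IdP clock drift
NOW = datetime(2024, 2, 10, 12, 0, tzinfo=timezone.utc)    # fixed clock (constructed)
# Hypothetical identifiers for the two parties (assumptions, not from the page).
SP_ENTITY_ID = "https://app.example.com/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"
IDP_ENTITY_ID = "https://adfs.example.com/adfs/services/trust"
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"

def parse_ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def build_authn_request(requested_page, now=NOW):
    """Step 3: return (request_id, redirect_url).  The SP stores request_id to match
    the Response's InResponseTo; RelayState carries the page the user asked for."""
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{now.strftime(FMT)}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    saml_request = base64.b64encode(z.compress(xml.encode()) + z.flush()).decode()
    query = urlencode({"SAMLRequest": saml_request, "RelayState": requested_page})
    return request_id, f"{IDP_SSO_URL}?{query}"

def validate_response(response_xml, outstanding_ids, seen_assertion_ids, now=NOW):
    """Steps 7-8: checks an SP makes before trusting a posted Response.  Precondition:
    an XML-DSig library (e.g. xmlsec) has already verified the Assertion signature with
    the IdP certificate; only the signature's structure is checked here (stdlib has no RSA)."""
    root = ET.fromstring(response_xml)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported authentication failure")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    req_id = root.get("InResponseTo")
    if req_id not in outstanding_ids:
        raise ValueError("unsolicited or already-consumed InResponseTo")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Assertion not issued by the trusted IdP")
    # The signature must be enveloped in *this* Assertion and reference its ID;
    # otherwise a signature-wrapping attack can slip us an unsigned assertion.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID"):
        raise ValueError("Assertion unsigned, or signature covers another element")
    if a.get("ID") in seen_assertion_ids:
        raise ValueError("Assertion replayed")
    cond = a.find("saml:Conditions", NS)
    if (parse_ts(cond.get("NotBefore")) - CLOCK_SKEW > now
            or now >= parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("Assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion was issued for a different service provider")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != req_id
            or now >= parse_ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("SubjectConfirmationData does not match this exchange")
    outstanding_ids.discard(req_id)        # each request is answered once
    seen_assertion_ids.add(a.get("ID"))    # each assertion is accepted once
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs

def make_sample_response(request_id, now=NOW, audience=SP_ENTITY_ID, minutes_valid=5):
    """Constructed IdP response (steps 5-6) to exercise the checks; the ds:Signature is
    structurally right but holds a placeholder value, since there is no IdP key here."""
    aid, t = "_" + uuid.uuid4().hex, now.strftime(FMT)
    exp = (now + timedelta(minutes=minutes_valid)).strftime(FMT)
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}"
 ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{t}" Destination="{SP_ACS_URL}" InResponseTo="{request_id}">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="{aid}" Version="2.0" IssueInstant="{t}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#{aid}"/></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    Recipient="{SP_ACS_URL}" InResponseTo="{request_id}" NotOnOrAfter="{exp}"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="{t}" NotOnOrAfter="{exp}"><saml:AudienceRestriction>
   <saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="groups"><saml:AttributeValue>Finance</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'''
```

The checks are the ones that turn "we got a SAML response" into "this token is ours, fresh, and meant for us": a response whose InResponseTo or assertion ID has already been consumed is a replay; a wrong Audience or Recipient means the token was minted for another service provider; NotBefore/NotOnOrAfter bound the session window the transcript mentions; and a Signature whose Reference does not point at the Assertion actually being read is the shape of a signature-wrapping attack, which is why signature verification and these structural checks must look at the same element.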
