cis14: mobile sso using napps: openid connect profile for native apps-jain

Post on 05-Dec-2014

Category: Technology

DESCRIPTION

Ashish Jain, VMware. A look at the use cases for mobile SSO, the gaps that remain, and the industry initiatives available today, along with a review of the NAPPS standard, an OpenID Connect profile that addresses the various mobile SSO flows.

TRANSCRIPT

© 2014 VMware Inc. All rights reserved.

Mobile SSO using NAPPS

Ashish Jain

@itickr

CIS 2014

Why is this important?

[Chart: shipments of smartphones and tablets versus PC shipments, 2009-2012. Explosive growth in shipments of smartphones and tablets; flat PC shipments. Sources: IDC, BGR, Forrester.]

of information workers use three or more devices for work to increase productivity

New Device Platforms, New Apps, New User Expectations

BYOD & JIT

The Changing Device Mix

[Chart: Connected Device Market by Product Category, Shipments, 2012-2017 in Millions; categories Smartphone, Tablet, Portable PC, Desktop PC. Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, February 28, 2013.]

The Changing Device Mix

Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, September 11, 2013

By 2017, 87% of connected devices will be smart phones and tablets

[Diagram build-up across several slides: native apps (App 1, App 2, App 3) first authenticate directly against AD; then through a Policy Server; then via a SAML IdP with the apps acting as SAML RPs; then iOS apps authenticate against an OAuth AS; finally OpenID Connect is layered over the OAuth AS, and a Token Agent (TA) is introduced.]

Web SSO Flow

[Diagram: steps 1-4 over SAML among the IdP, the RP and AD.]

Mobile App Auth Flow

[Diagram: steps 1-4 over SAML among the IdP, the RP / RS and AD, then steps 5-7 over OAuth between the Mobile App and the AS.]

Mobile App(s) Auth Flow

[Diagram: the same flow repeated for each Mobile App on the device; every app goes through steps 1-7 on its own.]

Mobile App Auth Flow

IdP Discovery, IdP Login, Access to App

Mobile App(s) Auth Flow

[Diagram: each app repeats IdP Discovery, IdP Login and App Access separately.]

Issues

•  Authentication per mobile app

•  No invalidation of access token

•  No clean up of offline/cached data on device

Mobile App SSO – SP Init

Mobile App SSO – IdP Init

Mobile App SSO

Mobile App SSO

Where are we today ?

•  Layer 7

•  Centrify

•  Samsung Knox

•  Google Auth


Deployment Models

•  Enterprise in-house native apps

•  Native App for a SaaS provider

•  Multiple native apps for a single SaaS provider

NAPPS

•  OIDF working group

•  Profile of OpenID Connect

•  Participants include VMware, AirWatch, Ping Identity, MobileIron, Okta, OneLogin…

NAPPS Terminology

•  Token Agent: Native app that obtains access tokens on behalf of other native apps

•  AppInfo Endpoint: Endpoint to obtain metadata about apps

•  Primary Token: OAuth token obtained by TA for its own use

•  Secondary Token: OAuth token obtained by TA on behalf of other native apps
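The roles defined above, and the "no invalidation of access token" gap from the Issues slide, as a constructed Python model added here (not code from the talk or from the NAPPS specification): an in-memory AS issues the Token Agent a primary token after one login, hands out per-app secondary tokens only to apps listed in AppInfo, and revoking the primary token invalidates every secondary token derived from it. Method names, the AppInfo layout and the credential check are assumptions for illustration, not the NAPPS wire protocol.

```python
import secrets

# Constructed model of the NAPPS roles on this slide deck: an AS, a Token Agent
# (TA) that logs the user in once and holds the primary token, and native apps
# that receive secondary tokens. Names and formats are assumptions, not NAPPS.

class AuthorizationServer:
    def __init__(self, app_info):
        # AppInfo endpoint data: which native apps may receive secondary
        # tokens and which scopes each is allowed (constructed metadata).
        self.app_info = app_info
        self.primary = {}    # primary token -> {"sub": user, "ta": agent id}
        self.secondary = {}  # secondary token -> {"sub", "client_id", "scope", "pt"}

    def app_info_endpoint(self, client_id):
        """Metadata lookup for a native app; None if the app is not registered."""
        return self.app_info.get(client_id)

    def login(self, token_agent_id, username, password):
        """The user authenticates once, through the TA; returns a primary token."""
        if password != "correct-horse":  # constructed credential check
            return None
        pt = secrets.token_urlsafe(16)
        self.primary[pt] = {"sub": username, "ta": token_agent_id}
        return pt

    def secondary_token(self, pt, client_id, scope):
        """TA exchanges its primary token for a secondary token bound to one app."""
        session = self.primary.get(pt)
        info = self.app_info_endpoint(client_id)
        if session is None or info is None:
            return None  # unknown TA session, or app not listed in AppInfo
        if not set(scope) <= info["scopes"]:
            return None  # app asked for more than AppInfo allows it
        st = secrets.token_urlsafe(16)
        self.secondary[st] = {"sub": session["sub"], "client_id": client_id,
                              "scope": set(scope), "pt": pt}
        return st

    def introspect(self, st, client_id):
        """RS-side check: token exists, was issued to this app, primary still live."""
        rec = self.secondary.get(st)
        return rec is not None and rec["client_id"] == client_id and rec["pt"] in self.primary

    def revoke_primary(self, pt):
        """Signing the TA out invalidates every secondary token derived from it."""
        self.primary.pop(pt, None)
        for st in [s for s, r in self.secondary.items() if r["pt"] == pt]:
            del self.secondary[st]
```

Because every secondary token records the primary token it came from, one revocation at the TA covers all apps on the device, which is the single sign-out the per-app OAuth flow on the earlier slides cannot provide.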

Mobile App SSO

[Diagram: steps 1-9 with SAML IdP, RP / RS, AD, Token Agent, Mobile App and OAuth AS. The Token Agent holds the primary token (PT) and passes a secondary token (ST) to the Mobile App.]

Mobile App SSO

Thank You!
