cis14: mobile sso using napps: openid connect profile for native apps-jain

© 2014 VMware Inc. All rights reserved.

Mobile SSO using NAPPS

Ashish Jain

@itickr

CIS 2014

Why is this important ?

0

300

600

900

2009 2010 2011 2012

Smartphones and tablets PC shipments

of information workers use three or more devices for w o r k t o i n c r e a s e p r o d u c t i v i t y

EXPLOSIVE GROWTH in shipments of smartphones and tablets

Sources: IDC, BGR, Forrester

FLAT pc shipments

New Device Platforms New Apps New User Expectations New Device Platforms

BYOD & JIT

The Changing Device Mix

148 141

202 240 128

352

722

1516

0

1000

2000

2012 2017

Smartphone

Tablet

Portable PC

Desktop PC

Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, February 28, 2013

Connected Device Market by Product Category, Shipments, 2012-2017 in Millions

The Changing Device Mix

Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, September 11, 2013

By 2017, 87% of connected devices will be smart phones and tablets

App 1

App 2 App 3

App 1

App 2 App 3

App 4

App 1 App 2 App 3

AD

App 1 App 3

AD

Policy Server

App 2

App 1

AD

Policy Server

App 2

App 3 App 1

AD

Policy Server

App 2

App 3

App 1

AD

SAML IdP

App 2

App 3 App 1

AD

App 2

App 3

Policy Server

SAML RP

Policy Server

SAML

App 1

AD

SAML IdP

App 2

App 3

App 1

AD

App 2

App 3

Policy Server

SAML RP

Policy Server

SAML

App 1

AD

SAML IdP

App 2

App 1

AD

App 2

App 3

Policy Server

SAML RP

Policy Server

SAML

App 3 SAML RP

App 1

AD

SAML IdP

App 2

App 1

AD

App 2

App 3

Policy Server

SAML RP

Policy Server

SAML

iOS App

App 3 SAML RP

App 1

AD

SAML IdP

App 2

App 1

AD

App 2

App 3

Policy Server

SAML RP

Policy Server

SAML

OAuth AS

iOS App

App 3 SAML RP

App 1

AD

SAML IdP

App 2

App 1

AD

App 2

App 3

Policy Server

SAML RP

Policy Server

SAML

iOS App iOS App

OAuth AS App 3 SAML RP

App 1

AD

SAML IdP

App 2

App 1

AD

App 2

App 3

Policy Server

SAML RP

Policy Server

SAML

iOS App iOS App

OAuth AS

OAuth AS App 3 SAML RP

App 1

AD

SAML IdP

App 2

App 1

AD

App 2

App 3

Policy Server

SAML RP

Policy Server

SAML

iOS App iOS App

OAuth AS

OpenID Connect

OpenID Connect OAuth AS App 3 SAML RP

App 1

AD

SAML IdP

App 2

App 1

AD

App 2

App 3

Policy Server

SAML RP

Policy Server

SAML

iOS App iOS App

OAuth AS

OpenID Connect

OpenID Connect OAuth AS App 3 SAML RP

TA

Web SSO Flow

1

2

3

4

SAML

IdP RP

AD

Mobile App Auth Flow

1

2

4

3

SAML

IdP RP / RS

AD

Mobile App

AS

5

6

7 OAuth

Mobile App

Mobile App(s) Auth Flow

1

2

4

3

SAML

IdP RP / RS

AD

Mobile App

AS

5

6

7OAuth

IdP Discovery

IdP Login

Access to App

IdP Discovery

IdP Login

App Access

Mobile App

Mobile App(s) Auth Flow

1

2

4

3

SAML

IdP RP / RS

AD

Mobile App

AS

5

6

7 OAuth

Issues §  Authentication per Mobile App. §  No invalidation of access token §  No clean up of offline/cached data on device

Mobile App SSO – SP Init

Mobile App SSO – IdP Init

Mobile App SSO

Where are we today ?

•  Layer 7

•  Centrify

•  Samsung Knox

•  Google Auth

App 1 App 3

AD

Policy Server

App 2

Deployment Models

•  Enterprise in-house native apps

•  Native App for a SaaS provider

•  Multiple native apps for a single SaaS provider

NAPPS

•  OIDF working group

•  Profile of OpenIDConnect

•  Participants include (VMware, AirWatch, Ping

Identity, Mobile Iron, Okta, OneLogin…)

NAPPS Terminology

•  Token Agent: Native app that obtains access tokens on behalf of

other native apps

•  AppInfo Endpoint: Endpoint to obtain metadata about apps

•  Primary Token: OAuth token obtained by TA for its own use

•  Secondary Token: OAuth token obtained by TA on behalf of other

native app

Mobile App SSO

1

2 3

SAML IdP RP / RS

AD

Mobile App

AS

5

9 OAuth

Token Agent

3

PT

6

ST

4

5 7

8

Mobile App SSO

Thank You!

cis14: mobile sso using napps: openid connect profile for native apps-jain

Technology