1. Secure Identity Services for Cloud and Mobile apps
© 2004-2012. Centrify Corporation. All Rights Reserved.

2. Authentication Nirvana (Mobilized Enterprise)
Identify. Unify. Centrify.
• One identity and credential for Enterprise Users
• Protection of identity by Active Directory inside the Firewall
• User gets SSO to all enterprise applications (Native and Web)
• App Developer only needs to ask the platform for authentication and a security token for the backend
• IT controls app authentication and authorization

3. Bring Your Own Device drives BYOApps
• Organizations are increasingly allowing employees to bring their own devices

4. Bring Your Own Challenge #1: Mobility is here to stay
• BYOD means cloud apps and data are being accessed and stored on devices that are easily lost or stolen

5. Bring Your Own Challenge #2: Multiple Passwords = Frustrated Users
• Helpdesk ticket volume is increasing, and IT satisfaction is decreasing, as password frustration builds
• Example: Passwords are used everywhere, cached and replayed on these devices
• Periodic password change at the desktop typically locks the user's account
• Device upgrade/migration requires re-entry of all passwords

6. Bring Your Own Challenge #3: Business Data is at High Risk
• Multiplying business apps lead to password sharing and reuse, exposing corporate data to attacks
• Example: Users have bad password practices on mobile due to data entry difficulty
  • Users choose simple passwords, using their email address as identity
  • They use it everywhere (Google, corp email, LinkedIn, Evernote, Adobe, etc.)
  • A password breach on any one service grants access to the other services
• Passwords are used in public places, increasing the risk of eavesdropping
  • Example: high-resolution cameras on the mobile devices of the guy behind you can easily capture them

7. Solutions

8. Extend Identity Services to Mobile Platforms
Provide SSO by Leveraging Federated Identity
• Don't create a separate Identity in your service; accept Federated Identity
• Design mobile interfaces to seamlessly integrate with the Enterprise services
Containerize the environment to separate work from personal
• Protect work applications and data from data leakage
• Provide the laptop experience on mobile: unlock and access all business apps

9. Solution: Enterprise Integration

10. Enterprise Identity for Mobile Users
Where users have one login ID and password, and IT has one Identity Infrastructure to manage
(Diagram: End Users on Laptops, Smartphones and Tablets use one ID against Active Directory)

11. Strengthen Security with Federated Identity
• Federated Identity ensures that users only need to use their AD userid/password
  • Only one password to remember
  • Password is protected by the Enterprise in AD
• AD-based federation provides several advantages for IT
  • Leverages existing account and password policies, simplifying management
  • Ensures that IT controls access, eliminating the risk of orphaned accounts
(Diagram: Federation Trust between a Cloud Proxy Server and IDP as a Service, across the Firewall)

12. Solution: Containerization for Enterprise Mobile Apps

13. Mobile Platforms are Increasingly Secure
• Mobile device manufacturers are improving security since they tightly control the mobile platform OS and Device
  • Device Integrity is constantly improving: iOS 7 & 8, Samsung KNOX
  • Per-App VPN is now included
  • On-device data encryption built in to protect data at rest
• Containerization is provided to protect Corporate Accounts, Applications and Data
  • iOS 7 & 8 provide "Managed Open In" as a virtual container for Managed Accounts and Managed Apps (installed by MDM)
  • Samsung KNOX provides an isolated environment to separate work from play
  • MDM APIs are improving for Enterprise use cases
• Enterprise SSO is provided to simplify user access to Enterprise Services as well as Enterprise applications
  • Centrify SSO on Samsung KNOX as well as Kerberos
  • Kerberos on iOS 7, cert-based Kerberos on iOS 8

14. Samsung KNOX: Dual-Persona via Container
• Dual persona enables usage of the same app with different personalities
  • Personal Mail on the device, Business Mail in the container
  • Personal Box account on the device, Business Box account in the container
(Diagram labels: Office 365, Box, Mail, Gmail, Dropbox)

15. iOS 7: Offers Virtual Containerization
• Offers containerization via Managed Accounts and Managed Apps (configured and installed by MDM)
• Managed Account profiles can be pushed as a policy to the device
• Managed Apps can be silently installed
• Managed "Open In" can be defined
• "Single Sign On" configuration can be configured via MDM

16. Mobile Platforms are Driving Higher Security
• Built-in data protection with disk encryption, trusted boot, secure credential storage, app isolation and containerization
• Fingerprint sensors on iPhone 5S and Galaxy S5 configurable for device and container unlock
• Fingerprint unlocks access to strong credentials such as PKI certs

17. Mobile Enterprise SSO: Best Practices and Examples

18. Current Federation Authentication Experience
• Keep it simple. Today's approach to Federated authentication is too cumbersome:
  1) App launches
  2) Displays a login screen and an additional link for "Are you a Single Sign-On user?"
  3) User clicks on it and is presented a form for entering an email address
  4) App then connects to the backend, redirects to the Enterprise IDP and opens a browser to present the IDP login screen
  5) IDP displays the login screen asking for userid and password
  6) IDP authenticates, generates a token and provides the token back
  7) App receives the token, closes the browser window, then provides access to the service

19. Federated Auth for Mobile is too hard
20. Use Enterprise SSO Service within Container
• Multi-application SSO installed into the Container (by IDP/MDM)
  • One SSO Registration for the Container
  • Whitelisted apps can use the Enterprise SSO Service
• The container provides Enterprise SSO as a Service
  • Identifies the authenticated user to the apps
  • Provides AD attributes of the user such as group memberships
  • Grants security tokens upon request for an authorized web app/service
(Diagram: Samsung SE Android device with a KNOX Container holding Enterprise SSO, Mobile App 1 and Mobile App 2 (each with the Mobile Auth SDK), and a Personal App outside the container; Cloud Proxy Server and IDP as a Service behind the Firewall; Web Application. Step 1: Web Application Registration. Step 2: One-time user authentication & Container registration. Step 3: Token Generation. Step 4: Token-based Authentication.)
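The four steps in the diagram above, as an added example that is not Centrify's or Samsung's code: a small Python model of a container-resident Enterprise SSO service. It registers a web application (step 1), performs one-time user authentication that registers the container (step 2), identifies the user and their AD attributes to whitelisted apps only, mints audience-scoped short-lived tokens on request (step 3), and shows the web application validating such a token (step 4). Class, method and sample names, host names and the "signing certificate" bytes are assumptions; the tokens are HMAC-signed JSON, a constructed stand-in for whatever format (SAML, JWT) a real service issues.

```python
"""Added example (not Centrify's/Samsung's code): model of a container SSO service."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class ContainerSSOService:
    """One instance per container: the single user session (step 2), the
    registered web applications (step 1), an app whitelist and a token cache."""

    def __init__(self):
        self.registered_apps = {}   # target URL -> secret shared with that web app
        self.whitelist = set()      # SHA-256 digests of allowed app signing certs
        self.session = None         # {"upn": ..., "groups": [...]} once registered
        self.token_cache = {}       # target URL -> last issued token

    # Step 1: the enterprise registers a web application that will accept tokens.
    def register_web_application(self, target, shared_secret):
        self.registered_apps[target] = shared_secret

    # Whitelist keyed on the caller's signing certificate (the "app signature"
    # the provider needs from the OS); bundle ids alone are spoofable.
    def whitelist_app(self, signer_cert_der):
        self.whitelist.add(hashlib.sha256(signer_cert_der).hexdigest())

    # Step 2: one-time user authentication against the IdP registers the container.
    def register_container(self, idp_authenticate, username, password):
        user = idp_authenticate(username, password)
        if user is None:
            raise PermissionError("IdP rejected the credentials")
        self.session = user
        self.token_cache.clear()

    def _check_caller(self, signer_cert_der):
        if self.session is None:
            raise PermissionError("container is not registered")
        if hashlib.sha256(signer_cert_der).hexdigest() not in self.whitelist:
            raise PermissionError("calling app is not whitelisted")

    # Identify the authenticated user and their AD attributes to a whitelisted app.
    def get_user_information(self, signer_cert_der):
        self._check_caller(signer_cert_der)
        return {"upn": self.session["upn"], "groups": list(self.session["groups"])}

    # Step 3: mint an audience-scoped, short-lived token for a registered target;
    # a still-valid cached token is reused unless the app asks for a fresh one.
    def get_security_token(self, signer_cert_der, target, always_fresh=False, ttl=300):
        self._check_caller(signer_cert_der)
        if target not in self.registered_apps:
            raise KeyError("target is not a registered web application")
        secret = self.registered_apps[target]
        cached = self.token_cache.get(target)
        if cached and not always_fresh and validate_token(cached, target, secret):
            return cached
        now = int(time.time())
        claims = {"sub": self.session["upn"], "groups": self.session["groups"],
                  "aud": target, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
        token = body + "." + sig
        self.token_cache[target] = token
        return token


# Step 4: the web application validates the token it received from the app.
def validate_token(token, expected_target, shared_secret, now=None):
    """Return the claims if signature, audience and lifetime check out, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(shared_secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != expected_target or not claims["iat"] <= now < claims["exp"]:
        return None
    return claims


def run_demo():
    """Walk the four steps with constructed data and report the outcomes."""
    target, secret = "https://expenses.example.com", "constructed-shared-secret"
    trusted_cert = b"constructed DER of the trusted app's signing cert"
    rogue_cert = b"constructed DER of some other signer"

    def fake_idp(username, password):   # stand-in for AD/IdP authentication
        if (username, password) == ("alice@example.com", "correct horse"):
            return {"upn": "alice@example.com", "groups": ["Finance", "Domain Users"]}
        return None

    sso = ContainerSSOService()
    sso.register_web_application(target, secret)                           # step 1
    sso.whitelist_app(trusted_cert)
    sso.register_container(fake_idp, "alice@example.com", "correct horse")  # step 2
    token = sso.get_security_token(trusted_cert, target)                    # step 3
    outcome = {
        "user": sso.get_user_information(trusted_cert),
        "claims": validate_token(token, target, secret),                    # step 4
        "reused_cached": sso.get_security_token(trusted_cert, target) == token,
        "wrong_audience": validate_token(token, "https://other.example.com", secret),
        "wrong_key": validate_token(token, target, "not-the-secret"),
        "expired": validate_token(token, target, secret, now=int(time.time()) + 301),
    }
    try:
        sso.get_security_token(rogue_cert, target)
        outcome["rogue_rejected"] = False
    except PermissionError:
        outcome["rogue_rejected"] = True
    return outcome


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Token transport to the web application is left to the app, as slide 25 says; what the model makes visible is that the web application only ever trusts a token bound to its own audience and still within its lifetime, and that the container answers only apps whose signer it knows.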
21. Android login Changes
• Demo
• Walk through of Code to use the Enterprise Authentication Services built into Samsung KNOX

22. iOS login Changes
• iOS
  • For non-SAML apps, in the login call, all that's needed is:

    - (IBAction)getUserInformation:(id)sender {
        // Ask the Enterprise SSO service who is logged in; the handler receives the result.
        [EnterpriseAuthentication getUserInformation:^(CentrifySDKResult *result) {
            [self getUserInformationHandler:result];
        }];
    }

  • For SAML apps, the following API can be used with the Centrify App installed on the device:

    - (IBAction)getAccessToken:(id)sender {
        self.accessToken = nil;
        // Request a security token for the target service; a cached token is
        // reused when alwaysUseFreshToken is NO.
        [EnterpriseAuthentication getSecurityTokenForTarget:@"<Target>"
                                        alwaysUseFreshToken:NO
                                          completionHandler:^(CentrifySDKResult *result) {
            [self getSecurityTokenHandler:result];
        }];
    }
23. iOS & Android Kerberos SSO
• Pre-requisites: the KDC should be reachable, and Backend Services should have support for Kerberos
• SSO Profile:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                ……
                <key>Kerberos</key>
                <dict>
                    <key>Realm</key>
                    <string>CENTRIFY.COM</string>
                    <key>URLPrefixMatches</key>
                    <array>
                        <string></string>
                    </array>
                </dict>
            </dict>
        </array>
    </dict>
    </plist>
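An added example, not Centrify's or Apple's code, of reading an iOS SSO profile of the shape shown above with plistlib and deciding which Kerberos realm, if any, applies to a URL via URLPrefixMatches. The profile template, host names and lint rules are constructed for this example (the PayloadType value com.apple.sso is the real SSO payload type; everything else is an assumption); the empty-string prefix case mirrors the `<string></string>` entry on the slide and shows why it matters: an empty prefix makes the enterprise Kerberos identity available to every URL the device visits.

```python
"""Added example (not Centrify's/Apple's code): parse an iOS SSO profile and
evaluate URLPrefixMatches for a URL, flagging over-broad prefixes."""
import plistlib
from urllib.parse import urlsplit

# Constructed profile in the shape of the slide; {realm} and {prefixes} are filled in.
PROFILE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.sso</string>
      <key>Kerberos</key>
      <dict>
        <key>Realm</key>
        <string>{realm}</string>
        <key>URLPrefixMatches</key>
        <array>{prefixes}</array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def build_profile(realm, prefixes):
    """Render the constructed template into plist bytes for the given realm/prefixes."""
    entries = "".join(f"<string>{p}</string>" for p in prefixes)
    return PROFILE_TEMPLATE.format(realm=realm, prefixes=entries).encode()


def load_kerberos_accounts(profile_bytes):
    """Return [{realm, prefixes}] for every Kerberos account in the profile."""
    profile = plistlib.loads(profile_bytes)
    accounts = []
    for payload in profile.get("PayloadContent", []):
        kerberos = payload.get("Kerberos")
        if kerberos is None:
            continue
        accounts.append({"realm": kerberos.get("Realm"),
                         "prefixes": list(kerberos.get("URLPrefixMatches", []))})
    return accounts


def matching_realm(accounts, url):
    """Realm whose URLPrefixMatches covers url (plain string prefix), else None."""
    for account in accounts:
        for prefix in account["prefixes"]:
            if url.startswith(prefix):   # an empty prefix therefore matches every URL
                return account["realm"]
    return None


def lint_prefixes(accounts):
    """Flag prefixes that would offer the Kerberos identity more widely than intended."""
    findings = []
    for account in accounts:
        for prefix in account["prefixes"]:
            if prefix == "":
                findings.append((account["realm"], prefix, "empty prefix matches every URL"))
            elif not prefix.startswith("https://"):
                findings.append((account["realm"], prefix, "not an https:// prefix"))
            elif not urlsplit(prefix).path:
                # "https://host" (no trailing slash) also matches "https://host.evil.example/"
                findings.append((account["realm"], prefix, "no trailing slash after the host"))
    return findings


if __name__ == "__main__":
    scoped = load_kerberos_accounts(build_profile(
        "CENTRIFY.COM", ["https://intranet.example.com/", "https://expenses.example.com/"]))
    print(matching_realm(scoped, "https://expenses.example.com/report/1"), lint_prefixes(scoped))
    broad = load_kerberos_accounts(build_profile("CENTRIFY.COM", [""]))
    print(matching_realm(broad, "https://anything.example.net/"), lint_prefixes(broad))
```

The matching here is a literal string-prefix test, which is what makes the trailing-slash and empty-prefix findings worth checking before a profile is pushed by MDM: the profile decides on which hosts the device will negotiate with the enterprise KDC on the user's behalf.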
24. Ideal Solution
(Diagram labels: App1, App2, App3; SSO Developer APIs; SSO IdP Interface; IdP Provider API; Provider; IdP Config plists; "Provided by Mobile OS"; "Provider provided by IdP, aka Centrify")

25. App Developer
• Standard API (SSO Developer API in the diagram from Slide 5)
  • Get User Information: who is logged into the device
  • Get Security Token for the intended Service
  • Get Additional Attributes for the User from the IdP
• Token transport to the Service is handled by the application
Note: Listed on the RHS are the APIs provided today in the Centrify SDK for iOS. Listed here for reference.

26. IdP Provider API
• IdP vendor provides a plugin to the SSO layer
• Defined API is the IdP-specific implementation of the developer SSO API
• Implementation is up to the IdP vendor

27. Enterprise Admin
• Identity Provider config supplied by SSO profiles (OTA or USB)
  • Can be pushed to the device via MDM or other mechanisms
• Most admin visibility is via the IdP backend
  • Not specified by SSO; up to the IdP implementer (either provider module or service)

28. Mobile OS Platform
• SSO Developer API implementation
  • Interface layer that calls the configured IdP provider
• How do IdP provider plug-ins get into the system? The OS provides a dynamic way of loading the IdP plug-in (configured in the SSO profile)
• Providers need a way to share state across the apps that call them and the provider UI
  • SSO implies that user identity and other low-level state is shared
  • Big barrier to a nice iOS implementation today
• Providers need access to app signatures
  • So that they can safely whitelist apps

29. Interested?
• We are working on this standard!
• If interested in contributing, reach out to: or

30. Key takeaways
• Offer Federated Authentication Support in your application
• Do it the right way with User Experience in mind
• Work with us on the Standard to drive Mobile OS vendors to provide token-agnostic and IDP-agnostic solutions

31. Thank You
David McNeely
Sumana Annam