Mobile SSO using NAPPS
Ashish Jain (@itickr), VMware
CIS 2014
© 2014 VMware Inc. All rights reserved.
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain

Ashish Jain, VMware

A look at the use cases for Mobile SSO, the gaps that remain, and the industry initiatives available today, along with a review of the NAPPS standard, an OpenID Connect profile that addresses the various Mobile SSO flows.

Published in: Technology
Transcript of "CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain"

  1. © 2014 VMware Inc. All rights reserved. Mobile SSO using NAPPS. Ashish Jain, @itickr, CIS 2014
  2. Why is this important? [Chart: smartphone and tablet shipments vs. PC shipments, 2009-2012.] ... of information workers use three or more devices for work to increase productivity. EXPLOSIVE GROWTH in shipments of smartphones and tablets; FLAT PC shipments. Sources: IDC, BGR, Forrester. New Device Platforms, New Apps, New User Expectations, BYOD & JIT.
  3. The Changing Device Mix. [Chart: Connected Device Market by Product Category, Shipments, 2012 vs. 2017, in millions: Desktop PC 148 to 141; Portable PC 202 to 240; Tablet 128 to 352; Smartphone 722 to 1516.] Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, February 28, 2013.
  4. The Changing Device Mix. By 2017, 87% of connected devices will be smart phones and tablets. Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, September 11, 2013.
  5. [Diagram build-up, slides 5 to 23: a single native app (App 1); then App 1, App 2, App 3 and App 4 each authenticating directly against AD; then the apps behind a Policy Server; then a SAML IdP with each app as a SAML RP; then an iOS App added alongside an OAuth AS; then OpenID Connect; and finally a TA (Token Agent) on the device.]
  24. Web SSO Flow. [Diagram: steps 1 to 4 between the browser, the SAML IdP, the RP and AD.]
  25. Mobile App Auth Flow. [Diagram: steps 1 to 7 between the Mobile App, the OAuth AS, the SAML IdP, the RP / RS and AD.]
  26. Mobile App(s) Auth Flow. [Same diagram with several Mobile Apps, each repeating steps 1 to 7.]
  27. Mobile App Auth Flow. [Screenshots, slides 27 to 31: IdP Discovery, IdP Discovery, IdP Login, Access to App.]
  32. Mobile App Auth Flow. [Screenshots, slides 32 to 37: IdP Discovery, IdP Discovery, IdP Login, App Access, App Access.]
  38. Mobile App(s) Auth Flow. [Diagram repeated.] Issues:
     • Authentication per Mobile App.
     • No invalidation of access token.
     • No clean up of offline/cached data on device.
  39. Mobile App SSO – SP Init
  40. Mobile App SSO – IdP Init
  41. Mobile App SSO
  42. Mobile App SSO
  43. Where are we today?
     • Layer 7
     • Centrify
     • Samsung Knox
     • Google Auth
  44. [Diagram: App 1, App 2 and App 3 behind a Policy Server in front of AD.]
  45. Deployment Models
     • Enterprise in-house native apps
     • Native App for a SaaS provider
     • Multiple native apps for a single SaaS provider
  46. NAPPS
     • OIDF working group
     • Profile of OpenID Connect
     • Participants include VMware, AirWatch, Ping Identity, MobileIron, Okta, OneLogin…
  47. NAPPS Terminology
     • Token Agent: Native app that obtains access tokens on behalf of other native apps
     • AppInfo Endpoint: Endpoint to obtain metadata about apps
     • Primary Token: OAuth token obtained by TA for its own use
     • Secondary Token: OAuth token obtained by TA on behalf of other native app
  48. Mobile App SSO. [Diagram: steps 1 to 9 between the Mobile App, the Token Agent, the OAuth AS, the SAML IdP, the RP / RS and AD; the PT and ST labels mark where the primary and secondary tokens are issued.]
  49. Mobile App SSO
  50. Thank You!
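To make the terminology of slide 47 and the flow of slide 48 concrete, here is an added example (not code from the NAPPS profile, from VMware, or from this talk) that models an OAuth authorization server with the two NAPPS token kinds. The Token Agent (TA) gets a Primary Token (PT) once the user has logged in through the IdP; it then asks the AS for a Secondary Token (ST) for each native app. The model also covers two of the issues listed on slide 38: an ST is bound to exactly one app (audience), so a token leaked from one app is useless to another, and revoking the PT invalidates every ST derived from it, so one logout cleans up every app on the device. The class name, method names, the in-memory token store and the registered-app list (standing in for what an AppInfo endpoint would publish) are all assumptions of this example, not part of the NAPPS specification.

```python
"""Toy model of the NAPPS token-agent pattern: primary vs. secondary tokens.

Added example only; the AS API below is invented for illustration and is not
the NAPPS profile's wire protocol.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class Token:
    value: str
    subject: str            # user the IdP authenticated
    audience: str           # TA client id for a PT; native app id for an ST
    parent: Optional[str]   # PT value an ST was derived from; None for a PT
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    """OAuth AS with the NAPPS roles: one Token Agent, many native apps."""

    def __init__(self, token_agent_id: str, registered_apps: Iterable[str],
                 st_ttl: float = 600.0) -> None:
        self.token_agent_id = token_agent_id
        # Apps the AppInfo endpoint would publish metadata for (assumed list).
        self.registered_apps = set(registered_apps)
        self.st_ttl = st_ttl
        self.tokens: Dict[str, Token] = {}

    def _mint(self, subject: str, audience: str, parent: Optional[str],
              ttl: float, now: float) -> Token:
        tok = Token(secrets.token_urlsafe(24), subject, audience, parent, now + ttl)
        self.tokens[tok.value] = tok
        return tok

    def issue_primary(self, subject: str, now: Optional[float] = None,
                      ttl: float = 8 * 3600.0) -> Token:
        """After the IdP login (slide 48, PT): the TA receives its own token."""
        now = time.time() if now is None else now
        return self._mint(subject, self.token_agent_id, None, ttl, now)

    def issue_secondary(self, requester: str, pt_value: str, app_id: str,
                        now: Optional[float] = None) -> Token:
        """The TA presents its PT and asks for a token scoped to one app (ST)."""
        now = time.time() if now is None else now
        pt = self.tokens.get(pt_value)
        if pt is None or pt.parent is not None:
            raise PermissionError("not a primary token")
        if requester != self.token_agent_id or requester != pt.audience:
            raise PermissionError("only the token agent holding this PT may request STs")
        if pt.revoked or now >= pt.expires_at:
            raise PermissionError("primary token is no longer valid")
        if app_id not in self.registered_apps:
            raise LookupError("unknown app %r" % app_id)
        # An ST never outlives the PT it was derived from.
        ttl = min(self.st_ttl, pt.expires_at - now)
        return self._mint(pt.subject, app_id, pt.value, ttl, now)

    def introspect(self, token_value: str, presenting_app: str,
                   now: Optional[float] = None) -> bool:
        """What the RS in front of `presenting_app`'s API should check."""
        now = time.time() if now is None else now
        tok = self.tokens.get(token_value)
        if tok is None or tok.revoked or now >= tok.expires_at:
            return False
        if tok.parent is None:
            return False  # a PT is for the TA only; app RSs never accept it
        parent = self.tokens[tok.parent]
        if parent.revoked or now >= parent.expires_at:
            return False  # a dead PT takes every ST under it with it
        return tok.audience == presenting_app  # audience binding per app

    def revoke_primary(self, pt_value: str) -> int:
        """Single logout: revoke the PT and every ST derived from it."""
        pt = self.tokens.get(pt_value)
        if pt is None or pt.parent is not None:
            return 0
        count = 0
        for tok in self.tokens.values():
            if (tok.value == pt_value or tok.parent == pt_value) and not tok.revoked:
                tok.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    # Constructed walk-through: one login, two apps, one logout.
    srv = AuthorizationServer("ta", ["app1", "app2"])
    pt = srv.issue_primary("alice")
    st1 = srv.issue_secondary("ta", pt.value, "app1")
    print("app1 accepts its ST:", srv.introspect(st1.value, "app1"))
    print("app2 rejects app1's ST:", srv.introspect(st1.value, "app2"))
    print("tokens invalidated at logout:", srv.revoke_primary(pt.value))
```

The point of `revoke_primary` is the "no invalidation of access token" issue from slide 38: because every ST records the PT it came from, the AS can answer a single logout by invalidating all of them, and an RS that introspects tokens sees the change immediately. Self-contained bearer tokens (JWTs) validated offline would need a short lifetime or a revocation list to get the same effect.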