CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain

Ashish Jain, VMware

A look at the use cases for Mobile SSO, what are the gaps and what are the various industry initiatives available today, along with a review of the NAPPS standard—an OpenID Connect Profile to address various Mobile SSO flows.

  1. © 2014 VMware Inc. All rights reserved. Mobile SSO using NAPPS. Ashish Jain, @itickr, CIS 2014.
  2. Why is this important? Explosive growth in shipments of smartphones and tablets over 2009-2012 against flat PC shipments; of information workers use three or more devices for work to increase productivity. New device platforms, new apps, new user expectations, BYOD and JIT. Sources: IDC, BGR, Forrester.
  3. The Changing Device Mix. Connected Device Market by Product Category, Shipments, 2012-2017, in millions (Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, February 28, 2013):
     Category       2012   2017
     Desktop PC      148    141
     Portable PC     202    240
     Tablet          128    352
     Smartphone      722   1516
  4. The Changing Device Mix. By 2017, 87% of connected devices will be smartphones and tablets (Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, September 11, 2013).
  5-23. Build-up diagram, one element added per slide: App 1, App 2, App 3, App 4 on the device; AD behind a Policy Server; the Policy Server fronted by a SAML IdP with each app as a SAML RP; an iOS App talking to an OAuth AS; OpenID Connect between the iOS App and the AS; and finally a TA (Token Agent) on the device.
  24. Web SSO Flow (diagram: steps 1-4 between AD, SAML IdP and RP).
  25. Mobile App Auth Flow (diagram: steps 1-7 between AD, SAML IdP, OAuth AS, RP / RS and the Mobile App).
  26. Mobile App(s) Auth Flow (the same seven-step diagram repeated for each mobile app).
  27-31. Mobile App Auth Flow walkthrough (screenshots): IdP Discovery, IdP Discovery, IdP Login, Access to App.
  32-37. Mobile App Auth Flow walkthrough for a second app (screenshots): IdP Discovery, IdP Discovery, IdP Login, App Access, App Access.
  38. Mobile App(s) Auth Flow (same diagram as slide 26). Issues:
     • Authentication per mobile app.
     • No invalidation of access token.
     • No clean-up of offline/cached data on device.
  39. Mobile App SSO – SP Init
  40. Mobile App SSO – IdP Init
  41. Mobile App SSO
  42. Mobile App SSO
  43. Where are we today?
     • Layer 7
     • Centrify
     • Samsung Knox
     • Google Auth
  44. Diagram (same as slide 9): App 1, App 2, App 3 on the device; AD behind a Policy Server.
  45. Deployment Models
     • Enterprise in-house native apps
     • Native app for a SaaS provider
     • Multiple native apps for a single SaaS provider
  46. NAPPS
     • OIDF working group
     • Profile of OpenID Connect
     • Participants include VMware, AirWatch, Ping Identity, Mobile Iron, Okta, OneLogin, …
  47. NAPPS Terminology
     • Token Agent (TA): native app that obtains access tokens on behalf of other native apps.
     • AppInfo Endpoint: endpoint to obtain metadata about apps.
     • Primary Token (PT): OAuth token obtained by the TA for its own use.
     • Secondary Token (ST): OAuth token obtained by the TA on behalf of another native app.
  48. Mobile App SSO (diagram: steps 1-9 between AD, SAML IdP, OAuth AS, RP / RS, the Token Agent and the Mobile App; the Token Agent holds the PT and hands an ST to the Mobile App).
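The Token Agent model from the terminology slide and the slide 48 flow, and the "no invalidation of access token" issue from slide 38, as an added example that is not from the talk and not the NAPPS draft's wire format: a constructed in-memory OAuth AS issues one Primary Token to the Token Agent after a single user login, mints audience-bound Secondary Tokens for other native apps only on the TA's request, and lets a resource server introspect them. The client IDs, user, scopes and the opaque-token-plus-introspection design are all assumptions made for the example; revoking the PT is modelled as a single point that invalidates every ST derived from it.

```python
import hashlib
import hmac
import secrets
import time

# Constructed client registry (hypothetical identifiers): one Token Agent and two ordinary native apps.
CLIENTS = {
    "com.example.tokenagent": {"token_agent": True, "allowed_scopes": set()},
    "com.example.mail": {"token_agent": False, "allowed_scopes": {"mail.read"}},
    "com.example.crm": {"token_agent": False, "allowed_scopes": {"crm.read", "crm.write"}},
}

# Constructed user store standing in for the AD / SAML IdP step (password kept as a salted hash).
_SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse battery staple").hexdigest()}


class AuthorizationServer:
    """OAuth AS that issues opaque Primary/Secondary Tokens and answers introspection (RFC 7662 style)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._primary = {}    # PT value -> {"sub", "exp", "revoked"}
        self._secondary = {}  # ST value -> {"pt", "aud", "scope"}

    def authenticate_token_agent(self, client_id, username, password):
        """The one interactive login on the device; only the registered Token Agent gets a PT."""
        if not CLIENTS.get(client_id, {}).get("token_agent"):
            raise PermissionError("only the Token Agent may obtain a Primary Token")
        digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
        if not hmac.compare_digest(USERS.get(username, ""), digest):
            raise PermissionError("bad credentials")
        pt = secrets.token_urlsafe(32)
        self._primary[pt] = {"sub": username, "exp": time.time() + self.ttl, "revoked": False}
        return pt

    def app_info(self, client_id):
        """AppInfo-style metadata lookup: which scopes an app is registered for."""
        if client_id not in CLIENTS:
            raise KeyError(f"unregistered app {client_id}")
        return {"client_id": client_id, "allowed_scopes": sorted(CLIENTS[client_id]["allowed_scopes"])}

    def issue_secondary_token(self, pt, target_client_id, scope):
        """TA presents its PT and receives an ST bound to the target app (aud) and to that PT."""
        rec = self._primary.get(pt)
        if rec is None or rec["revoked"] or rec["exp"] < time.time():
            raise PermissionError("Primary Token is not valid")
        allowed = set(self.app_info(target_client_id)["allowed_scopes"])
        if not set(scope) <= allowed:
            raise PermissionError(f"scope {sorted(scope)} not allowed for {target_client_id}")
        st = secrets.token_urlsafe(32)
        self._secondary[st] = {"pt": pt, "aud": target_client_id, "scope": sorted(scope)}
        return st

    def introspect(self, token):
        """Resource servers only ever see STs; a PT (or an unknown value) introspects as inactive."""
        rec = self._secondary.get(token)
        if rec is None:
            return {"active": False}
        prim = self._primary[rec["pt"]]
        if prim["revoked"] or prim["exp"] < time.time():
            return {"active": False}
        return {"active": True, "sub": prim["sub"], "aud": rec["aud"], "scope": rec["scope"]}

    def revoke_primary(self, pt):
        """Single revocation point (TA logout, device wipe): every ST derived from this PT dies with it."""
        if pt in self._primary:
            self._primary[pt]["revoked"] = True


class ResourceServer:
    """Backend for one native app: accepts only active STs whose audience is that app."""

    def __init__(self, auth_server, client_id, required_scope):
        self.auth_server, self.client_id, self.required_scope = auth_server, client_id, required_scope

    def authorize(self, token):
        info = self.auth_server.introspect(token)
        return bool(info.get("active") and info["aud"] == self.client_id and self.required_scope in info["scope"])


def run_demo():
    """Walk the flow once: TA login -> PT, PT -> STs for two apps, misuse attempts, then revocation."""
    auth = AuthorizationServer()
    mail_api = ResourceServer(auth, "com.example.mail", "mail.read")
    crm_api = ResourceServer(auth, "com.example.crm", "crm.read")
    pt = auth.authenticate_token_agent("com.example.tokenagent", "alice", "correct horse battery staple")
    st_mail = auth.issue_secondary_token(pt, "com.example.mail", ["mail.read"])
    st_crm = auth.issue_secondary_token(pt, "com.example.crm", ["crm.read"])
    result = {
        "mail_token_at_mail_api": mail_api.authorize(st_mail),   # True: right audience and scope
        "mail_token_at_crm_api": crm_api.authorize(st_mail),     # False: audience mismatch
        "primary_token_at_mail_api": mail_api.authorize(pt),     # False: PT is for the TA's own use only
        "crm_token_before_revoke": crm_api.authorize(st_crm),    # True
    }
    auth.revoke_primary(pt)  # user logs out of the TA (or MDM wipes the device)
    result["mail_token_after_revoke"] = mail_api.authorize(st_mail)  # False
    result["crm_token_after_revoke"] = crm_api.authorize(st_crm)     # False
    return result


if __name__ == "__main__":
    print(run_demo())
```

The two properties worth checking in any real deployment of this pattern are the ones the demo exercises: an ST presented at the wrong app's backend must fail on audience, and revoking the TA's primary credential must take every derived secondary token with it, which is what closes the per-app lingering-token gap listed on slide 38.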
  49. Mobile App SSO
  50. Thank You!
