Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott Morrison, Cloud Identity Summit

Think SSO is just about reducing logins across servers? Think again. In the mobile world, the new twist is sharing sessions across mobile apps on a device. Learn how technologies like OAuth and OpenID Connect can be leveraged by native apps to achieve MSSO.

  • APIs come with their own problems. You never have just one API. So quickly the issue is scaling access and management.

Presentation Transcript

  • Mobile Single Sign-On: Extending SSO Out To The Client. July 11, 2013. K. Scott Morrison, Senior Vice President and Distinguished Engineer.
  • Our Problem: Secure Mobile Access to Apps and Data. How Do We Make APIs Available?
    - Firewall mazes
    - Diversity of clients and back end systems
    - Clients and servers change at different rates
    (Diagram labels: Enterprise Network, API/Service Client, API/Service Servers, Firewall 2, Firewall 1, Internet, Directory)
    Of Interest Today:
    - Authentication, Authorization & SSO
    - Secure Transmission
    Copyright © 2013 CA. All rights reserved.
  • We Want Classic SSO In An Active Profile For REST
    - Could leverage WS-Fed here
    - SAML’s second act?
    (Diagram labels: API/Service Servers, Apps making RESTful API calls, Internet, Directory)
  • But We Also Want Local App SSO
    (Diagram labels: Single Sign On App Group A, B, C (these apps will share sign-on sessions), API/Service Servers)
    So now it’s getting interesting… “Like a VPN… but with an experience that doesn’t suck”
  • Isolation is an issue: Silos
    (Diagram labels: App layer, Persistence layer, Mobile OS)
  • Layer 7 Technologies Overview. Motivations: Many of our customers have architectures like this. Gateway Cluster at Edge of Network:
    - DMZ deployment
    - Hardware appliance, virtual appliance or software
    (Diagram labels: Enterprise Network, API/Service Servers …, Firewall 2, Firewall 1, Partners, Mobile Devices, Cloud, SSG Cluster, API/Service Client, Directory)
  • Native Single Sign-On SDK For Mobile Developers
    (Diagram labels: Enterprise Network, iPhone, Android, iPad, App-sharable Secure Key Store, One time PIN (SMS, APNS, call), API Servers)
    Strong Security for Mobile Apps:
    - Cross-platform and built for a consumer or BYOD world
    - 100% Standards-based using OAuth+OpenID Connect
    - X-app SSO with multi-factor auth & secure channel
    - X.509 Certificate provisioning for strong auth and transaction signing
  • Client Deployment Strategy
    - Don’t make me work hard – But give me a strong and extensible security model
    - Transfer of security responsibility – Let developers do what they do best
    - Simple SDK – Align with common development time environments
    - iOS, Android, Javascript, etc.
    - Mirror REST frameworks
    - Future – Aspects, wrapping, etc.
  • Self Service: User should be able to log out if device is lost or stolen. Copyright © 2012 CA. All rights reserved.
  • Three Important Entities: Device, App, User
    (Diagram labels: A, B, C)
  • Protocol Strategy: OAuth + OpenID Connect
    - Profiled for mobile
    - Clear distinction between device, user and app
    (Diagram labels: A, B, C, username/password, ID Token, Access Token/Refresh Token per app, Authorization Server)
  • Overall Architecture
  • Register device, streamlined, first usage
  • Register device, streamlined, first usage (cont.)
  • Request an access_token using JWT (SSO)
  • Mobile SSO APIs – server side (Server side API ID: Operation – URL path)
    request_token: Request access_token / id_token (JWT) – /l7cadr/auth/oauth/v2/token
    request_token_sso: Request access_token using id_token (JWT), which is the SSO scenario – /l7cadr/auth/oauth/v2/token
    request_token_basic: Request access_token / id_token (JWT) – /l7cadr/auth/oauth/v2/token
    request_token_sso_basic: Request access_token using id_token (JWT), which is the SSO scenario – /l7cadr/auth/oauth/v2/token
    revoke_token: Revoke an access_token or refresh_token – /l7cadr/auth/oauth/v2/token/revoke
    register_device: Registers a device for a user – /l7cadr/connect/device/register
    resource_owner_logout: The resource_owner logs out of the device by invalidating his current id_token (JWT) – /l7cadr/connect/session/logout
    resource_owner_session_status: The client requests the session status by passing in the id_token – /l7cadr/connect/session/status
    remove_device_x509: Removes a registered device using SSL mutual authentication – /l7cadr/connect/device/remove
    userinfo: The endpoint returns claims about the current user. The result depends on the SCOPE that was requested with the access_token – /l7cadr/openid/connect/v1/userinfo
    list_devices: Lists registered devices – /l7cadr/connect/device/list
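The per-app token model from the Protocol Strategy slide and the SSO endpoints in the table above, as an added example (not Layer 7's SDK or gateway code): one app in the group logs the user in once, the resulting id_token (JWT) is kept in the app-sharable key store, every other app exchanges it for its own access_token without a second login, and a logout invalidates the shared session for all of them. Endpoint paths are from the slides; request shapes, claim names, the HS256 key and the user database are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time
# Constructed model of the deck's token design: one id_token (JWT) per user and device, shared
# by the SSO app group; each app exchanges it for its own access_token. Endpoint paths are from
# the slides; request shapes, claim names and HS256 signing are this example's assumptions.
def _b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(txt): return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))
class AuthorizationServer:
    def __init__(self, key, users):
        self.key, self.users = key, users      # users: {name: password}
        self.logged_out = set()                # jti values invalidated by logout
        self.access_tokens = {}                # opaque token -> (user, device, app)
    def _sign(self, claims):
        head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64(json.dumps(claims).encode())
        mac = hmac.new(self.key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        return f"{head}.{body}.{_b64(mac)}"
    def _verify(self, id_token):
        head, body, sig = id_token.split(".")
        mac = hmac.new(self.key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(mac), sig): raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
        if claims["exp"] < time.time() or claims["jti"] in self.logged_out:
            raise ValueError("session invalid")
        return claims
    # /l7cadr/connect/device/register: first use, the user authenticates with a password
    def register_device(self, user, password, device_id):
        if self.users.get(user) != password: raise PermissionError("bad credentials")
        return self._sign({"sub": user, "device": device_id,
                           "jti": secrets.token_hex(8), "exp": time.time() + 3600})
    # /l7cadr/auth/oauth/v2/token (request_token_sso): id_token in, per-app access_token out
    def request_token_sso(self, id_token, client_id):
        claims = self._verify(id_token)
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = (claims["sub"], claims["device"], client_id)
        return token
    def session_status(self, id_token):        # /l7cadr/connect/session/status
        try: self._verify(id_token); return "active"
        except ValueError: return "invalid"
    def resource_owner_logout(self, id_token): # /l7cadr/connect/session/logout: ends SSO for all apps
        self.logged_out.add(self._verify(id_token)["jti"])

def demo():
    srv = AuthorizationServer(b"constructed-demo-key", {"alice": "pw"})
    keystore = {"id_token": srv.register_device("alice", "pw", "phone-1")}  # app A logs in once
    tok_a = srv.request_token_sso(keystore["id_token"], "app-A")
    tok_b = srv.request_token_sso(keystore["id_token"], "app-B")  # app B: no second login prompt
    before = srv.session_status(keystore["id_token"])
    srv.resource_owner_logout(keystore["id_token"])  # user reports the device lost or stolen
    return {"srv": srv, "id_token": keystore["id_token"], "tok_a": tok_a, "tok_b": tok_b,
            "before": before, "after": srv.session_status(keystore["id_token"])}
```

The `keystore` dict stands in for the app-sharable secure key store on the device; in the real design that store, not the server, is what lets apps A, B and C share the sign-on session.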
  • Administration of Tokens
  • Demo
  • Questions? K. Scott Morrison smorrison@layer7.com (604) 681-9377