Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott Morrison, Cloud Identity Summit

Think SSO is just about reducing logins across servers? Think again. In the mobile world, the new twist is sharing sessions across mobile apps on a device. Learn how technologies like OAuth and OpenID Connect can be leveraged by native apps to achieve MSSO.

Notes

  • APIs come with their own problems. You never have just one API. So quickly the issue is scaling access and management.

Transcript

  • 1. Mobile Single Sign-On: Extending SSO Out To The Client. July 11, 2013. K. Scott Morrison, Senior Vice President and Distinguished Engineer.
  • 2. Our Problem: Secure Mobile Access to Apps and Data. How Do We Make APIs Available? (Copyright © 2013 CA. All rights reserved.)
      • Firewall mazes
      • Diversity of clients and back end systems
      • Clients and servers change at different rates
      • Diagram: API/Service Client, Internet, Firewall 1, Firewall 2, Enterprise Network, API/Service Servers, Directory
      • Of interest today: Authentication, Authorization & SSO; Secure Transmission
  • 3. We Want Classic SSO In An Active Profile For REST
      • Could leverage WS-Fed here
      • SAML’s second act?
      • Diagram: Apps making RESTful API calls, Internet, API/Service Servers, Directory
  • 4. But We Also Want Local App SSO
      • Single Sign On App Group (these apps will share sign-on sessions): apps A, B and C calling the API/Service Servers
      • So now it’s getting interesting…
      • “Like a VPN… but with an experience that doesn’t suck”
  • 5. Silos
      • App layer, persistence layer, mobile OS
      • Isolation is an issue
  • 6. Layer 7 Technologies Overview. Motivations: Many of our customers have architectures like this
      • Gateway Cluster at Edge of Network: DMZ deployment; hardware appliance, virtual appliance or software
      • Diagram: Partners, Mobile Devices, Cloud, API/Service Client, Firewall 1, SSG Cluster, Firewall 2, Enterprise Network, API/Service Servers …, Directory
  • 7. Native Single Sign-On SDK For Mobile Developers
      • Diagram: iPhone, Android and iPad sharing an App-sharable Secure Key Store; One time PIN via SMS, APNS or call; Enterprise Network with API Servers
      • Strong Security for Mobile Apps:
      • Cross-platform and built for a consumer or BYOD world
      • 100% standards-based using OAuth+OpenID Connect
      • X-app SSO with multi-factor auth & secure channel
      • X.509 certificate provisioning for strong auth and transaction signing
  • 8. Client Deployment Strategy
      • Don’t make me work hard – but give me a strong and extensible security model
      • Transfer of security responsibility – let developers do what they do best
      • Simple SDK – align with common development time environments (iOS, Android, Javascript, etc.); mirror REST frameworks
      • Future – aspects, wrapping, etc.
  • 9. Self Service: User should be able to log out if device is lost or stolen
  • 10. Three Important Entities: Device, App, User (diagram labels: A, A, B, C)
  • 11. Protocol Strategy
      • OAuth + OpenID Connect: profiled for mobile; clear distinction between device, user and app
      • Diagram: apps A, B, C; username/password exchanged for an ID Token; Access Token/Refresh Token per app; Authorization Server
  • 12. Overall Architecture (diagram)
  • 13. Register device, streamlined, first usage
  • 14. Register device, streamlined, first usage (cont.)
  • 15. Request an access_token using JWT (SSO)
  • 16. Mobile SSO APIs – server side
      ID | Operation | URL path
      request_token | Request access_token / id_token (JWT) | /l7cadr/auth/oauth/v2/token
      request_token_sso | Request access_token using id_token (JWT), which is the SSO scenario | /l7cadr/auth/oauth/v2/token
      request_token_basic | Request access_token / id_token (JWT) | /l7cadr/auth/oauth/v2/token
      request_token_sso_basic | Request access_token using id_token (JWT), which is the SSO scenario | /l7cadr/auth/oauth/v2/token
      revoke_token | Revoke an access_token or refresh_token | /l7cadr/auth/oauth/v2/token/revoke
      register_device | Registers a device for a user | /l7cadr/connect/device/register
      resource_owner_logout | The resource_owner logs out of the device by invalidating his current id_token (JWT) | /l7cadr/connect/session/logout
      resource_owner_session_status | The client requests the session status by passing in the id_token | /l7cadr/connect/session/status
      remove_device_x509 | Removes a registered device using SSL mutual authentication | /l7cadr/connect/device/remove
      userinfo | The endpoint returns claims about the current user. The result depends on the SCOPE that was requested with the access_token | /l7cadr/openid/connect/v1/userinfo
      list_devices | Lists registered devices | /l7cadr/connect/device/list
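The following Python is an added example, not Layer 7's SDK or gateway code and not from the deck. It simulates the server side of the flow described on slides 11, 15 and 16 so the three-entity model (device, user, app) can be seen working: a device is registered, the first app in the SSO group does a password grant and receives an id_token (JWT) plus its own access/refresh tokens, a second app presents that shared id_token to obtain its own access_token without prompting for a password, and logout invalidates the id_token so later SSO requests are refused. The AuthorizationServer class, its method names, the in-memory stores, the HS256 signing secret and the sample user "alice" are all constructed assumptions; the real /l7cadr endpoints are only listed by name on the slide.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo secret for HS256; a real server would use an asymmetric key.
SERVER_SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict) -> str:
    """Build an HS256 JWT (header.payload.signature) over the claim set."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SERVER_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str) -> dict:
    """Return the claims if signature and expiry check out, else raise ValueError."""
    head, body, sig = token.split(".")
    expected = hmac.new(SERVER_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_dec(body))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims

class AuthorizationServer:
    """Hypothetical in-memory stand-in for the slide 16 server-side operations."""
    def __init__(self, users: dict, sso_group: set):
        self.users = users            # username -> password (constructed)
        self.sso_group = sso_group    # client_ids allowed to share one session
        self.devices = {}             # device_id -> username (register_device)
        self.sessions = {}            # jti of live id_tokens -> username
        self.access_tokens = {}       # access_token -> (user, client_id, device_id)

    def register_device(self, device_id, username, password):
        if self.users.get(username) != password:
            raise PermissionError("invalid credentials")
        self.devices[device_id] = username

    def request_token_basic(self, device_id, client_id, username, password):
        """First app: password grant returns id_token plus per-app tokens."""
        if self.users.get(username) != password or self.devices.get(device_id) != username:
            raise PermissionError("bad credentials or unregistered device")
        jti = secrets.token_hex(8)
        id_token = make_jwt({"sub": username, "device": device_id, "jti": jti,
                             "iat": time.time(), "exp": time.time() + 3600})
        self.sessions[jti] = username
        return {"id_token": id_token, **self._issue(username, client_id, device_id)}

    def request_token_sso(self, device_id, client_id, id_token):
        """Second app in the group: exchange the shared id_token, no password prompt."""
        claims = verify_jwt(id_token)
        if claims["jti"] not in self.sessions:
            raise PermissionError("session logged out")
        if claims["device"] != device_id or client_id not in self.sso_group:
            raise PermissionError("device mismatch or app outside the SSO group")
        return self._issue(claims["sub"], client_id, device_id)

    def _issue(self, user, client_id, device_id):
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = (user, client_id, device_id)
        return {"access_token": access, "refresh_token": secrets.token_urlsafe(16)}

    def session_status(self, id_token) -> bool:
        try:
            return verify_jwt(id_token)["jti"] in self.sessions
        except ValueError:
            return False

    def resource_owner_logout(self, id_token):
        """Invalidate the id_token server-side; later SSO grants with it fail."""
        self.sessions.pop(verify_jwt(id_token)["jti"], None)

    def revoke_token(self, access_token):
        self.access_tokens.pop(access_token, None)

    def userinfo(self, access_token) -> dict:
        user, client_id, device_id = self.access_tokens[access_token]
        return {"sub": user, "client_id": client_id, "device": device_id}

def demo_flow():
    """Apps A and B on one device: register, log in once, SSO into B, log out."""
    srv = AuthorizationServer({"alice": "pw"}, sso_group={"appA", "appB"})
    srv.register_device("dev-1", "alice", "pw")
    a = srv.request_token_basic("dev-1", "appA", "alice", "pw")  # user types password once
    b = srv.request_token_sso("dev-1", "appB", a["id_token"])    # app B gets its own token silently
    before = srv.session_status(a["id_token"])
    srv.resource_owner_logout(a["id_token"])
    return {"a_user": srv.userinfo(a["access_token"])["sub"],
            "b_user": srv.userinfo(b["access_token"])["sub"],
            "status_before": before, "status_after": srv.session_status(a["id_token"])}

if __name__ == "__main__":
    print(demo_flow())
```

Two design points worth noting. The id_token is bound to the device in its claims and is only honoured for client_ids in the configured SSO group, so an id_token copied to another device or presented by an app outside the group is refused; this is the "clear distinction between device, user and app" from slide 11. Logout removes the session server-side rather than relying on the apps to delete the token, which is what makes the slide 9 "device lost or stolen" case work even when the device is no longer cooperating.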
  • 17. Administration of Tokens
  • 18. Demo
  • 19. Questions? K. Scott Morrison, smorrison@layer7.com, (604) 681-9377