Mobile Single Sign-On: Extending SSO Out To The Client
July 11, 2013
K. Scott Morrison, Senior Vice President and Distinguished Engineer
Copyright © 2013 CA. All rights reserved.
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott Morrison, Cloud Identity Summit

Think SSO is just about reducing logins across servers? Think again. In the mobile world, the new twist is sharing sessions across mobile apps on a device. Learn how technologies like OAuth and OpenID Connect can be leveraged by native apps to achieve MSSO.

  • APIs come with their own problems. You never have just one API. So quickly the issue is scaling access and management.
    1. Mobile Single Sign-On: Extending SSO Out To The Client. July 11, 2013. K. Scott Morrison, Senior Vice President and Distinguished Engineer.
    2. Our Problem: Secure Mobile Access to Apps and Data. How Do We Make APIs Available?
       • Firewall mazes
       • Diversity of clients and back end systems
       • Clients and servers change at different rates
       (Diagram: API/Service Client on the Internet reaching API/Service Servers and the Directory in the Enterprise Network through Firewall 1 and Firewall 2.)
       Of Interest Today:
       • Authentication, Authorization & SSO
       • Secure Transmission
    3. We Want Classic SSO In An Active Profile For REST. Could leverage WS-Fed here: SAML’s second act? (Diagram: apps making RESTful API calls over the Internet to API/Service Servers backed by a Directory.)
    4. But We Also Want Local App SSO. Single Sign On App Group (these apps will share sign-on sessions): apps A, B and C calling API/Service Servers. So now it’s getting interesting… “Like a VPN… but with an experience that doesn’t suck”
    5. App layer and persistence layer: mobile OS isolation is an issue (silos).
    6. Motivations: Many of our customers have architectures like this. Gateway Cluster at Edge of Network:
       • DMZ deployment
       • Hardware appliance, virtual appliance or software
       (Diagram: SSG Cluster between Firewall 1 and Firewall 2; API/Service Servers and Directory inside the Enterprise Network; Partners, Mobile Devices, Cloud and API/Service Client outside.)
    7. Native Single Sign-On SDK For Mobile Developers. iPhone, Android and iPad apps share an app-sharable Secure Key Store and reach API Servers in the Enterprise Network; one time PIN delivered by SMS, APNS or call. Strong Security for Mobile Apps:
       • Cross-platform and built for a consumer or BYOD world
       • 100% Standards-based using OAuth+OpenID Connect
       • X-app SSO with multi-factor auth & secure channel
       • X.509 Certificate provisioning for strong auth and transaction signing
    8. Client Deployment Strategy
       • Don’t make me work hard – But give me a strong and extensible security model
       • Transfer of security responsibility – Let developers do what they do best
       • Simple SDK – Align with common development time environments (iOS, Android, Javascript, etc.); mirror REST frameworks
       • Future – Aspects, wrapping, etc.
    9. Self Service: User should be able to log out if device is lost or stolen
    10. Three Important Entities: Device, App (A, B, C) and User
    11. Protocol Strategy: apps A, B and C; username/password; ID Token; Access Token/Refresh Token per app; Authorization Server. OAuth + OpenID Connect:
       • Profiled for mobile
       • Clear distinction between device, user and app
    12. Overall Architecture (diagram)
    13. Register device, streamlined, first usage
    14. Register device, streamlined, first usage (cont.)
    15. Request an access_token using JWT (SSO)
    16. Mobile SSO APIs – server side (API ID: Operation. URL path)
       • request_token: Request access_token / id_token (JWT). /l7cadr/auth/oauth/v2/token
       • request_token_sso: Request access_token using id_token (JWT), which is the SSO scenario. /l7cadr/auth/oauth/v2/token
       • request_token_basic: Request access_token / id_token (JWT). /l7cadr/auth/oauth/v2/token
       • request_token_sso_basic: Request access_token using id_token (JWT), which is the SSO scenario. /l7cadr/auth/oauth/v2/token
       • revoke_token: Revoke an access_token or refresh_token. /l7cadr/auth/oauth/v2/token/revoke
       • register_device: Registers a device for a user. /l7cadr/connect/device/register
       • resource_owner_logout: The resource_owner logs out of the device by invalidating his current id_token (JWT). /l7cadr/connect/session/logout
       • resource_owner_session_status: The client requests the session status by passing in the id_token. /l7cadr/connect/session/status
       • remove_device_x509: Removes a registered device using SSL mutual authentication. /l7cadr/connect/device/remove
       • userinfo: The endpoint returns claims about the current user; the result depends on the SCOPE that was requested with the access_token. /l7cadr/openid/connect/v1/userinfo
       • list_devices: Lists registered devices. /l7cadr/connect/device/list
    17. Administration of Tokens
    18. Demo
    19. Questions? K. Scott Morrison, smorrison@layer7.com, (604) 681-9377
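The slides name the token exchanges of the protocol strategy (slides 11, 15 and 16) but show no code. The following is an added toy model, not Layer 7's SDK or gateway code: the primary app's id_token (JWT) is exchanged by a second app in the sign-on group for its own per-app access_token (request_token_sso), and resource_owner_logout invalidates the shared session for every app at once. The signing key, device registry, app group, claim names, expiry values and the explicit `now` parameter are constructed assumptions.

```python
import base64, hashlib, hmac, json
SERVER_KEY = b"demo-authorization-server-key"  # constructed demo key, not a real secret
REGISTERED_DEVICES = {"device-42": "alice"}    # device_id -> user, filled by register_device
SSO_APP_GROUP = {"app-a", "app-b", "app-c"}    # apps that may share one sign-on session
LOGGED_OUT_SESSIONS = set()                    # jti values invalidated by resource_owner_logout

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Issue a compact HS256 JWT: header.payload.signature."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SERVER_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_jwt(token: str, now: float):
    """Return the claims only if the signature matches and the token has not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(SERVER_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(parts[2])):
        return None
    claims = json.loads(_unb64(parts[1]))
    return claims if claims.get("exp", 0) > now else None

def issue_id_token(user: str, device_id: str, now: float) -> str:
    """Primary login (username/password path): id_token bound to user, device and a session id (jti)."""
    jti = hashlib.sha256(f"{user}:{device_id}:{now}".encode()).hexdigest()[:16]
    return sign_jwt({"sub": user, "dev": device_id, "jti": jti, "exp": now + 3600})

def request_token_sso(id_token: str, app_id: str, now: float):
    """SSO scenario: a second app in the group exchanges the shared id_token for its own access_token."""
    claims = verify_jwt(id_token, now)
    if claims is None or claims["jti"] in LOGGED_OUT_SESSIONS:
        return None  # bad signature, expired, or session already logged out
    if REGISTERED_DEVICES.get(claims["dev"]) != claims["sub"] or app_id not in SSO_APP_GROUP:
        return None  # device not registered to this user, or app outside the sign-on group
    access = sign_jwt({"sub": claims["sub"], "aud": app_id, "jti": claims["jti"], "exp": now + 600})
    return {"access_token": access, "token_type": "Bearer", "expires_in": 600}

def resource_owner_logout(id_token: str, now: float) -> bool:
    """Invalidate the session so every app sharing this id_token loses SSO at once."""
    claims = verify_jwt(id_token, now)
    if claims:
        LOGGED_OUT_SESSIONS.add(claims["jti"])
    return claims is not None
```

Because the access_token carries the session's jti, a revoke or logout check on the resource side can key off the same value the id_token was issued with.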