Mobile Single Sign-On: Extending SSO Out To The Client
July 11, 2013
K. Scott Morrison, Senior Vice President and Distinguished Engineer
Copyright © 2013 CA. All rights reserved.
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott Morrison, Cloud Identity Summit
Think SSO is just about reducing logins across servers? Think again. In the mobile world, the new twist is sharing sessions across mobile apps on a device. Learn how technologies like OAuth and OpenID Connect can be leveraged by native apps to achieve MSSO.
Speaker notes:
  • APIs come with their own problems. You never have just one API. So quickly the issue is scaling access and management.

Slide transcript:
Slide 1: Mobile Single Sign-On: Extending SSO Out To The Client
July 11, 2013. K. Scott Morrison, Senior Vice President and Distinguished Engineer.

Slide 2: Our Problem: Secure Mobile Access to Apps and Data
How Do We Make APIs Available?
  • Firewall mazes
  • Diversity of clients and back end systems
  • Clients and servers change at different rates
(Diagram labels: Enterprise Network, API/Service Client, API/Service Servers, Firewall 2, Firewall 1, Internet, Directory)
Of Interest Today
  • Authentication, Authorization & SSO
  • Secure Transmission

Slide 3: We Want Classic SSO In An Active Profile For REST
Could leverage WS-Fed here
  • SAML's second act?
(Diagram labels: API/Service Servers, Apps making RESTful API calls, Internet, Directory)

Slide 4: But We Also Want Local App SSO
Single Sign On App Group (these apps will share sign-on sessions): A, B, C
(Diagram labels: API/Service Servers)
So now it's getting interesting...
"Like a VPN... but with an experience that doesn't suck"

Slide 5: Mobile OS Isolation is an issue
(Diagram labels: App layer, Persistence layer, Silos)

Slide 6: Motivations: Many of our customers have architectures like this
Layer 7 Technologies Overview
Gateway Cluster at Edge of Network
  • DMZ deployment
  • Hardware appliance, virtual appliance or software
(Diagram labels: Enterprise Network, API/Service Servers, Firewall 2, Firewall 1, Partners, Mobile Devices, Cloud, SSG Cluster, API/Service Client, Directory)

Slide 7: Native Single Sign-On SDK For Mobile Developers
(Diagram labels: Enterprise Network, iPhone, Android, iPad, App-sharable Secure Key Store, One time PIN: SMS, APNS, call, API Servers)
Strong Security for Mobile Apps
  • Cross-platform and built for a consumer or BYOD world
  • 100% Standards-based using OAuth+OpenID Connect
  • X-app SSO with multi-factor auth & secure channel
  • X.509 Certificate provisioning for strong auth and transaction signing

Slide 8: Client Deployment Strategy
  • Don't make me work hard
    – But give me a strong and extensible security model
  • Transfer of security responsibility
    – Let developers do what they do best
  • Simple SDK
    – Align with common development time environments
      • iOS, Android, Javascript, etc
    – Mirror REST frameworks
  • Future
    – Aspects, wrapping, etc.

Slide 9: Self Service: User should be able to log out if device is lost or stolen

Slide 10: Three Important Entities
(Diagram labels: Device, App, User; apps A, B, C on one device)

Slide 11: Protocol Strategy
(Diagram labels: apps A, B, C; username/password; ID Token; Access Token/Refresh Token, per app; Authorization Server)
OAuth + OpenID Connect
  • Profiled for mobile
  • Clear distinction between device, user and app

Slide 12: Overall Architecture (diagram)

Slide 13: Register device, streamlined, first usage (diagram)

Slide 14: Register device, streamlined, first usage (cont.) (diagram)

Slide 15: Request an access_token using JWT (SSO) (diagram)

Slide 16: Mobile SSO APIs – server side

Server side API ID | Operation | URL path
request_token | Request access_token / id_token (JWT) | /l7cadr/auth/oauth/v2/token
request_token_sso | Request access_token using id_token (JWT), which is the SSO scenario | /l7cadr/auth/oauth/v2/token
request_token_basic | Request access_token / id_token (JWT) | /l7cadr/auth/oauth/v2/token
request_token_sso_basic | Request access_token using id_token (JWT), which is the SSO scenario | /l7cadr/auth/oauth/v2/token
revoke_token | Revoke an access_token or refresh_token | /l7cadr/auth/oauth/v2/token/revoke
register_device | Registers a device for a user | /l7cadr/connect/device/register
resource_owner_logout | The resource_owner logs out of the device by invalidating his current id_token (JWT) | /l7cadr/connect/session/logout
resource_owner_session_status | The client requests the session status by passing in the id_token | /l7cadr/connect/session/status
remove_device_x509 | Removes a registered device using SSL mutual authentication | /l7cadr/connect/device/remove
userinfo | The endpoint returns claims about the current user; the result depends on the SCOPE that was requested with the access_token | /l7cadr/openid/connect/v1/userinfo
list_devices | Lists registered devices | /l7cadr/connect/device/list

Slide 17: Administration of Tokens

Slide 18: Demo

Slide 19: Questions?
K. Scott Morrison, smorrison@layer7.com, (604) 681-9377
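As an added example (not from the deck and not Layer 7's SDK or gateway code), a small Python model of the slide 11 and slide 16 flow: an app on a registered device signs in once with username/password and receives an id_token (JWT) plus a per-app access_token; a second app in the SSO group presents that id_token to request_token_sso and gets its own access_token without a password; resource_owner_logout invalidates the id_token so session status and further SSO requests fail. The endpoint names are the deck's; the HS256 signing, the claim set (sub, aud bound to the device id, jti, exp) and the in-memory stores are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class MobileSsoServer:  # toy authorization server; endpoint names from slide 16, internals assumed
    def __init__(self, users):
        self.users, self.key = users, secrets.token_bytes(32)  # HS256 signing key (assumed)
        self.devices = {}      # device_id -> username, filled by register_device
        self.revoked = set()   # jti values of id_tokens invalidated by resource_owner_logout
        self.access = {}       # access_token -> (username, app_id): access tokens are per app
    def register_device(self, device_id, username):
        self.devices[device_id] = username
    def _issue_id_token(self, username, device_id):
        hdr = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"sub": username, "aud": device_id, "jti": secrets.token_hex(8),
                  "exp": int(time.time()) + 3600}  # aud binds the token to the registered device
        body = _b64(json.dumps(claims).encode())
        return f"{hdr}.{body}." + _b64(hmac.new(self.key, f"{hdr}.{body}".encode(), hashlib.sha256).digest())
    def _verify_id_token(self, token, device_id):
        # Claims are trusted only if signature, expiry, device binding and revocation all check out.
        hdr, body, sig = token.split(".")
        expected = hmac.new(self.key, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        if (claims["exp"] < time.time() or claims["jti"] in self.revoked
                or claims["aud"] != device_id or self.devices.get(device_id) != claims["sub"]):
            return None
        return claims
    def _issue_access(self, username, app_id):
        tok = secrets.token_hex(16)
        self.access[tok] = (username, app_id)
        return tok
    def request_token(self, device_id, app_id, username, password):
        # First sign-on for an app: password check, device must already be registered to this user.
        if self.users.get(username) != password or self.devices.get(device_id) != username:
            return None
        return {"id_token": self._issue_id_token(username, device_id),
                "access_token": self._issue_access(username, app_id)}
    def request_token_sso(self, device_id, app_id, id_token):
        # SSO: another app on the same device presents the id_token instead of the password.
        claims = self._verify_id_token(id_token, device_id)
        return None if claims is None else {"access_token": self._issue_access(claims["sub"], app_id)}
    def resource_owner_logout(self, id_token):
        self.revoked.add(json.loads(_b64d(id_token.split(".")[1]))["jti"])
    def resource_owner_session_status(self, device_id, id_token):
        return self._verify_id_token(id_token, device_id) is not None
```

The device binding in aud is what keeps an id_token lifted from one device from minting access tokens on another, and the jti set is what makes the slide 9 lost-device logout take effect server-side.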