Paul Madsen, Senior Technical Architect, Ping Identity
Whether you manage the device (not a good idea), the applications on it or the business data those applications download and store—knowing who the employee is is fundamental. Let’s talk about how identity standards like SAML, SCIM, OAuth and OpenID Connect can work together to get your identities from where you keep them to where they're needed.
7. Premise
• Depending
on
context,
IT
will
impose
differen@ated
controls
– Use
camera
– Take
screenshot
– Wifi
– Email
account
to
use
• MDM,
MAM,
&
MIM
differ
in
the
granularity
of
the
context
they
account
for
8. Contexts
• Who
is
the
user?
– controls
based
on
employee
iden@ty
&
roles,
e.g.
IT
admin
vs
Sales
Director
• What
are
they
doing?
– controls
based
on
what
applica@on
the
employee
is
using,
eg
viewing
a
spreadsheet
• Why
are
they
doing
it?
– controls
based
on
whether
the
employee
is
ac@ng
in
a
business
or
personal
persona,
eg
viewing
financial
projec@ons
vs
hockey
team
stats
• Where
are
they
doing
it?
– controls
based
on
geoloca@on,
e.g.
in
office
vs
on
business
trip
– controls
based
on
device,
e.g.
on
iPad
vs
Blackberry
• When
are
they
doing
it?
– controls
based
on
@me
etc,
e.g.
office
hours
vs
weekend
or
last
@me
user
signed
in
9. MDM
• In
MDM,
the
context
is
the
device,
ie
policy
looks
like
–
"If
you
are
using
this
device,
then
you
cannot
use
public
wifi'
• Coarse
granularity
implies
that
the
enterprise
imposed
limita@ons
will
impact
non
business
use
of
device
11. MAM
• In
MAM,
the
context
is
the
applica@on
being
used,
ie
policy
looks
like
–
"If
you
are
using
the
enterprise
Box
applica@on,
you
cannot
store
data
on
the
device'
• Medium
granularity
implies
that
there
will
need
to
be
mul@ple
versions
of
some
applica@ons,
those
that
the
user
wants
for
both
personas
12. All apps
Those that
are MAM-
enabled
Those enabled to
work with your
preferred MAM
Those your
employees want to
use
Sweet spot
13. MIM
• In
MIM,
the
context
is
determined
by
the
informa@on
–
enterprise
data
carries
with
itself
the
policy,
ie
looks
like
–
"When
viewing/edi@ng
this
spreadsheet,
you
cannot
use
the
screenshot
func@on'
• A
single
applica@on
could
work
with
both
personal
&
enterprise
data
(if
MIM
enabled)
23. Extremely
over
simplified
mobile
security
model
1. Ensure
that
user/app
can
access
only
appropriate
apps/data
2. Protect
data
in
transit
3. Protect
data
on
device
4. When
necessary,
turn
off
access
24. Mechanisms?
1. Ensure
that
user/
app
can
access
only
appropriate
apps/data
2. Protect
data
in
transit
3. Protect
data
on
device
4. When
necessary,
turn
off
access
• Server-based access control as
per groups/roles
• Inter-app controls (eg Managed
Open In etc)
• Stop issuing tokens
• Revoke any extant tokens
• Wipe data (or keys)
• Hardware level encryption
• Application level encryption
• SSL or VPN etc
• Secure SDKs, custom URL
schemes
25. EMM
in
a
nutshell
Business
Applica@on
Business
Data
EMM
server
endpoints
Agent
Configuration
Credentials
Policy
Directives
Business
Data
26. Generic
lifecycle
0.
Provision
accounts
1. Install
app
(OPT?)
2. Ini@al
user
authen@ca@on
3. Bind
to
Server
4. Download
policy
&
addi@onal
creden@als
5. Use
creden@als
to
access
applica@ons
6. Ongoing
management
SCIM
SAML
OAuth
OIDC
30. SAML
• Security
Asser@on
Markup
Language
• XMl-‐based
framework
for
making
security
&
iden@ty
informa@on
portable
across
domains
• Architypical
applica@on
is
for
Web
SSO
• Default
SSO
protocol
for
B2B,
SaaS
• Google,
Salesforce,
WebEx,
etc
30
31. OAuth
• Open
framework
for
authoriza@on
&
authen@ca@on
for
REST
APIs
• Emerged
from
consumer
web,
transi@oning
into
cloud
&
enterprise
• Notable
for
its
mobile
op@miza@ons
(rela@ve
to
precedents)
• IETF
standardized
• Important
plagorm
for
other
standards,
UMA
etc
31
33. Enterprise EMM
provider
Browser EMM
Agent
1
2
3
4
1) EMM Agent loads EMM
provider authn page
2) EMM provider does
SAML SSO to enterprise
3) After SAML SSO, EMM
provider issues OAuth
access token to agent
4) EMM Agent uses access
token to pull policy etc
down
5) EMM provider returns
policies etc5
Leverage
EMM
provisioned
creds
34. OpenID
Connect
• Profiles/extends
OAuth
for
iden@ty
use
cases
• Under
standardiza@on
in
OIDF
• Defines
new
– Id_token
–
standardized
token
format
for
iden@ty,
enables
Web
SSO
– UserInfo
endpoint
–
standardized
API
for
airibute
sharing
34
36. Device
Na@ve
SSO?
Browser
Resource
Server
App
client
Resource
Server
App
client
EMM
Agent
EMM
Server
Authoriza@on
Server
2
Policy
&
Tokens
1
3
API
API
4
37. Wrapping
up
• Separa@on
(whatever
the
mechanism
&
the
UX)
between
work
&
personal
usages
promises
balance
of
security,
privacy,
enablement
etc
• Dual
persona
is
by
its
nature
an
iden@ty
concept
• Iden@ty
standards
have
a
role
to
play
in
enabling
dual
persona
• Lets
keep
conversa@on
going
37