Mobile Single Sign-On
Are we there yet?
BRIAN CAMPBELL
@__b_c
@__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 2
Formalities, Introductions, etc.
• No way this will take 90 minutes
• There should be food and beer
• Slides will be available
– at http://www.slideshare.net/briandavidcampbell
– & via https://twitter.com/__b_c (2 underscores + b + 1 underscore + c)
Formalities, Introductions, etc.
• I’ve worked @ Ping Identity for over a decade
• Ping is a Denver based ‘startup’ solving complex identity challenges
Tel Aviv
I should mention that…
My ‘Safe Harbor’ Slide
• Disclaimers
– Views or opinions presented herein are solely my own and do not necessarily represent those of my employer
– Wholly unqualified to talk about mobile
– Primarily do server side development
– And not even very much of that anymore
• So, um… WTF?
– Ping sponsored Denver Startup Week
– And I do use a mobile phone…
Though not very well
But Sometimes…
An outsider’s perspective can help see where things just aren’t quite right
as demonstrated by a semi-contrived little story about me and my phone
Premise: Single Sign-On just isn’t quite right on mobile
I’m very busy and important
As you can see by my opulent travel budget.
So, while I am one of those luddites who still prefers a real computer for work, sometimes I have to use my phone…
Just trying to join a meeting while out on the road.
Please excuse any intermittent time travel. I had some technical difficulties with something called “focus” and had to reshoot a few images.
There’s my meeting!
(This happened on first use a long time ago)
So…
What went wrong there?
What we want to happen
1. Be able to login to the SaaS native applications with existing Ping credentials and not some new login unique to each SaaS
2. Be able to access multiple SaaS native applications throughout the day after only a single authentication to Ping
By combining SAML & OAuth protocols
Concur effectively forgot that I had already logged in
How did Concur forget?
1. When first logged in to Ping as part of accessing the Webex app, a cookie was set in the browser I was using.
2. That cookie acts as a record of the login. When next seen by the authentication system, it won’t prompt again for an explicit login (unless expired)
3. When Concur needed me authenticated by Ping, it used a different sort of browser, a webview
4. Cookies aren’t shared across these two different browser types
5. The cookie that was set earlier in the first browser wasn’t available, so I was prompted again to login
That’s what went wrong
Concur used a ‘webview’
Why Concur? Why?
• Until recently mobile app developers had only two choices for displaying web content (such as login pages)
• The external system browser (e.g. Safari or Chrome) or a webview, in which the web content appears as part of the app’s own user interface
• System browser
– better security characteristics
– cookie sharing (and so SSO across apps)
• Webview
– better UX
• Behind the Scenes
– Web Single Sign-On
– OAuth 2.0 (ish)
Web Single Sign-On in one Slide
• Typically
– SAML 2.0
– OpenID Connect
• But also
– SAML 1.1/1.0
– OpenID 2.0
– WS-Federation
• And maybe
– Facebook Connect/Login
– Whatever Twitter does
– Various other non-standard approaches
[Diagram: Web Single Sign-On (SSO) between an Identity Provider (IDP) and a Service Provider (SP)]
OAuth 2.0 in one slide
• client: An application obtaining authorization and making protected resource requests.
– Native app on mobile device
• resource server (RS): A server capable of accepting and responding to protected resource requests (typically APIs).
• authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.
A few other OAuth terms
• Access token (AT) – Presented by the client when accessing protected resources at the RS
• Refresh token (RT) – Allows clients to obtain a fresh access token without re-obtaining authorization
• Scope – A permission (or set of permissions) defined by the AS/RS
• Authorization endpoint – used by the client to obtain authorization from the resource owner via user-agent redirection
• Token endpoint – used for direct client to AS communication
• Authorization Code – One time code issued by an AS to be exchanged for an AT.
[Diagram: Client, Resource Server, Authorization Server]
Web SSO + OAuth = Mobile SSO
[Diagram: on the Device, the Native App and the System Browser; the https:// Home Service with its Authorization Endpoint and Token Endpoint; the Enterprise or Social Identity Provider. Steps 1–5 of the flow are numbered on the arrows.]
(1) Request Authorization
• When the user first needs to access some protected resource (not logged in), the app launches the system browser with an authorization request
• ‘IDP Discovery’ can be done in the native application
[Diagram: step 1, the Native App launches the System Browser to the Home Service’s Authorization Endpoint]
https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code
&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
A quick note about Apple…
(1a) PKCE
https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code
&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
• Proof Key for Code Exchange by OAuth Public Clients
– PKCE, pronounced "pixy"
– Binds the code exchange to the authorization request
– Newly minted RFC 7636
(2) Authenticate and Approve
• Redirect to the IDP for SSO; the Home Service is the SP
[Diagram: step 2, the System Browser is redirected from the Authorization Endpoint to the Enterprise or Social Identity Provider and back]
• User approves the requested access
– (don’t skip this)
(3) Handle Callback
• Authorization server returns control to the app using HTTP redirection and includes an authorization code
– URI with a custom scheme registered to the app
• Reversed domain name as redirect_uri scheme
– Resistant to accidental collisions
– Proof of domain ownership provides better recourse against malicious collisions
[Diagram: step 3, the Authorization Endpoint redirects the System Browser to the Native App’s custom-scheme URI]
HTTP/1.1 302 Found
Location: org.example.myapp://oauth.cb?code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4
(4) Trade Code for Token(s)
[Diagram: step 4, the Native App calls the Home Service’s Token Endpoint directly]
token endpoint request
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

client_id=org.example.myapp&
grant_type=authorization_code&
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
code_verifier=7gEsCAcCLtCTbDl2fml2z
(4a) PKCE Again
token endpoint request
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

client_id=org.example.myapp&
grant_type=authorization_code&
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
code_verifier=7gEsCAcCLtCTbDl2fml2z
(4b) Trade Code for Token(s)
[Diagram: step 4, the Native App calls the Home Service’s Token Endpoint directly]
token endpoint request
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

client_id=org.example.myapp&
grant_type=authorization_code&
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
code_verifier=7gEsCAcCLtCTbDl2fml2z
token endpoint response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store

{
"token_type":"Bearer",
"expires_in":3600,
"access_token":"PeRTSD9RltacecQriuFfsxV41",
"refresh_token":"uyAVrtaccLZ2qPzI8rQ5ltckCdGJsz8XE58esc"
}
(5) Use Access Token
Authenticate/authorize calls to the protected APIs by including the AT in the HTTP Authorization header
[Diagram: step 5, the Native App calls the protected API with the access token]
POST /api/update-status HTTP/1.1
Host: rs.example.org
Authorization: Bearer PeRTSD9RltacecQriuFfsxV41
Content-Type: application/json

{"status" : "almost done with this presentation"}
Rinse and Repeat
• If all goes well, HTTP/1.1 200 OK
• And if not, HTTP 401
• Use the refresh token to get a new access token
• And if that doesn’t work or you don’t have a refresh token, initiate the authorization request flow again
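Steps (1) through (4) above, modelled end to end as an added example that is not code from the talk or from Ping Identity: the client_id, endpoint, scope, idp and callback scheme are the slides’ values, while the in-memory AuthorizationServer, make_verifier and run_flow are assumptions standing in for a real AS and app. The slides’ identical code_challenge and code_verifier values correspond to the "plain" PKCE method; the block also implements the S256 method that RFC 7636 recommends, and shows why a code captured without its verifier is rejected at the token endpoint.

```python
"""Mobile SSO authorization code flow with PKCE (RFC 7636), modelled end to end.

Added illustration, not code from the talk or from Ping Identity. client_id,
endpoints and the callback scheme follow the slides; the in-memory
AuthorizationServer, make_verifier and run_flow are assumptions.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CLIENT_ID = "org.example.myapp"        # client_id used on the slides
CALLBACK_SCHEME = "org.example.myapp"  # reversed domain name as custom scheme
AUTHZ_ENDPOINT = "https://as.example.com/as/authz.oauth2"


def make_verifier() -> str:
    """43-character high-entropy code_verifier (RFC 7636 section 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def challenge_for(verifier: str, method: str) -> str:
    """S256 is the recommended method. 'plain' (challenge == verifier, which is
    what the slides' identical example values show) is only for clients that
    cannot compute a SHA-256."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    if method == "plain":
        return verifier
    raise ValueError("unknown code_challenge_method")


def build_authz_request(verifier: str, method: str = "S256") -> str:
    """Step (1)/(1a): the URL the native app hands to the system browser."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "scope": "update_status", "idp": "pingidentity.com",
              "code_challenge": challenge_for(verifier, method),
              "code_challenge_method": method}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


class AuthorizationServer:
    """Minimal AS: stores the challenge with each code it issues (steps 2-3)
    and checks the verifier at the token endpoint (step 4a)."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge, method)

    def authorize(self, authz_url: str) -> str:
        """After SSO and consent, returns the Location of the 302 back to the app."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(authz_url).query).items()}
        code = secrets.token_urlsafe(24)  # one-time authorization code
        self._codes[code] = (q["client_id"], q["code_challenge"],
                             q.get("code_challenge_method", "plain"))
        return f"{CALLBACK_SCHEME}://oauth.cb?code={code}"

    def token(self, form: dict) -> dict:
        """Token endpoint: a captured code alone is useless without the verifier."""
        entry = self._codes.pop(form.get("code"), None)  # codes are single use
        if entry is None or form.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        client_id, challenge, method = entry
        recomputed = challenge_for(form.get("code_verifier", ""), method)
        if client_id != form.get("client_id") or not secrets.compare_digest(
                recomputed, challenge):
            return {"error": "invalid_grant"}
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": secrets.token_urlsafe(18),
                "refresh_token": secrets.token_urlsafe(27)}


def parse_callback(location: str) -> str:
    """Step (3): the app accepts only its own reversed-domain scheme."""
    parts = urlsplit(location)
    if parts.scheme != CALLBACK_SCHEME:
        raise ValueError(f"callback for foreign scheme {parts.scheme!r}")
    return parse_qs(parts.query)["code"][0]


def run_flow(as_server: AuthorizationServer, method: str = "S256",
             tamper_verifier: bool = False) -> dict:
    """Steps 1-4 end to end. tamper_verifier models a party that saw the code
    (e.g. through a colliding custom scheme) but never had the verifier."""
    verifier = make_verifier()
    location = as_server.authorize(build_authz_request(verifier, method))
    code = parse_callback(location)
    form = {"client_id": CLIENT_ID, "grant_type": "authorization_code",
            "code": code,
            "code_verifier": make_verifier() if tamper_verifier else verifier}
    return as_server.token(form)


if __name__ == "__main__":
    srv = AuthorizationServer()
    print(run_flow(srv))                        # tokens issued
    print(run_flow(srv, tamper_verifier=True))  # {'error': 'invalid_grant'}
```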
Some Folks Like to …
[Diagram: the same Mobile SSO flow, steps 1–5, with the System Browser on the Device]
… Use a Web-View
[Diagram: the same flow, but the System Browser is replaced by a Web-View inside the Native App]
but…
The Web-View Anti-Pattern
• Usability Issues
– No shared context (cookie)
– Requires sign-in once per app even when web SSO is possible
• Security Issues
– Web-view typically isn’t sandboxed from the invoking app, so credentials and authentication cookies can be stolen
– Requires/encourages users to enter credentials without the address bar and associated visual cues of site authenticity (HTTPS)
• Missing Features
– Some web-views unable to access client certificates
– Generally unable to use password managers, etc.
Hope Springs Mobile
• Latest versions of iOS & Android add a third option for displaying web content
– iOS 9 Safari View Controllers
– Android Chrome 45 Chrome Custom Tabs
• Both provide a new browser window with the security advantages and shared context of the system browser but UX comparable to webviews
Wait, what about OpenID Connect?
• A simple[sic] single sign-on and identity layer on top of OAuth 2.0
• Adds an ID Token (JWT) for user authentication to the client
• And a bunch of other stuff
What about OpenID Connect?
• Great for the web SSO part
• Can be layered on the OAuth part
[Diagram: the same Mobile SSO flow, steps 1–5]
Near Term Recommendations
• Use OAuth 2.0 + PKCE
– & maybe OpenID Connect
• Use Web SSO
• Prompt for user consent (every time)
• Use new View Controllers & Custom Tabs
– Fallback to using the System Browser
• Use a reversed Internet domain name in the custom scheme for the callback URI
Useful Links (1997 Style)
• Mobile SSO Developers Guide
– https://developer.pingidentity.com/en/resources/napps-native-app-sso.html
• OAuth 2.0 for Native Apps
– https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps
• JWT Library for Java/Android
– https://bitbucket.org/b_c/jose4j/
• An old blog post
– https://www.pingidentity.com/en/blog/2015/07/06/mobile_sso_are_we_there_yet.html
BRIAN CAMPBELL
@__b_c
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
zyfovom
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
Trending Blogers
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 

Recently uploaded (20)

制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 

Denver Startup Week '15: Mobile SSO

  • 12. Just trying to join a meeting while out on the road.
  • 28. Please excuse any intermittent time travel. I had some technical difficulties with something called “focus” and had to reshoot a few images.
  • 31. There’s my meeting!
  • 33. (This happened on first use a long time ago)
  • 48. So… What went wrong there?
  • 49–52. What we want to happen
    1. Be able to log in to the SaaS native applications with existing Ping credentials and not some new login unique to each SaaS
    2. Be able to access multiple SaaS native applications throughout the day after only a single authentication to Ping
    By combining SAML & OAuth protocols
    Concur effectively forgot that I had already logged in
  • 53. How did Concur forget?
    1. When I first logged in to Ping as part of accessing the Webex app, a cookie was set in the browser I was using.
    2. That cookie acts as a record of the login. When next seen by the authentication system, it won’t prompt again for an explicit login (unless expired).
    3. When Concur needed me authenticated by Ping, it used a different sort of browser, a webview.
    4. Cookies aren’t shared across these two different browser types.
    5. The cookie that was set earlier in the first browser wasn’t available, so I was prompted again to log in.
  • 54. That’s what went wrong: Concur used a ‘webview’
  • 55. Why Concur? Why?
    • Until recently mobile app developers had only two choices for displaying web content (such as login pages)
    • The external system browser (e.g. Safari or Chrome) or a webview, in which the web content appears as part of the app’s own user interface
    • System browser
      – better security characteristics
      – cookie sharing (and so SSO across apps)
    • Webview
      – better UX
  • 56. Behind the Scenes
    – Web Single Sign-On
    – OAuth 2.0 (ish)
  • 57. Web Single Sign-On in one Slide
    • Typically
      – SAML 2.0
      – OpenID Connect
    • But also
      – SAML 1.1/1.0
      – OpenID 2.0
      – WS-Federation
    • And maybe
      – Facebook Connect/Login
      – Whatever Twitter does
      – Various other non-standard approaches
    [Diagram: Identity Provider (IDP) and Service Provider (SP) linked by Web Single Sign-On (SSO)]
  • 58. OAuth 2.0 in one slide
    • client: An application obtaining authorization and making protected resource requests.
      – Native app on mobile device
    • resource server (RS): A server capable of accepting and responding to protected resource requests (typically APIs).
    • authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.
    A few other OAuth terms
    • Access token (AT) – Presented by the client when accessing protected resources at the RS
    • Refresh token (RT) – Allows clients to obtain a fresh access token without re-obtaining authorization
    • Scope – A permission (or set of permissions) defined by the AS/RS
    • Authorization endpoint – used by the client to obtain authorization from the resource owner via user-agent redirection
    • Token endpoint – used for direct client to AS communication
    • Authorization Code – One-time code issued by an AS to be exchanged for an AT.
    [Diagram: Client, Resource Server, Authorization Server]
  • 59. Web SSO + OAuth = Mobile SSO
    [Diagram: Device (Native App, System Browser); Home Service (Authorization Endpoint, Token Endpoint); Enterprise or Social Identity Provider; steps 1–5 of the flow]
  • 60. (1) Request Authorization
    • When the user first needs to access some protected resource (not logged in), the app launches the system browser with an authorization request
    • ‘IDP Discovery’ can be done in the native application
    [Diagram: step 1, Native App to System Browser to Authorization Endpoint]
    https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
    A quick note about Apple…
  • 61. (1a) PKCE
    https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
    • Proof Key for Code Exchange by OAuth Public Clients
      – PKCE, pronounced "pixy"
      – Binds the code exchange to the authorization request
      – Newly minted RFC 7636
  • 62. (2) Authenticate and Approve
    • Redirect to the IDP for web SSO, with the Home Service acting as the SP
    [Diagram: step 2, System Browser to Enterprise or Social Identity Provider]
    • User approves the requested access
      – (don’t skip this)
  • 63. (3) Handle Callback
    • Authorization server returns control to the app using HTTP redirection and includes an authorization code
      – URI with a custom scheme registered to the app
    • Reversed domain name as redirect_uri scheme
      – Resistant to accidental collisions
      – Proof of domain ownership provides better recourse against malicious collisions
    [Diagram: step 3, Authorization Endpoint back through the System Browser to the Native App]
    HTTP/1.1 302 Found
    Location: org.example.myapp://oauth.cb?code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4
  • 64. (4) Trade Code for Token(s)
    [Diagram: step 4, Native App directly to Token Endpoint]
    token endpoint request:
    POST /as/token.oauth2 HTTP/1.1
    Host: as.example.com
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8

    client_id=org.example.myapp&
    grant_type=authorization_code&
    code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
    code_verifier=7gEsCAcCLtCTbDl2fml2z
  • 65. (4a) PKCE Again
    (the same token endpoint request as slide 64, highlighting the code_verifier that matches the code_challenge sent in step 1)
  • 66. (4b) Trade Code for Token(s)
    token endpoint request: as on slide 64
    token endpoint response:
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store

    {
      "token_type":"Bearer",
      "expires_in":3600,
      "access_token":"PeRTSD9RltacecQriuFfsxV41",
      "refresh_token":"uyAVrtaccLZ2qPzI8rQ5ltckCdGJsz8XE58esc"
    }
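An added example, not code from the slides or from Ping Identity, that carries steps (1), (3) and (4) of slides 60–66 through in code on both the app side and the authorization-server side, using only the Python standard library. The endpoint, client_id, scope, idp and sample authorization code are the slides' values; the verifier/challenge generation, the callback check and the AS-side verification are this example's own, and it uses the S256 challenge method (the slides' request, which carries the challenge with no code_challenge_method, is the RFC 7636 "plain" default, where challenge and verifier are identical).

```python
# Added example (not from the slides or Ping Identity): PKCE-protected
# authorization code flow for a native app, app side and AS side.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://as.example.com/as/authz.oauth2"  # from slide 60
CLIENT_ID = "org.example.myapp"                              # from slide 60
CALLBACK_SCHEME = "org.example.myapp"  # reversed domain name, slide 63


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """App side, before step (1): a fresh high-entropy verifier that stays in
    the app until step (4), plus its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters
    return verifier, s256_challenge(verifier)


def authorization_url(challenge: str, scope: str = "update_status",
                      idp: str = "pingidentity.com") -> str:
    """Step (1): the URL the app hands to the system browser. Unlike the
    slides' request, the challenge method is stated explicitly as S256."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": scope,
        "idp": idp,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_callback(location: str) -> str:
    """Step (3): pull the code out of the redirect Location, refusing any
    URI whose scheme is not the custom scheme registered to this app."""
    parts = urlsplit(location)
    if parts.scheme != CALLBACK_SCHEME:
        raise ValueError("redirect scheme is not this app's custom scheme")
    codes = parse_qs(parts.query).get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request_body(code: str, verifier: str) -> dict:
    """Step (4): form fields for the token endpoint; the verifier, not the
    challenge, is what the app sends now."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": verifier,
    }


def as_verify_pkce(stored_challenge: str, method: str, verifier: str) -> bool:
    """AS side of step (4): recompute the challenge from the presented
    verifier and compare it with the one stored alongside the code. This is
    the check that binds the code exchange to the authorization request."""
    if method == "S256":
        expected = s256_challenge(verifier)
    elif method == "plain":      # RFC 7636 default; the slides' values use it
        expected = verifier
    else:
        return False
    return hmac.compare_digest(expected.encode(), stored_challenge.encode())
```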
  • 67. (5) Use Access Token
    Authenticate/authorize calls to the protected APIs by including the AT in the HTTP Authorization header
    [Diagram: step 5, Native App to the protected API]
    POST /api/update-status HTTP/1.1
    Host: rs.example.org
    Authorization: Bearer PeRTSD9RltacecQriuFfsxV41
    Content-Type: application/json

    {"status" : "almost done with this presentation"}
  • 68. Rinse and Repeat
    • If all goes well, HTTP/1.1 200 OK
    • And if not, HTTP 401
    • Use the refresh token to get a new access token
    • And if that doesn’t work or you don’t have a refresh token, initiate the authorization request flow again
  • 69. Some Folks Like to …
    [Diagram: the flow of slide 59, through the System Browser]
  • 70. … Use a Web-View
    [Diagram: the same flow, with a Web-View inside the Native App in place of the System Browser]
    but…
  • 71. The Web-View Anti-Pattern
    • Usability Issues
      – No shared context (cookie)
      – Requires sign-in once per app even when web SSO is possible
    • Security Issues
      – Web-view typically isn’t sandboxed from the invoking app, so credentials and authentication cookies can be stolen
      – Requires/encourages users to enter credentials without the address bar and associated visual cues of site authenticity (HTTPS)
    • Missing Features
      – Some web-views are unable to access client certificates
      – Generally unable to use password managers, etc.
  • 72. Hope Springs Mobile
    • Latest versions of iOS & Android add a third option for displaying web content
      – iOS 9: Safari View Controllers
      – Android Chrome 45: Chrome Custom Tabs
    • Both provide a new browser window with the security advantages and shared context of the system browser but UX comparable to webviews
  • 73. Wait, what about OpenID Connect?
    • A simple[sic] single sign-on and identity layer on top of OAuth 2.0
    • Adds an ID Token (JWT) for user authentication to the client
    • And a bunch of other stuff
  • 74. What about OpenID Connect?
    • Great for the web SSO part
    • Can be layered on the OAuth part
    [Diagram: the flow of slide 59]
  • 75. Near Term Recommendations
    • Use OAuth 2.0 + PKCE
      – & maybe OpenID Connect
    • Use Web SSO
    • Prompt for user consent (every time)
    • Use new View Controllers & Custom Tabs
      – Fall back to using the System Browser
    • Use a reversed Internet domain name in the custom scheme for the callback URI
  • 76. Useful Links (1997 Style)
    • Mobile SSO Developers Guide
      – https://developer.pingidentity.com/en/resources/napps-native-app-sso.html
    • OAuth 2.0 for Native Apps
      – https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps
    • JWT Library for Java/Android
      – https://bitbucket.org/b_c/jose4j/
    • An old blog post
      – https://www.pingidentity.com/en/blog/2015/07/06/mobile_sso_are_we_there_yet.html