CloudIDSummit, profile picture
Uploaded byCloudIDSummit
1,062 views

CIS 2015 SSO for Mobile and Web Apps Ashish Jain

The document discusses Single Sign-On (SSO) solutions for mobile and web applications, outlining the current and desired user experiences. It introduces various options for implementing SSO, such as using system browsers, enrolling devices, and leveraging different authentication methods. Additionally, it highlights challenges faced in mobile SSO and suggests potential strategies to enhance user access and security.

Embed presentation

Downloaded 34 times
© 2014 VMware Inc. All rights reserved. SSO for Mobile and Web Apps Ashish Jain @itickr CIS 2015
What we will cover in this Session ? 2 1 Why is this important ? 2 What’s the current experience? 3 What’s the desired experience ? What are my options ? What’s the challenge ? Q & A 4 5 6
Why is this important?
What’s the current experience ?
Mobile App •  Click on Mobile App •  Enter server and user information. Tenant discovery happens. •  Click login. Get redirected to login screen (AD or else) •  Enter AD credentials (or local/MFA) •  You have access Web App •  Open Mobile Safari •  Enter web url – e.g. https:// www.salesforce.com •  Click login. Get redirected to login screen (AD or else) •  Enter AD credentials (or local/MFA) •  You have access. 10
Mobile App •  Start VPN app •  Start SecurID App. •  Enter SecurID pin. •  Enter SecurID passcode on VPN app •  Click on Mobile App •  Enter server and user information. Tenant discovery happens. •  Click login. Get redirected to login screen (AD or else) •  Enter AD credentials (or local/MFA) •  You have access Web App •  Start VPN app •  Start SecurID App. •  Enter SecurID pin. •  Enter SecurID passcode on VPN app •  Open Mobile Safari •  Enter web url – e.g. https:// www.salesforce.com •  Click login. Get redirected to login screen (AD or else) •  Enter AD credentials (or local/MFA) •  You have access. 11
What’s the desired experience ?
What’s the challenge?
Mobile SSO flow 1.  User access Mobile App 2.  App connects to server 3.  Redirects to IdP 4.  IdP authenticates via AD 5.  IdP sends SAML back to App Server 6.  App Server sends AT back to App 7.  App uses AT to access 1 Mobile App Web View 2 3 4 5 IdP AD 6 7 App Server OAuth AS SAML OAuth
Mobile SSO flow 1.  User access Mobile App 2.  App connects to server 3.  Redirects to IdP 4.  IdP authenticates via AD 5.  IdP sends SAML back to App Server 6.  App Server sends AT back to App 7.  App uses AT to access Mobile App Web View 2 3 4 5 IdP AD 6 7 Mobile App OAuth AS App ServerSAML OAuth 1
Mobile SSO flow 1.  User access Mobile App 2.  App connects to server 3.  Redirects to IdP 4.  IdP authenticates via AD 5.  IdP sends SAML back to App Server 6.  App Server sends AT back to App 7.  App uses AT to access Mobile App Web View 2 3 4 5 IdP AD 6 7 Mobile App OAuth AS App Server Challenges •  Authentication per mobile app •  No validation of access token •  No clean up of cached / offline data OAuth SAML 1
What are my options ?
Use System browser Enroll your device JavaScript trickery Windows 10 NAPPS Use Vendor SDK
1 Mobile App 2 3 4 5 IdP AD 6 7 App Server OAuth AS Use System browser System browser 8 1.  User access Mobile App 2.  App opens system browser 3.  App connects to server 4.  Redirects to IdP 5.  IdP authenticates via AD 6.  IdP sends SAML back to App Server 7.  App Server sends AT back to App 8.  App uses AT to access
1.  User access Mobile App 2.  App connects to server 3.  Redirects to IdP 4.  IdP sends 401 negotiate 5.  iOS intercepts 6.  On-demand VPN session 7.  Sends Cert to KDC to get a ticket 8.  IdP validates Kerb ticket 9.  IdP sends SAML to App server 10. App server sends OAuth AT to App Mobile App Web View 2 3 4 5 IdP Kerb Adapter AD KDC 67 8 9 10 App Server OAuth AS Enroll your device 1
1.  User access Mobile App 2.  App connects to server 3.  Redirects to IdP 4.  IdP caches the request 5.  IdP connects with its agent 6.  User authenticates 7.  Sends token back to IdP 8.  IdP sends SAML to App server 9.  App server sends OAuth AT to App 1 Mobile App Web View 2 3 4 5 IdP 6 7 8 App Server OAuth AS IdP Agent 9 JavaScript trickery
1.  User access Mobile App 2.  App RequestTokenAsync to Web Account Manager (WAM) 3.  WAM request token from registered Web Account Provider (WAP) 4.  WAP redirects to IdP 5.  User Authenticates 6.  IdP sends the token back to WAP 7.  WAP sends the token to WAM 8.  WAM returns RequestResult to App 9.  App can access the resource 1 Mobile App 23 4 5 IdP 6 7 8 App Server OAuth AS WAP 9 WAM Web View Windows 10
1 Mobile App 2 4 5 IdP AD 6 7 App Server OAuth AS NAPPS Token Agent 1.  User access Mobile App 2.  Mobile App requests ACDC token 3.  TA gets its own AT/RT 4.  IdP authenticates via AD 5.  TA uses AT to get ACDC for Mobile App 6.  TA passes ACDC to Mobile App 7.  Mobile App uses ACDC to get its AT 8.  App uses AT to access OAuth AS 3 8
Summary
Everything will be amazing but no one will be happy
Use System browser Enroll your device JavaScript trickery Windows 10 NAPPS Use Vendor SDK Minimal code change. Can be implemented now. No code change. Best experience. Requires MDM. Cross platform. Open Standard. Still in spec stage. No code change. Limited App support. Only works for enterprise apps. Platform specific. Not available now.
Q & A Ashish Jain @itickr

More Related Content

PDF
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
byCloudIDSummit
 
PDF
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
byCloudIDSummit
 
PDF
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
byCloudIDSummit
 
PPTX
Bigger, Better Business With OAuth
byApigee | Google Cloud
 
PDF
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
byCA Technologies
 
PDF
CIS14: PingAccess in Action
byCloudIDSummit
 
PPTX
OAuth - Don’t Throw the Baby Out with the Bathwater
byApigee | Google Cloud
 
PPTX
Best Practices for API Security
byMuleSoft
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
byCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
byCloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
byCloudIDSummit
 
Bigger, Better Business With OAuth
byApigee | Google Cloud
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
byCA Technologies
 
CIS14: PingAccess in Action
byCloudIDSummit
 
OAuth - Don’t Throw the Baby Out with the Bathwater
byApigee | Google Cloud
 
Best Practices for API Security
byMuleSoft
 

What's hot

PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
PPTX
Spring Boot Authentication...and More!
byStormpath
 
PPTX
Developing and deploying Identity-enabled applications for the cloud
byMaarten Balliauw
 
PDF
O365Con18 - Introduction to Azure Web Applications - Eric Shupps
byNCCOMMS
 
PDF
Introduction to The 6 Insights of API Practice (Bill Doerrfeld)
byNordic APIs
 
PDF
The Case For Next Generation IAM
byPatrick Harding
 
PDF
CA Security - Deloitte IAM Summit - Vasu
byVasu Surabhi
 
PPTX
How to Use Stormpath in angular js
byStormpath
 
PPT
SSO Strategy Implementation Considerations
byJohn Bauer
 
PPTX
Multi-Tenancy with Spring Boot
byStormpath
 
PPTX
The bits and pieces of Azure AD B2C
byAnton Staykov
 
PPTX
Microsoft Reactor Toronto 5/5/2020 | Azure Kubernetes In Action - Running and...
byRoy Kim
 
ODP
Security components in mule esb
byhimajareddys
 
ODP
Security in mulesoft
byakshay yeluru
 
PPTX
Kondo-ing API Authorization
byNordic APIs
 
PDF
WSO2Con EU 2016: Real-time Monitoring of API Architectures
byWSO2
 
PDF
CIS14: Enterprise Identity APIs
byCloudIDSummit
 
PPTX
Stormpath 101: Spring Boot + Spring Security
byStormpath
 
PPTX
Secure API Services in Node with Basic Auth and OAuth2
byStormpath
 
PPTX
Intuit QuickBooks Payments API
byIntuit Developer
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
Spring Boot Authentication...and More!
byStormpath
 
Developing and deploying Identity-enabled applications for the cloud
byMaarten Balliauw
 
O365Con18 - Introduction to Azure Web Applications - Eric Shupps
byNCCOMMS
 
Introduction to The 6 Insights of API Practice (Bill Doerrfeld)
byNordic APIs
 
The Case For Next Generation IAM
byPatrick Harding
 
CA Security - Deloitte IAM Summit - Vasu
byVasu Surabhi
 
How to Use Stormpath in angular js
byStormpath
 
SSO Strategy Implementation Considerations
byJohn Bauer
 
Multi-Tenancy with Spring Boot
byStormpath
 
The bits and pieces of Azure AD B2C
byAnton Staykov
 
Microsoft Reactor Toronto 5/5/2020 | Azure Kubernetes In Action - Running and...
byRoy Kim
 
Security components in mule esb
byhimajareddys
 
Security in mulesoft
byakshay yeluru
 
Kondo-ing API Authorization
byNordic APIs
 
WSO2Con EU 2016: Real-time Monitoring of API Architectures
byWSO2
 
CIS14: Enterprise Identity APIs
byCloudIDSummit
 
Stormpath 101: Spring Boot + Spring Security
byStormpath
 
Secure API Services in Node with Basic Auth and OAuth2
byStormpath
 
Intuit QuickBooks Payments API
byIntuit Developer
 

Viewers also liked

PPTX
AssureBridge - SSO to Many B2B Service Providers - Marketing presentation
byAssureBridge
 
PPTX
OpenIG Webinar: Your Swiss Army Knife for Protecting and Securing Web Apps, A...
byForgeRock
 
PPTX
Engineering Cryptographic Applications: Symmetric Encryption
byDavid Evans
 
PPTX
A CONTEMPLATION OF OPENIG DEEP THOUGHTS
byForgeRock
 
PDF
OpenSSL Basic Function Call Flow
byWilliam Lee
 
PPTX
Securing Access Through a Multi-Purpose Credential and Digital ID
byForgeRock
 
PPTX
Webinar: OpenAM 12.0 - New Featurs
byForgeRock
 
PPTX
OpenIDM: An Introduction
byForgeRock
 
PDF
Pki and OpenSSL
byTony Fabeen
 
PPT
Information Security Lesson 9 - Keys - Eric Vanderburg
byEric Vanderburg
 
PPTX
Identity Manager Opensource OpenIDM Architecture
byAidy Tificate
 
PPTX
Cryptography and PKI
byRabei Hassan
 
PDF
Crypto With OpenSSL
byZhi Guan
 
PPTX
CIS 2015 Mobile SSO
byAshish Jain
 
PPTX
OpenDJ - An Introduction
byForgeRock
 
PDF
Enhancing System Security Using PKI
byChin Wan Lim
 
PPTX
Opendj - A LDAP Server for dummies
byClaudio Borges
 
PDF
Virtual-HSM: Virtualization of Hardware Security Modules in Linux Containers
byOSLL
 
PDF
Federation in Practice
byForgeRock
 
PPTX
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
byForgeRock
 
AssureBridge - SSO to Many B2B Service Providers - Marketing presentation
byAssureBridge
 
OpenIG Webinar: Your Swiss Army Knife for Protecting and Securing Web Apps, A...
byForgeRock
 
Engineering Cryptographic Applications: Symmetric Encryption
byDavid Evans
 
A CONTEMPLATION OF OPENIG DEEP THOUGHTS
byForgeRock
 
OpenSSL Basic Function Call Flow
byWilliam Lee
 
Securing Access Through a Multi-Purpose Credential and Digital ID
byForgeRock
 
Webinar: OpenAM 12.0 - New Featurs
byForgeRock
 
OpenIDM: An Introduction
byForgeRock
 
Pki and OpenSSL
byTony Fabeen
 
Information Security Lesson 9 - Keys - Eric Vanderburg
byEric Vanderburg
 
Identity Manager Opensource OpenIDM Architecture
byAidy Tificate
 
Cryptography and PKI
byRabei Hassan
 
Crypto With OpenSSL
byZhi Guan
 
CIS 2015 Mobile SSO
byAshish Jain
 
OpenDJ - An Introduction
byForgeRock
 
Enhancing System Security Using PKI
byChin Wan Lim
 
Opendj - A LDAP Server for dummies
byClaudio Borges
 
Virtual-HSM: Virtualization of Hardware Security Modules in Linux Containers
byOSLL
 
Federation in Practice
byForgeRock
 
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
byForgeRock
 

Similar to CIS 2015 SSO for Mobile and Web Apps Ashish Jain

PDF
CIS13: Gateway to the Enterprise: Supporting SSO in Mobile Apps
byCloudIDSummit
 
PPTX
Saas webinar-dec6-01
byPaul Madsen
 
PDF
Gluecon oauth-03
byPaul Madsen
 
PPTX
CIS 2012 - Going Mobile with PingFederate and OAuth 2
byscotttomilson
 
PPTX
Single sign-on Across Mobile Applications from RSAConference
byCA API Management
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
PPTX
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...
byCA API Management
 
PPTX
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
byCA API Management
 
PDF
CIS 2015- Mobile SSO: Are We There Yet? - Brian Campbell
byCloudIDSummit
 
PDF
Mobile SSO: Give App Users a Break from Typing Passwords
byCA API Management
 
PPTX
Mobile Single Sign-On (Gluecon '15)
byBrian Campbell
 
PPTX
Mobile SSO using NAPPS
byAshish Jain
 
PDF
WSO2Con US 2013 - Securing Cloud and Mobile: Pragmatic Enterprise Security Ar...
byWSO2
 
PDF
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
byCloudIDSummit
 
PPTX
Authentication Server
byAbhishek Chikane
 
PPTX
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
byCA API Management
 
PDF
CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
byCloudIDSummit
 
PDF
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
byCA API Management
 
PPTX
Mobile SSO: are we there yet?
byBrian Campbell
 
PPTX
Leveraging the azure cloud for your mobile apps
byMarcel de Vries
 
CIS13: Gateway to the Enterprise: Supporting SSO in Mobile Apps
byCloudIDSummit
 
Saas webinar-dec6-01
byPaul Madsen
 
Gluecon oauth-03
byPaul Madsen
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
byscotttomilson
 
Single sign-on Across Mobile Applications from RSAConference
byCA API Management
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...
byCA API Management
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
byCA API Management
 
CIS 2015- Mobile SSO: Are We There Yet? - Brian Campbell
byCloudIDSummit
 
Mobile SSO: Give App Users a Break from Typing Passwords
byCA API Management
 
Mobile Single Sign-On (Gluecon '15)
byBrian Campbell
 
Mobile SSO using NAPPS
byAshish Jain
 
WSO2Con US 2013 - Securing Cloud and Mobile: Pragmatic Enterprise Security Ar...
byWSO2
 
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
byCloudIDSummit
 
Authentication Server
byAbhishek Chikane
 
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
byCA API Management
 
CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
byCloudIDSummit
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
byCA API Management
 
Mobile SSO: are we there yet?
byBrian Campbell
 
Leveraging the azure cloud for your mobile apps
byMarcel de Vries
 

More from CloudIDSummit

PPTX
CIS 2016 Content Highlights
byCloudIDSummit
 
PPTX
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
byCloudIDSummit
 
PDF
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
byCloudIDSummit
 
PDF
Mobile security, identity & authentication reasons for optimism 20150607 v2
byCloudIDSummit
 
PDF
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
byCloudIDSummit
 
PDF
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
byCloudIDSummit
 
PDF
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
byCloudIDSummit
 
PDF
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
byCloudIDSummit
 
PDF
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
byCloudIDSummit
 
PDF
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
byCloudIDSummit
 
PDF
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
byCloudIDSummit
 
PDF
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
byCloudIDSummit
 
PDF
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
byCloudIDSummit
 
PDF
CIS 2015 The IDaaS Dating Game - Sean Deuby
byCloudIDSummit
 
PDF
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
byCloudIDSummit
 
PDF
CIS 2015 Identity Relationship Management in the Internet of Things
byCloudIDSummit
 
PDF
CIS 2015 The Ethics of Personal Data - Robin Wilton
byCloudIDSummit
 
PDF
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
byCloudIDSummit
 
PDF
CIS 2015 OpenID Connect and Mobile Applications - David Chase
byCloudIDSummit
 
PDF
CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay
byCloudIDSummit
 
CIS 2016 Content Highlights
byCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
byCloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
byCloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
byCloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
byCloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
byCloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
byCloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
byCloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
byCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
byCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
byCloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
byCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
byCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
byCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
byCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
byCloudIDSummit
 
CIS 2015 The Ethics of Personal Data - Robin Wilton
byCloudIDSummit
 
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
byCloudIDSummit
 
CIS 2015 OpenID Connect and Mobile Applications - David Chase
byCloudIDSummit
 
CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay
byCloudIDSummit
 

Recently uploaded

PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
How to Prepare for the RWA Tokenization Trend
byrose mason
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Workflow and decision Automation with Flowable
bychakib ch
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
How to Prepare for the RWA Tokenization Trend
byrose mason
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 

CIS 2015 SSO for Mobile and Web Apps Ashish Jain

  • 1.
    © 2014 VMwareInc. All rights reserved. SSO for Mobile and Web Apps Ashish Jain @itickr CIS 2015
  • 2.
    What we willcover in this Session ? 2 1 Why is this important ? 2 What’s the current experience? 3 What’s the desired experience ? What are my options ? What’s the challenge ? Q & A 4 5 6
  • 3.
    Why is thisimportant?
  • 9.
  • 10.
    Mobile App •  Clickon Mobile App •  Enter server and user information. Tenant discovery happens. •  Click login. Get redirected to login screen (AD or else) •  Enter AD credentials (or local/MFA) •  You have access Web App •  Open Mobile Safari •  Enter web url – e.g. https:// www.salesforce.com •  Click login. Get redirected to login screen (AD or else) •  Enter AD credentials (or local/MFA) •  You have access. 10
  • 11.
    Mobile App •  StartVPN app •  Start SecurID App. •  Enter SecurID pin. •  Enter SecurID passcode on VPN app •  Click on Mobile App •  Enter server and user information. Tenant discovery happens. •  Click login. Get redirected to login screen (AD or else) •  Enter AD credentials (or local/MFA) •  You have access Web App •  Start VPN app •  Start SecurID App. •  Enter SecurID pin. •  Enter SecurID passcode on VPN app •  Open Mobile Safari •  Enter web url – e.g. https:// www.salesforce.com •  Click login. Get redirected to login screen (AD or else) •  Enter AD credentials (or local/MFA) •  You have access. 11
  • 12.
  • 15.
  • 16.
    Mobile SSO flow 1. User access Mobile App 2.  App connects to server 3.  Redirects to IdP 4.  IdP authenticates via AD 5.  IdP sends SAML back to App Server 6.  App Server sends AT back to App 7.  App uses AT to access 1 Mobile App Web View 2 3 4 5 IdP AD 6 7 App Server OAuth AS SAML OAuth
  • 17.
    Mobile SSO flow 1. User access Mobile App 2.  App connects to server 3.  Redirects to IdP 4.  IdP authenticates via AD 5.  IdP sends SAML back to App Server 6.  App Server sends AT back to App 7.  App uses AT to access Mobile App Web View 2 3 4 5 IdP AD 6 7 Mobile App OAuth AS App ServerSAML OAuth 1
  • 18.
    Mobile SSO flow 1. User access Mobile App 2.  App connects to server 3.  Redirects to IdP 4.  IdP authenticates via AD 5.  IdP sends SAML back to App Server 6.  App Server sends AT back to App 7.  App uses AT to access Mobile App Web View 2 3 4 5 IdP AD 6 7 Mobile App OAuth AS App Server Challenges •  Authentication per mobile app •  No validation of access token •  No clean up of cached / offline data OAuth SAML 1
  • 19.
    What are myoptions ?
  • 20.
    Use System browser Enrollyour device JavaScript trickery Windows 10 NAPPS Use Vendor SDK
  • 21.
    1 Mobile App 2 3 4 5 IdP AD 6 7 App Server OAuth AS Use System browser System browser 8 1. User access Mobile App 2.  App opens system browser 3.  App connects to server 4.  Redirects to IdP 5.  IdP authenticates via AD 6.  IdP sends SAML back to App Server 7.  App Server sends AT back to App 8.  App uses AT to access
  • 22.
    1.  User accessMobile App 2.  App connects to server 3.  Redirects to IdP 4.  IdP sends 401 negotiate 5.  iOS intercepts 6.  On-demand VPN session 7.  Sends Cert to KDC to get a ticket 8.  IdP validates Kerb ticket 9.  IdP sends SAML to App server 10. App server sends OAuth AT to App Mobile App Web View 2 3 4 5 IdP Kerb Adapter AD KDC 67 8 9 10 App Server OAuth AS Enroll your device 1
  • 23.
    1.  User accessMobile App 2.  App connects to server 3.  Redirects to IdP 4.  IdP caches the request 5.  IdP connects with its agent 6.  User authenticates 7.  Sends token back to IdP 8.  IdP sends SAML to App server 9.  App server sends OAuth AT to App 1 Mobile App Web View 2 3 4 5 IdP 6 7 8 App Server OAuth AS IdP Agent 9 JavaScript trickery
  • 24.
    1.  User accessMobile App 2.  App RequestTokenAsync to Web Account Manager (WAM) 3.  WAM request token from registered Web Account Provider (WAP) 4.  WAP redirects to IdP 5.  User Authenticates 6.  IdP sends the token back to WAP 7.  WAP sends the token to WAM 8.  WAM returns RequestResult to App 9.  App can access the resource 1 Mobile App 23 4 5 IdP 6 7 8 App Server OAuth AS WAP 9 WAM Web View Windows 10
  • 25.
    1 Mobile App 2 4 5 IdP AD 6 7 App Server OAuth AS NAPPS Token Agent 1.  User accessMobile App 2.  Mobile App requests ACDC token 3.  TA gets its own AT/RT 4.  IdP authenticates via AD 5.  TA uses AT to get ACDC for Mobile App 6.  TA passes ACDC to Mobile App 7.  Mobile App uses ACDC to get its AT 8.  App uses AT to access OAuth AS 3 8
  • 26.
  • 27.
    Everything will beamazing but no one will be happy
  • 28.
    Use System browser Enrollyour device JavaScript trickery Windows 10 NAPPS Use Vendor SDK Minimal code change. Can be implemented now. No code change. Best experience. Requires MDM. Cross platform. Open Standard. Still in spec stage. No code change. Limited App support. Only works for enterprise apps. Platform specific. Not available now.
  • 29.
    Q & A AshishJain @itickr