2. Why is this important?
[Chart: smartphone and tablet shipments vs. PC shipments, 2009-2012, in millions (y-axis 0-900). Explosive growth in shipments of smartphones and tablets; flat PC shipments.]
… of information workers use three or more devices for work to increase productivity
Sources: IDC, BGR, Forrester
New Device Platforms, New Apps, New User Expectations
BYOD & JIT
3. The Changing Device Mix
Connected Device Market by Product Category, Shipments, 2012-2017 in Millions
Category       2012   2017
Smartphone      722   1516
Tablet          128    352
Portable PC     202    240
Desktop PC      148    141
Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, February 28, 2013
4. The Changing Device Mix
Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, September 11, 2013
By 2017, 87% of connected devices will be smartphones and tablets
18. Enterprise SSO architecture (diagram, built up over slides 18-23)
[Diagram: Active Directory (AD) behind a SAML IdP; App 1, App 2 and App 3 as SAML RPs, fronted by a Policy Server; an iOS App and an OAuth AS. The successive builds highlight the OAuth AS, add OpenID Connect, and finally add a Token Agent (TA) on the device.]
38. Mobile App(s) Auth Flow
[Diagram: seven numbered steps between the Mobile App, the SAML IdP, the RP / RS, AD and the OAuth AS; a second Mobile App repeats the same flow on its own.]
Issues
• Authentication per mobile app
• No invalidation of access token
• No clean up of offline/cached data on device
45. Deployment Models
• Enterprise in-house native apps
• Native App for a SaaS provider
• Multiple native apps for a single SaaS provider
46. NAPPS
• OIDF working group
• Profile of OpenID Connect
• Participants include VMware, AirWatch, Ping Identity, MobileIron, Okta, OneLogin, …
47. NAPPS Terminology
• Token Agent: native app that obtains access tokens on behalf of other native apps
• AppInfo Endpoint: endpoint to obtain metadata about apps
• Primary Token: OAuth token obtained by the TA for its own use
• Secondary Token: OAuth token obtained by the TA on behalf of another native app
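The token-agent model above, and the three issues listed on the "Mobile App(s) Auth Flow" slide, as an added worked example. This is illustrative code written for this page, not code from the NAPPS profile or from any vendor on the participants slide: the in-memory authorization server, the `appinfo` registry contents, the opaque token format, the per-app TTLs and the parent-linked revocation are all assumptions chosen to show the idea, not the profile's wire format. It demonstrates one user login yielding a primary token for the TA, secondary tokens minted per app and bound to that app's audience, and revocation of the primary token invalidating every secondary token derived from it.

```python
"""Illustrative NAPPS-style token agent (added example, not the NAPPS profile).

Assumed model: the TA logs the user in once and receives a primary token; it
then calls the AppInfo endpoint for each native app and requests a secondary
token bound to that app.  Revoking the primary token revokes its children.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Token:
    value: str
    subject: str            # user the token was issued for
    audience: str           # app the token is bound to (TA id for the primary)
    scope: str
    expires_at: float
    parent: Optional[str] = None   # primary token a secondary token hangs off
    revoked: bool = False


class AuthorizationServer:
    """In-memory OAuth AS with an AppInfo endpoint and parent-linked revocation."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.tokens: Dict[str, Token] = {}
        # AppInfo registry: constructed sample metadata, one entry per native app.
        self.appinfo_registry = {
            "com.example.mail":  {"scopes": {"mail.read", "mail.send"}, "ttl": 600},
            "com.example.files": {"scopes": {"files.read"}, "ttl": 300},
        }

    def appinfo(self, app_id: str) -> dict:
        """AppInfo endpoint: metadata the TA needs before asking for a secondary token."""
        if app_id not in self.appinfo_registry:
            raise KeyError(f"unknown app {app_id}")
        return self.appinfo_registry[app_id]

    def issue_primary(self, subject: str, ta_id: str, ttl: int = 3600) -> str:
        """Primary token: issued to the TA after the user authenticates once."""
        tok = Token(secrets.token_urlsafe(24), subject, ta_id, "ta", self.clock() + ttl)
        self.tokens[tok.value] = tok
        return tok.value

    def issue_secondary(self, primary_value: str, app_id: str, scope: str) -> str:
        """Secondary token: requested by the TA on behalf of another native app."""
        primary = self._live(primary_value)
        # Only a live primary token may mint; a secondary token cannot mint more.
        if primary is None or primary.scope != "ta":
            raise PermissionError("primary token invalid")
        info = self.appinfo(app_id)
        if scope not in info["scopes"]:
            raise PermissionError(f"scope {scope} not allowed for {app_id}")
        tok = Token(secrets.token_urlsafe(24), primary.subject, app_id, scope,
                    self.clock() + info["ttl"], parent=primary.value)
        self.tokens[tok.value] = tok
        return tok.value

    def revoke_primary(self, primary_value: str) -> int:
        """Revoke the TA's primary token and every secondary token derived from it."""
        count = 0
        for tok in self.tokens.values():
            if (tok.value == primary_value or tok.parent == primary_value) and not tok.revoked:
                tok.revoked = True
                count += 1
        return count

    def _live(self, value: str) -> Optional[Token]:
        tok = self.tokens.get(value)
        if tok is None or tok.revoked or tok.expires_at <= self.clock():
            return None
        return tok

    def introspect(self, value: str, audience: str) -> bool:
        """What a resource server asks: is this token live and bound to me?"""
        tok = self._live(value)
        return tok is not None and tok.audience == audience


class TokenAgent:
    """Native app that holds the primary token and hands out secondary tokens."""

    def __init__(self, authz: AuthorizationServer, ta_id: str = "com.example.tokenagent"):
        self.authz = authz
        self.ta_id = ta_id
        self.primary: Optional[str] = None
        self.cache: Dict[Tuple[str, str], str] = {}

    def login(self, subject: str) -> None:
        self.primary = self.authz.issue_primary(subject, self.ta_id)

    def token_for(self, app_id: str, scope: str) -> str:
        """Return a cached secondary token if still live, else request a fresh one."""
        key = (app_id, scope)
        cached = self.cache.get(key)
        if cached and self.authz.introspect(cached, app_id):
            return cached
        tok = self.authz.issue_secondary(self.primary, app_id, scope)
        self.cache[key] = tok
        return tok

    def logout(self) -> int:
        """Single logout: revoke the primary token and drop every cached secondary."""
        count = self.authz.revoke_primary(self.primary)
        self.primary = None
        self.cache.clear()
        return count
```

Audience binding is what stops a token handed to the mail app from being replayed against the files service, and the parent link is what turns a single logout at the TA into invalidation of every per-app token, which is the gap the "Mobile App(s) Auth Flow" slide points at. Clearing the TA's cache on logout is the device-side half of that; the apps' own offline data is out of scope for this example.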