© 2014 VMware Inc. All rights reserved.
Mobile SSO using NAPPS
Ashish Jain
@itickr
CIS 2014
Why is this important ?
[Chart: shipments of smartphones and tablets versus PC shipments, 2009-2012 (y-axis 0 to 900). Callouts: EXPLOSIVE GROWTH in shipments of smartphones and tablets; FLAT PC shipments; a stated share (figure missing from the extracted text) of information workers use three or more devices for work to increase productivity. Sources: IDC, BGR, Forrester.]
New Device Platforms, New Apps, New User Expectations
BYOD & JIT
The Changing Device Mix
[Chart: Connected Device Market by Product Category, Shipments, 2012-2017 in Millions (y-axis 0 to 2000). Values as read from the chart, 2012 → 2017: Desktop PC 148 → 141; Portable PC 202 → 240; Tablet 128 → 352; Smartphone 722 → 1516.]
Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, February 28, 2013
The Changing Device Mix
Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, September 11, 2013
By 2017, 87% of connected devices will be smart phones and tablets
[Diagram build, shown across several slides: enterprise apps (App 1, App 2, App 3) first authenticate directly against AD; a Policy Server is placed in front of AD; a SAML IdP is added and the apps become SAML RPs; native iOS apps appear, backed by an OAuth AS; OpenID Connect is layered on the OAuth AS; finally a Token Agent (TA) is introduced on the device.]
Web SSO Flow
[Diagram: steps 1-4 exchanged over SAML among the RP, the IdP and AD.]
Mobile App Auth Flow
[Diagram: steps 1-4 over SAML among the IdP, the RP / RS and AD; steps 5-7 over OAuth between the Mobile App and the AS.]
Mobile App(s) Auth Flow
[Diagram: the same SAML (1-4) and OAuth (5-7) flow, repeated for multiple mobile apps.]
Mobile App Auth Flow
[User experience, repeated per app: IdP Discovery, IdP Login, App Access.]
Issues
• Authentication per mobile app
• No invalidation of access token
• No clean-up of offline/cached data on device
Mobile App SSO – SP Init
Mobile App SSO – IdP Init
Mobile App SSO
Where are we today?
• Layer 7
• Centrify
• Samsung Knox
• Google Auth
[Diagram: App 1, App 2 and App 3 authenticating through a Policy Server against AD.]
Deployment Models
• Enterprise in-house native apps
• Native App for a SaaS provider
• Multiple native apps for a single SaaS provider
NAPPS
• OIDF working group
• Profile of OpenID Connect
• Participants include VMware, AirWatch, Ping Identity, MobileIron, Okta, OneLogin, …
NAPPS Terminology
• Token Agent: native app that obtains access tokens on behalf of other native apps
• AppInfo Endpoint: endpoint to obtain metadata about apps
• Primary Token: OAuth token obtained by the TA for its own use
• Secondary Token: OAuth token obtained by the TA on behalf of another native app
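The following Python model is an added illustration, not part of the slides, the NAPPS profile, or any VMware code. It ties the terminology above to the Issues slide earlier: the user signs in once through the Token Agent (instead of once per app), the TA trades its primary token (PT) for secondary tokens (ST) bound to a single app registered at the AppInfo endpoint, a resource server accepts only an ST scoped to itself, and sign-out revokes the PT, cascades to every ST derived from it and clears the tokens cached on the device. Every component here is an assumption made for the example: the in-memory `AuthorizationServer`, the `AppInfo` dictionary, the `TokenAgent`, `ResourceServer` and the cascade-revocation rule are hypothetical, and the sample apps, user and password are constructed.

```python
"""Toy model of the NAPPS token-agent pattern. Added illustration only: not the
NAPPS profile and not VMware code. The AS, AppInfo registry, TA, RS and the
cascade-revocation rule are all assumptions made for this example."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Token:
    value: str
    subject: str            # authenticated user
    audience: str           # app id the token is scoped to
    kind: str               # "primary" (TA's own) or "secondary" (for an app)
    parent: Optional[str]   # primary token a secondary token was derived from
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    def __init__(self, appinfo: Dict[str, dict], users: Dict[str, str]):
        self.appinfo, self.users = appinfo, users   # constructed sample data
        self.tokens: Dict[str, Token] = {}

    def _issue(self, subject, audience, kind, parent=None, ttl=3600) -> Token:
        tok = Token(secrets.token_urlsafe(24), subject, audience, kind,
                    parent, time.time() + ttl)
        self.tokens[tok.value] = tok
        return tok

    def login(self, username: str, password: str) -> Token:
        # The user authenticates once, through the TA; the TA receives the PT.
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        return self._issue(username, "token-agent", "primary")

    def secondary_token(self, primary_value: str, app_id: str) -> Token:
        # The TA trades its PT for an ST scoped to one registered app.
        pt = self.introspect(primary_value)
        if pt is None or pt.kind != "primary":
            raise PermissionError("primary token invalid or expired")
        if app_id not in self.appinfo:
            raise LookupError("app not registered at the AppInfo endpoint")
        return self._issue(pt.subject, app_id, "secondary", parent=pt.value)

    def introspect(self, value: str) -> Optional[Token]:
        tok = self.tokens.get(value)
        if tok is None or tok.revoked or tok.expires_at <= time.time():
            return None
        return tok

    def revoke(self, value: str) -> int:
        """Revoke a token; revoking a PT cascades to every ST derived from it.
        Returns the number of tokens revoked (assumed rule, not spec text)."""
        tok = self.tokens.get(value)
        if tok is None or tok.revoked:
            return 0
        tok.revoked, count = True, 1
        for other in self.tokens.values():
            if other.parent == value and not other.revoked:
                other.revoked, count = True, count + 1
        return count


class TokenAgent:
    def __init__(self, authz: AuthorizationServer):
        self.authz, self.primary = authz, None
        self.cache: Dict[str, Token] = {}   # app_id -> secondary token

    def sign_in(self, username: str, password: str) -> None:
        self.primary = self.authz.login(username, password)

    def token_for(self, app_id: str) -> Token:
        # Other native apps never see the user's credentials or the PT.
        st = self.authz.secondary_token(self.primary.value, app_id)
        self.cache[app_id] = st
        return st

    def sign_out(self) -> int:
        revoked = self.authz.revoke(self.primary.value) if self.primary else 0
        self.primary, self.cache = None, {}   # also drop tokens cached on device
        return revoked


class ResourceServer:
    def __init__(self, authz: AuthorizationServer, app_id: str):
        self.authz, self.app_id = authz, app_id

    def accepts(self, token_value: str) -> bool:
        tok = self.authz.introspect(token_value)
        return bool(tok and tok.kind == "secondary" and tok.audience == self.app_id)


def demo() -> Dict[str, object]:
    authz = AuthorizationServer({"app1": {"name": "Expenses"}, "app2": {"name": "CRM"}},
                                {"alice": "correct-horse"})   # constructed sample
    ta = TokenAgent(authz)
    ta.sign_in("alice", "correct-horse")
    st1, st2 = ta.token_for("app1"), ta.token_for("app2")
    rs1, rs2 = ResourceServer(authz, "app1"), ResourceServer(authz, "app2")
    results = {"app1_accepts_st1": rs1.accepts(st1.value),
               "app2_rejects_st1": not rs2.accepts(st1.value),
               "rs_rejects_pt": not rs1.accepts(ta.primary.value)}
    results["revoked_on_signout"] = ta.sign_out()          # PT + both STs
    results["st2_dead_after_signout"] = not rs2.accepts(st2.value)
    return results
```

Running `demo()` shows the three properties the slides argue for: one login serves two apps, a secondary token for App 1 is useless at App 2 (and the primary token is useless at any app), and signing out at the Token Agent invalidates all three tokens server-side and empties the device cache.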
Mobile App SSO
[Diagram: steps 1-9. The Token Agent authenticates via the SAML IdP (backed by AD) and obtains a primary token (PT) from the OAuth AS; it then obtains a secondary token (ST) on behalf of the Mobile App, which presents it to the RP / RS.]
Mobile App SSO
Thank You!