CIS13: Gateway to the Enterprise: Supporting SSO in Mobile Apps

Michael Smith, Mobile Product Manager, Box: Enterprise enabling your app with SSO


DESCRIPTION

Michael Smith, Product Manager, Box

Single sign-on support is a prerequisite for any enterprise product, and while SSO has been solved for the web, adapting it to native apps on mobile devices is a tough problem. With the explosion of tablets and mobile devices in business, SSO is a must for any business app developer. In this session learn how Box has tackled SSO in its mobile applications and how it has helped hundreds of other applications build SSO to support some of the biggest enterprises in the world.


Page 1: CIS13: Gateway to the Enterprise: Supporting SSO in Mobile Apps

Michael Smith, Mobile Product Manager, Box

Enterprise enabling your app with SSO

Page 2

We Live In A Whole New World

The Cloud / Consumer Devices

Page 3

Mobile Business Users

• Sales Reps
• Field Engineers
• Mobile Workers

Page 4

The Challenge

User Wants
• Easy to use
• Accessible anywhere
• Social Collaboration

IT Needs
• Enterprise grade security
• Simple to deploy and maintain
• Lower TCO

Page 5

Getting Mobility Right

1. Enable Employee Productivity
2. Address security and compliance requirements
3. Make it easy for IT to manage mobility

Page 6

Single Sign On: Today on iOS

Page 7

Benefits of SSO

1. User Provisioning
2. Access control
3. No password exchange

Page 8

Page 9

Diagram labels: User Name, Password, OAuth, SAML SSO, API Resource, Authentication Required, Access Granted

Page 10

Fun Facts: SP-initiated SSO

• TargetResource used to redirect to the right API Auth page
• Uses iOS WebView to embed a browser

Page 11

More on WebViews

Native Application Code:
• Sets WebView URLs
• Returns Redirect Information

Page 12

Road Blocks

• Minimize Taps
• Prompted for email address twice
• WebView security functionality limited
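An added example (not from the talk or from Box's own code) of the native-app side of the flow sketched on the last three slides, in Python: the app builds the SP-initiated SSO start URL carrying a TargetResource, then screens every navigation the WebView reports back, which is where native code has to compensate for the limited security functionality of the WebView itself. Every host, endpoint and parameter name other than TargetResource is an assumption constructed for the example.

```python
"""Native-app side of SP-initiated SSO through an embedded WebView (example).

The app builds the SP start URL (TargetResource pointing at the API auth page),
loads it in the WebView, and inspects every navigation the WebView hands back so
that only expected hosts are rendered and the final redirect back to the app is
consumed natively instead of being loaded in the WebView.
All hosts, endpoints and the redirect URI below are constructed, not real.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

SP_START_SSO = "https://sso.example-sp.com/sp/startSSO"      # assumed SP endpoint
API_AUTH_HOST = "api.example-sp.com"                          # host of the API auth page
ALLOWED_WEBVIEW_HOSTS = {"sso.example-sp.com", "idp.example-corp.com", API_AUTH_HOST}
APP_REDIRECT = "https://app.example-sp.com/mobile/callback"   # registered redirect URI


def build_sso_start_url(target_resource: str) -> str:
    """Return the SP-initiated SSO URL, refusing any TargetResource that would
    send the user somewhere other than the API auth page over HTTPS."""
    parts = urlsplit(target_resource)
    if parts.scheme != "https" or parts.netloc != API_AUTH_HOST:
        raise ValueError(f"TargetResource must be an https URL on {API_AUTH_HOST}")
    return f"{SP_START_SSO}?{urlencode({'TargetResource': target_resource})}"


def decide_navigation(url: str) -> tuple[str, dict]:
    """Classify a URL the WebView is about to load.

    ("intercept", {...}) - the app's redirect URI: native code takes the code/state
                           parameters and the WebView must not render the page.
    ("allow", {})        - an allow-listed HTTPS SSO/IdP/API host.
    ("block", {})        - anything else (plain http, unknown host, custom scheme).
    """
    parts = urlsplit(url)
    redirect = urlsplit(APP_REDIRECT)
    if (parts.scheme, parts.netloc, parts.path) == (redirect.scheme, redirect.netloc, redirect.path):
        query = parse_qs(parts.query)
        # Only the first value of each parameter is honoured.
        return "intercept", {k: v[0] for k, v in query.items() if k in ("code", "state")}
    if parts.scheme == "https" and parts.netloc in ALLOWED_WEBVIEW_HOSTS:
        return "allow", {}
    return "block", {}
```

On iOS the `decide_navigation` check corresponds to the WebView's navigation-policy callback; returning "intercept" is the point at which the app stops the load and continues the token exchange natively.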

Page 13

Single Sign On: Samsung Knox + Centrify

Page 14

Benefits of Samsung Knox + Centrify

1. Mobilize app and service access
2. Containerization to separate work from personal
3. Integrate mobile and application administration

Page 15

Mobilize App and Service Access

• Leveraging your existing centralized identity infrastructure – typically AD
• Use PKI authentication for SSO to Exchange, Wi-Fi and VPN
• Enable SSO for Web apps leveraging federation where possible
• Integrate Mobile Authentication SDK to enable SSO for custom applications

Page 16

Mobilize Apps with Zero Sign-On

• Move to federated app authentication
• Ensure Device Security
• Integrate Mobile App Authentication

Diagram labels: Cloud Proxy Server, IDP as a Service, Firewall, Web Application, Mobile OS, Mobile App, Mobile Auth SDK, MDM, ID

Step 1: Web Application Registration
Step 2: One time user authentication & device registration
Step 3: Token Generation
Step 4: Token based Authentication

Works great for one mobile app, but what about multiple apps on the device?

Page 17

Containerization Separates Work From Personal

• Secure Container built on a Secure OS for both security and usability
• Provides dual persona usage of popular mobile applications
• SSO for all apps in container - enabling the laptop experience on a mobile device

Page 18

Containerization with Multi-App SSO

• Multi-application SSO is built into the Knox Container
• The container identifies the user to the apps
• The container can get AD attributes for the apps
• Apps can request security tokens for their web app/service

Diagram labels: Cloud Proxy Server, IDP as a Service, Firewall, Web Application, SE Android, Knox Container (Mobile App 1 with Mobile Auth SDK, Mobile App 2 with Mobile Auth SDK, Enterprise SSO), Personal App, ID

Step 1: Web Application Registration
Step 2: One time user authentication & Container registration
Step 3: Token Generation
Step 4: Token based Authentication

Page 19

Containerization for Personal and Work Use

• Dual persona enables usage of the same app with different personalities
  – Personal Mail on the device, Business Mail in the container
  – Personal Box account on the device, Business Box account in the container

Diagram labels: Office 365: [email protected]; Box: [email protected]; Mail: [email protected]; Gmail: [email protected]; Box: [email protected]

Page 20

Integrated Mobile and App Administration

• Enabling IT to manage security policies for Mobile, Workstations and Servers
• Unifying Application management into one interface for Mobile, Web and SaaS Applications
• Leveraging automated lifecycle management through AD

Page 21

Integrated Administration Follows User Lifecycle

• Mobile device security policies follow the user's account lifecycle automatically
• Policy changes automatically apply to devices the user enrolled:

Diagram labels: Active Directory; User enrolls their own devices; Update device security settings or new group; De-provision device; Lock account and full device wipe; Delete or disable account and de-provision device

Page 22

Getting Mobility Right

1. Enable Employee Productivity
2. Address security and compliance requirements
3. Make it easy for IT to manage mobility

Page 23