Embed Size (px)
DESCRIPTION
Mobile SSO using NAPPS - OpenID Connect profile for native apps
Citation preview
© 2014 VMware Inc. All rights reserved.
Mobile SSO using NAPPS
Ashish Jain
@itickr
CIS 2014
Why is this important ?
2009 2010 2011 20120
300
600
900
Smartphones and tablets PC shipments
52%
of information workers use three or more devices for work to increase productivity
EXPLOSIVE GROWTHin shipments of smartphones and tablets
Sources: IDC, BGR, Forrester
FLATpc shipments
New Device Platforms New Apps New User ExpectationsNew Device Platforms
BYOD & JIT
The Changing Device Mix
2012 20170
1000
2000
148 141
202 240
128
352
722
1516SmartphoneTabletPortable PCDesktop PC
Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, February 28, 2013
Connected Device Market by Product Category, Shipments, 2012-2017 in Millions
The Changing Device Mix
Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, September 11, 2013
By 2017, 87% of connected devices will be smart phones and tablets
App 1
App 1
App 2 App 3
App 1
App 2 App 3
App 4
App 1 App 2 App 3
AD
App 1 App 3
AD
Policy Server
App 2
App 1
AD
Policy Server
App 2
App 3 App 1
AD
Policy Server
App 2
App 3
App 1
AD
Policy Server
App 2
App 3 App 1
AD
Policy Server
App 2
App 3
App 1
AD
SAMLIdP
App 2
App 3 App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
App 1
AD
SAMLIdP
App 2
App 3 App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
App 1
AD
SAMLIdP
App 2
App 3
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
App 3SAML RP
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS App
App 3SAML RP
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS App
App 3SAML RP
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
OAuth AS
iOS App
App 3SAML RP
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS AppiOS App
OAuth ASApp 3SAML RP
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS AppiOS App
OAuth ASApp 3SAML RP
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS AppiOS App
OAuthAS
OAuth ASApp 3SAML RP
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS AppiOS App
OAuthAS
OpenIDConnect
OpenID Connect
OAuth ASApp 3SAML RP
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS AppiOS App
OAuthAS
OpenIDConnect
OpenID Connect
OAuth ASApp 3SAML RP
TA
Web SSO Flow
1
2
3
4
SAML
IdP RP
AD
Mobile App Auth Flow
1
2
4
3
SAML
IdP RP / RS
AD
Mobile App
AS
5
6
7
OAuth
Mobile App
Mobile App(s) Auth Flow
1
2
4
3
SAML
IdP RP / RS
AD
Mobile App
AS
5
6
7
OAuth
Mobile App Auth Flow
IdP Discovery
IdP Discovery
IdP Login
Access to App
Mobile App Auth Flow
IdP Discovery
IdP Discovery
IdP Login
App Access
App Access
Mobile App
Mobile App(s) Auth Flow
1
2
4
3
SAML
IdP RP / RS
AD
Mobile App
AS
5
6
7
OAuth
Issues Authentication per Mobile App. No invalidation of access token No clean up of offline/cached data on device
Mobile App SSO – SP Init
Mobile App SSO – IdP Init
Mobile App SSO
Mobile App SSO
Where are we today ?
• Layer 7
• Centrify
• Samsung Knox
• Google Auth
App 1 App 3
AD
Policy Server
App 2
Deployment Models
• Enterprise in-house native apps
• Native App for a SaaS provider
• Multiple native apps for a single SaaS provider
NAPPS
• OIDF working group
• Profile of OpenIDConnect
• Participants include (VMware, AirWatch, Ping
Identity, Mobile Iron, Okta, OneLogin…)
NAPPS Terminology
• Token Agent: Native app that obtains access tokens on behalf of
other native apps
• AppInfo Endpoint: Endpoint to obtain metadata about apps
• Primary Token: OAuth token obtained by TA for its own use
• Secondary Token: OAuth token obtained by TA on behalf of other
native app
Mobile App SSO
1
23
SAMLIdP RP / RS
AD
Mobile App
AS
5
9OAuth
TokenAgent
3
PT
6
ST
4
5 7
8
Mobile App SSO
Thank You!
