CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
DESCRIPTION
Scott Morrison, Chief Technology Officer, Layer7
Think SSO is just about reducing logins across servers? Think again. In the mobile world, the new twist is sharing sessions across mobile apps on a device. Learn how technologies like OAuth and OpenID Connect can be leveraged by native apps to achieve MSSO.
TRANSCRIPT
Mobile Single Sign-On: Extending SSO Out To The Client
July 11, 2013
K. Scott Morrison, Senior Vice President and Distinguished Engineer
Copyright © 2013 CA. All rights reserved.
Our Problem: Secure Mobile Access to Apps and Data
How Do We Make APIs Available?
- Secure transmission
- Authentication, authorization & SSO
- Firewall mazes
- Diversity of back end systems
- Clients and servers change at different rates
[Diagram labels: Enterprise Network; API/Service Client; API/Service Servers; Firewall 1; Firewall 2; Internet; Directory]
We Want Classic SSO In An Active Profile For REST
Could leverage WS-Fed here
- SAML's second act?
[Diagram labels: API/Service Servers; apps making RESTful API calls; Internet; Directory]
But We Also Want Local App SSO
Single Sign-On App Group (these apps will share sign-on sessions): A, B, C
[Diagram labels: apps A, B, C on the device; API/Service Servers]
So now it’s getting interesting…
[Diagram labels: App layer; Persistence layer; Silos]
Mobile OS isolation is an issue.
Layer 7 Technologies Overview
Motivations: Many of our customers have architectures like this
Gateway Cluster at Edge of Network
- DMZ deployment
- Hardware appliance, virtual appliance or software
[Diagram labels: Enterprise Network; API/Service Servers …; Firewall 1; Firewall 2; Partners; Mobile Devices; Cloud SSG Cluster; API/Service Client; Directory]
Native Single Sign-On SDK For Mobile Developers
[Diagram labels: Enterprise Network; iPhone; Android; iPad; App-sharable Secure Key Store; One-time PIN via SMS, APNS, call; API Servers; Standards-based]
Strong Security for Mobile Apps
- Cross-platform and built for a consumer or BYOD world
- 100% standards-based using OAuth + OpenID Connect
- Cross-app SSO with multi-factor auth & secure channel
- X.509 certificate provisioning for strong auth and transaction signing
Three Important Entities
[Diagram labels: Device; App (A, A, B, C); User]
Self-service: the user should be able to log out if the device is lost or stolen.
Strategy
[Diagram labels: apps A, B, C; username/password; ID Token; Access Token/Refresh Token (per app); Authorization Server]
OAuth + OpenID Connect
- Profiled for mobile
- Clear distinction between device, user and app
Overall Architecture
Register device, streamlined, first usage
Request an access_token using JWT (SSO)
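An added illustration of the flow on these slides (not code from the talk or from Layer 7's SDK): one device-bound ID token, shared across the app group, is exchanged at the authorization server for a short-lived per-app access token, and a device-wide revocation covers the lost-or-stolen-device case. The HS256 keys, audience URL, claim names and app identifiers are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed demo keys; a real deployment would use asymmetric keys (RS256/ES256).
ISSUER_KEY = b"demo-idp-key"             # signs ID tokens
ACCESS_KEY = b"demo-as-key"              # signs access tokens
AS_AUDIENCE = "https://as.example.test"  # placeholder authorization server identifier

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes, audience: str, now: float) -> dict:
    """Check signature, audience and expiry before trusting any claim."""
    head, body, sig = token.split(".")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        raise ValueError("wrong audience or expired")
    return claims

class AuthorizationServer:
    def __init__(self, sso_app_group: set):
        self.sso_app_group = sso_app_group  # apps allowed to share the session (A, B, C)
        self.revoked_devices = set()

    def token_for_app(self, id_token: str, app_id: str, now: float) -> str:
        claims = verify_jwt(id_token, ISSUER_KEY, AS_AUDIENCE, now)
        if app_id not in self.sso_app_group or claims["device_id"] in self.revoked_devices:
            raise ValueError("app not in SSO group or device revoked")
        # Short-lived token scoped to one app (azp) but still tied to user and device.
        return sign_jwt({"sub": claims["sub"], "device_id": claims["device_id"],
                         "azp": app_id, "aud": AS_AUDIENCE, "exp": now + 900}, ACCESS_KEY)

    def revoke_device(self, device_id: str) -> None:
        self.revoked_devices.add(device_id)  # self-service "log out this device"

    def introspect(self, access_token: str, now: float):
        try:  # None for a forged, expired or device-revoked token
            claims = verify_jwt(access_token, ACCESS_KEY, AS_AUDIENCE, now)
        except ValueError:
            return None
        return None if claims["device_id"] in self.revoked_devices else claims
```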
Administration of Tokens
Demo