Patterns & Practices in Mobile SSO

Prabath Siriwardena, Director of Security, WSO2

About  WSO2  

๏  Global  enterprise,  founded  in  2005  by  acknowledged  leaders  in  XML,  web  services    technologies,  standards    and  open  source  

๏  Provides  only  open  source  pla:orm-­‐as-­‐a-­‐service  for  private,  public  and  hybrid  cloud  deployments  

๏  All  WSO2  products  are  100%  open  source  and  released  under  the  Apache  License  Version  2.0.  

๏  Is  an  AcIve  Member  of  OASIS,  Cloud  Security  Alliance,  OSGi  Alliance,  AMQP  Working  Group,  OpenID  FoundaIon  and  W3C.  

๏  Driven  by  InnovaIon  

๏  Launched  first  open  source  API  Management  soluIon  in  2012  

๏  Launched  App  Factory  in  2Q  2013  

๏  Launched  Enterprise  Store  and  first  open  source  Mobile  soluIon  in  4Q  2013  

 

What  WSO2  Deliver  

Within the first decade of the 21st century – internet worldwide increased from 350

million to more than 2 billion.

Mobile phone subscribers increased from

750 million to 5 billion

Today it’s around 6 billion

Only 30% of mobile users, password protect their mobile devices

Many SaaS providers ignore multifactor authentication for mobile applications

113 cell phones are lost or stolen every minute in the U.S and $7 million worth

of smartphones are lost daily

62% of mobile workers currently use their personal smartphones

for work

http://www.websense.com/assets/reports/websense-2013-threat-report.pdf

Mobile Device Management systems need to be an integral part of the corporate

Identity Management

Cloud service providers are becoming mobile friendly with REST/JSON APIs

OAuth 2.0 dominates Mobile and API security

Avoid using Resource Owner Password OAuth grant type

Mobile applications secured with OAuth can be vulnerable to phishing

Your Facebook or Twitter account credentials can be quite easily phished

through your mobile phone - than from a laptop computer

The need to bake-in client key and the secret key into the mobile app itself is an

issue yet to solve

OAuth has given a better failover capability to mobile applications in case

of an attack

It takes an average of 20 seconds for a user to log into a resource

Single Sign On increases user productivity

Browser based Single Sign On

Native App Native Web Browser

Authorization Server (IdP)

Mobile Device

Native Single Sign On

Native App Native IdP App

Mobile Device

OpenID Foundation is working on standardizing Native Single Sign On based on

OpenID Connect

Federated Single Sign On

Native App Native Web Browser

Authorization Server (IdP)

Mobile Device

SAML2 IdP

SAML2 IdP

Federated Single Sign On with heterogeneous Authorization Servers

Native App Native Web Browser

Authorization Server (IdP)

Mobile Device

Federation Hub

Authorization Server (IdP)

1 Native IdP Proxy App

2 Native IdP App

3 Native IdP App

4 Native IdP App

5 Native IdP App

Contact us !