SECURING THE NEW DIGITAL EXPERIENCE
Filling the UX gap for mobile enterprise applications.
Steffo Weber, Oracle (steffo.weber@oracle.com) & Max Liesegang, esentri (maximilian.liesegang@esentri.com)
May 2014
Overview
- Motivation
- Foundation
- Experience
- What for? UI vs. UX vs. Security; Channels
- WebSSO vs. AppSSO; OAuth; Xcode
- How long? How complicated? Alternatives

Motivation: Importance of mobile access management
The UX gap varies depending on your objectives. UX Success Factors courtesy of Jar Creative (http://www.slideshare.net/jarcreative/jar-ux-10elements)

Motivation: Evolution of UX
- Pro: Information & Data Design
- Prosumer: Graphical UI
- Consumer: User Experience Design

Motivation: Why UX is not UI
- Touchscreen with GUI
- Application (MVC)
- Background Services (REST)

Motivation: Some findings (hypothesis first)
- 13.6 million tablets shipped to enterprises (2011)
- 96.3 million tablets shipped to enterprises (2016, forecast)
Source: The rise of the enterprise tablet, http://www.mobilestatistics.com/mobile-news/the-rise-of-the-enterprise-tablet.aspx

Motivation: Some findings (hypothesis first)
- 85% prefer mobile apps over mobile websites
- 79% will not retry an app if it failed once or twice
- 48% will delete an app if it is too slow
Source: Mobile Apps: What Consumers Really Want (Compuware)
Consumer: Don't make me think.

Consumer: Now, what is the relationship to identity? Why can't I use Facebook/Twitter login?

Buying process and the corresponding identity:
1. Problem/need recognition
2. Information search
3. Evaluation of alternatives
4. Purchase decision
5. Post-purchase behaviour
Identity data accumulates along the way: Social ID -> plus Web trail -> plus Address and Billing relationship -> plus Customer ID. This is where real identity comes into play.
Customer Loyalty: UX, Security, CRM

Customer Loyalty. Advice: all channels are equal.
- Mobile sites, mobile apps, multiple apps: cookies, web SSO
- Traditional channels: cookies, web SSO

Customer Loyalty. Advice: all channels are equal.
- WebSSO: Web Access Management (WAM)
- Mobile: Mobile Access Management
- iOS built-in: Kerberos / mobile VPN

Customer Loyalty. Advice: all channels are equal. Conclusion: Unified Access Management.
Foundation: How to achieve SSO for multiple apps?

You know WebSSO, e.g. at Amazon or Oracle: one session cookie is shared by every site in the same cookie domain.

App SSO is difficult because each app has its own address space: native apps are sandboxed, so there is no shared cookie jar or session that a second app could simply reuse.

Foundation: Why mobile is different.
In a browser world, we don't access the services layer directly: Presentation Layer -> Business/Services Layer -> Data Layer. Accessing the services layer from untrusted devices exposes new risks: the iPhone is the new presentation layer, and there is no trust between the external DMZ and the service zone.
Foundation: OAuth concepts. One user token vs. multiple access tokens: the user authenticates once and a single user token is kept by the SSO agent; each app then obtains its own access token scoped to that app/service.

Foundation: AppSSO flow (iOS/Android app, SSO Agent, Mobile & Social REST web service).
A. User starts the app.
B. App asks: who is the SSO Agent on this iPhone? It can be reached via the URL scheme agent://
C. App calls agent://<get access token>
D1. If the user has not been authenticated, the agent presents a login dialog and requests a user token.
D2. If a user token is present, the agent gets an access token for the app/service.
E1. Mobile & Social issues the access token.
E2. The agent forwards the access token to the app.
F. The app makes its REST call using libidmmobilesdk; the access token is inserted automatically by the SDK.

Foundation: Service (REST, SOAP, etc.) behind Oracle Access Manager Mobile & Social. The HTTP call is intercepted: check for cookies, then check for a JWT.

GET http://oracle:7777/hello/steffo
User-Agent: OIC-Authentication
Authorization: OAM-Auth rcfpxhcf1eywcq
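The token model of the last three slides (one user token held by the agent, one access token per app, the gateway checking the JWT on the intercepted call) as an added, runnable Python model. This is not Oracle's SDK or the Mobile & Social service; it assumes HS256 tokens signed with a single constructed key, a "Bearer" Authorization scheme instead of the OAM-Auth scheme shown on the slide, and constructed credentials and app names (SampleApp, Art). The names TokenService, SSOAgent, protected_service and mint_token/verify_token are illustrative.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for this illustration. Only the token service holds it;
# neither the apps nor the on-device agent ever see it.
TOKEN_SERVICE_KEY = b"constructed-token-service-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Compact JWS (HS256): base64url(header).base64url(claims).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, key: bytes, now: int) -> Optional[dict]:
    """Claims if the signature is valid and the token has not expired, else None."""
    try:
        header, payload, signature = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong number of parts, bad base64, bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class TokenService:
    """Stand-in for the Mobile & Social REST token endpoint (constructed)."""

    def __init__(self, key: bytes, registered_apps):
        self.key = key
        self.registered_apps = set(registered_apps)

    def login(self, username: str, password: str, now: int) -> Optional[str]:
        # Constructed credential check; a real deployment authenticates against LDAP.
        if (username, password) != ("steffo", "correct-horse"):
            return None
        return mint_token({"typ": "user", "sub": username, "exp": now + 8 * 3600}, self.key)

    def exchange(self, user_token: str, app_name: str, now: int) -> Optional[str]:
        """One user token -> a short-lived access token bound to one app (aud)."""
        claims = verify_token(user_token, self.key, now)
        if claims is None or claims.get("typ") != "user":
            return None
        if app_name not in self.registered_apps:
            raise LookupError(f"app {app_name!r} is not registered with the token service")
        return mint_token({"typ": "access", "sub": claims["sub"], "aud": app_name,
                           "exp": now + 600}, self.key)


class SSOAgent:
    """The on-device agent reached via agent://; the only holder of the user token."""

    def __init__(self, token_service: TokenService):
        self.ts = token_service
        self.user_token: Optional[str] = None

    def get_access_token(self, app_name: str, now: int, login_prompt) -> Optional[str]:
        token = self.ts.exchange(self.user_token, app_name, now) if self.user_token else None
        if token is None:
            # Step D1: no usable user token -> show the login dialog and obtain one
            username, password = login_prompt()
            self.user_token = self.ts.login(username, password, now)
            if self.user_token is None:
                return None
            token = self.ts.exchange(self.user_token, app_name, now)
        # Steps D2/E: user token present -> app-scoped access token, forwarded to the app
        return token


def protected_service(headers: dict, expected_aud: str, key: bytes, now: int) -> int:
    """Gateway-side check in front of the REST service: find the JWT in the
    Authorization header and accept it only for this app. (The cookie branch
    for classical WebSSO sessions is not modelled here.)"""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401
    claims = verify_token(token, key, now)
    if claims is None or claims.get("typ") != "access":
        return 401  # missing, forged, expired, or a user token presented directly
    if claims.get("aud") != expected_aud:
        return 403  # valid token, but minted for a different app
    return 200
```

The point to take from the model: the user logs in once (the agent prompts a single time for two apps), but a token minted for SampleApp is refused by the Art service because of the aud claim, the long-lived user token is never accepted by a service, and an expired or re-signed token fails closed.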
Foundation: Architecture
- Client: Objective-C / Java app with libmobile, using RESTful identity services (CRUD, AuthN/Z, token services) and classical WebSSO
- Protocols: REST/JSON/JWT/OAuth
- Edge: WebGate, API Gateway with Mobile & Social
- Oracle Access Management Services: Access Manager, Adaptive Access Manager, Entitlements Server (OpenAZ, XACML), Directory Services (LDAP)
- Backend: Oracle Service Bus, OWSM (WS-Security), legacy services (SOAP-WS), authorization via XACML/OpenAZ

Foundation: Steps in the iOS app
1. Import libidmmobilesdk.a
2. Register a URL scheme (the app and the SSO agent talk to each other through custom URL schemes such as agent://)
3. SSO-relevant code in the iOS app (method and property names restored to camelCase from the lowercased slide text; check them against the SDK header):

    #import "IDMMobileSDK.h"

    /* Declared in the header:
       @property (nonatomic, retain) OMMobileSecurityService *mobileServices; */

    // Initialize the SDK and load the application profile from the central server
    - (void)connectToOICServerAndSetup {
        OMMobileSecurityService *mss =
            [[OMMobileSecurityService alloc] initWithURL:self.oicURL               // e.g. http://token.net:14100/
                                                 appName:self.applicationName      // e.g. SampleApp or Art
                                                  domain:self.oicServiceDomainName // e.g. MagServiceDomain
                                                delegate:self];
        self.mobileServices = mss;
        [mss release]; // the retain property now owns it (manual reference counting)

        // Login button and event configuration
        UIBarButtonItem *rightButton =
            [[UIBarButtonItem alloc] initWithTitle:@"Login"
                                             style:UIBarButtonItemStyleBordered
                                            target:self
                                            action:@selector(doLogin:)];
        self.navigationItem.rightBarButtonItem = rightButton; // attach it, otherwise it is never shown
        [rightButton release];
    }

    // Event handler: kicks off the authentication process (SSO agent / login dialog)
    - (IBAction)doLogin:(id)object {
        NSError *error = [self.mobileServices startAuthenticationProcess:nil
                                                  presenterViewController:self];
        if (error != nil) {
            NSLog(@"Authentication could not be started: %@", error);
        }
    }

    // Delegate callback once authentication has finished
    - (void)didFinishAuthentication:(OMAuthenticationContext *)context error:(NSError *)error {
        if (error == nil && context != nil) {
            username = context.userName;
        } else {
            NSLog(@"Authentication failed: %@", error);
        }
    }
Experience: How long? How complex?

Experience: How did it go?
Good:
- Easy iOS integration (SSO is transparent to the developer)
- Complete service protection
- No hassle with the Apple App Store
Suggested enhancements:
- Currently uses the old app delegate pattern

Experience: How long did it take? Total: 2-4 days (Oracle Access Manager Mobile & Social: 0.5-1 day; the remaining steps 0.5-1 day and 1 day).
Experience: What about iOS 7 native SSO? Comparison with Mobile & Social:

Criterion                                   | Mobile & Social               | iOS Enterprise SSO
Requires Configuration Profile              | No                            | Yes, only acceptable with MDM use cases
Application can control authentication flow | Yes                           | No
Customizable authentication experience/UI   | Yes                           | No
Protocol                                    | OAuth, REST                   | Kerberos only
Adaptive Access support                     | Yes                           | No
Device registration                         | Yes                           | MDM-type registration with Configuration Profile
Resources definition                        | Dynamic through Admin console | Need to redistribute Configuration Profile to add new URLs
Apps definition                             | Dynamic through Admin console | Need to redistribute Configuration Profile to add new App Bundle ID; need to confirm whether a wildcard could cause a security issue

Identity Culture: http://flip.it/caxra
Will IoT be the new mobile?