AAI for Mobile Apps
How mobile Apps can use SAML Authentication and Attributes
Lukas Hämmerle, lukas.haemmerle@switch.ch
Berne, 13 August 2014

Introduction
(Slide shows a screenshot of an app by the University of St. Gallen.)
- Universities offer apps, e.g. for e-learning and campus information
- Apps need authentication
- Apps usually are non-browser applications
- Authentication and Authorisation Infrastructures (AAI) based on SAML2 are difficult to use for non-browser applications

Prerequisites for a Solution
- App users come from many AAI organisations
  - Excludes authentication with LDAP or HTTP Basic Auth
- No changes/updates/plugins for Identity Providers needed
  - Excludes the SAML Enhanced Client or Proxy (ECP) profile
- A solution is wanted that works today in AAI

App Requirements
- App should not emulate a web browser for authentication
  - Excludes already known approaches
- App should not store the user's university password
  - Would cause problems: app data stolen by another app, a commercial company offering the app, password changes
- App should not ask the user to authenticate too often
  - Apps should be easy to use and behave like other apps
- App should always get up-to-date user attributes on start
  - Excludes approaches based on caching user attributes

Solution
(Diagram: IdP <-SAML-> Mobile Proxy (SP + DB) <-OAuth/REST/JSON-> Uni App, which is "Querying personal data and settings..."; the app also talks to an app-specific service with its own DB for other app data.)
- A (Mobile) Proxy translates authentication/attribute information from SAML2 to OAuth/REST/JSON
- The Mobile Proxy includes an OAuth2 server that grants access tokens, which are mapped to a SAML2 persistent ID

Concept of Mobile Proxy
1. User authenticates once at the Mobile Proxy via web browser
2. Mobile Proxy gets the user's persistent ID
3. Proxy stores the persistent ID and binds it to an OAuth2 access token, which is stored in the app
4. App queries the Mobile Proxy for AAI attributes with the token
5. Mobile Proxy uses the persistentId to query the user's AAI attributes via a SAML Attribute Query

User's Perspective: First App Start
- User starts the app for the first time
- App asks the user to authenticate with AAI, either on the device or on a desktop PC
- Mobile browser opens and the user selects their organisation
(Screenshots: "Uni App: Use your AAI login to authenticate. Login with Mobile Browser or Desktop Browser", then the discovery page at https://saml-pro... with "Select your organisation: University A / University B / University C / University D, Continue".)

User's Perspective: First App Start (continued)
- Authentication with AAI at the home organisation in the web browser
- The Mobile Proxy SP gets the user's attributes including the persistentId and issues an OAuth token
- A login link with a custom URL scheme is opened automatically, e.g. uniapp://{app-identifier}/{40-byte-access-token}
- Uni App uses the token to get user attributes from the Mobile Proxy
(Screenshots: IdP login form at https://aai-login... with username w.tell and password field; the link uniapp://myapp/3z...; "Uni App: Querying your personal data...".)

User's Perspective: Further App Starts
- User starts the app
- App fetches user attributes with the OAuth access token from the proxy
- App gets other app-specific data with the access token
(Screenshots: "Uni App: Querying your personal data..."; "Timetable for: William Tell: 9.00 Cross-bow lessons, 10.30 Anger management, ...")

Demo of Sample Uni App
- A quick demo is available on the AAI for Apps web page: https://www.switch.ch/aai/support/tools/aai-for-apps.html
- Two options for the initial AAI login:
  - Browser on the mobile device
  - Browser on another computer (requires typing the URL/token or scanning a QR code)

Mobile Browser vs Desktop Browser
To get the persistent ID, the user must log in at AAI with a web browser at least once. But with which browser?
- In-app browser: might not have access to the browser's saved passwords, so the user has to type username and password at the IdP again. An embedded browser is also under the app's control, so only a browser outside the app makes the "app never sees the credentials" property hold.
- Browser on the mobile device: benefits from an SSO session the user might already have; the device's default browser is used
- Browser on a desktop: the most flexible browser, might support authentication methods other than username/password, e.g. X.509 client certificates; requires the user to type the URL/token or scan a QR code

Data Flow
(Diagram: numbered steps between the IdP, the Mobile Proxy (SAML SP plus mapping-table DB), the Uni App and the app-specific service.)
1. Initial Web SSO authentication with a browser; the IdP releases the persistentId (e.g. sdf9823nou) to the Mobile Proxy SP
2. The mapping table in the proxy DB binds each access token to a persistent ID, e.g.
   Token    persistent ID
   2$892    23cj32r0hw
   69m.i    asd823enc
   4k@s8    sdf9823nou
3. Attribute Query to the IdP endpoint /idp/profile/SAML2/SOAP/AttributeQuery for the persistentId sdf9823nou; the IdP answers with a SAML Attribute Statement
4. Optional SAML attribute aggregation from additional attribute authorities (AA), which return further SAML Attribute Statements, e.g. group memberships
5. Attribute request from the app to the Mobile Proxy, /mp/uni-app/attributes, with the access token (4k@s8 in the table); the proxy returns a JSON/XML user record while the app shows "Querying personal data and settings..."
6. Request to the app-specific resource service with the OAuth access token; it returns app-specific user data
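Steps 3 to 5 of the data flow, as an added example that is not part of the original slides or of SWITCH's software: the Mobile Proxy builds a SOAP-wrapped SAML2 AttributeQuery for the persistent NameID it stored, and turns the AttributeStatement in the IdP's response into the JSON user record the app receives. Entity IDs, the attribute list and the sample response are constructed; a real proxy sends the query over TLS from its SP and lets the SP verify the response signature, which this code does not do.

```python
"""SAML2 AttributeQuery for a persistentId and parsing of the answer.
Added example, not SWITCH's Mobile Proxy code."""
import datetime as dt
import json
import uuid
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_attribute_query(sp_entity_id, idp_entity_id, persistent_id, attribute_names, now=None):
    """Step 3: <samlp:AttributeQuery> in a SOAP envelope for one persistent NameID.

    The NameID must carry the qualifiers the IdP used when it issued the
    persistentId (IdP as NameQualifier, the proxy's SP as SPNameQualifier),
    otherwise a StoredId-based IdP cannot resolve it back to the user."""
    now = now or dt.datetime.now(dt.timezone.utc)
    env = ET.Element(f"{{{NS['soap']}}}Envelope")
    body = ET.SubElement(env, f"{{{NS['soap']}}}Body")
    query = ET.SubElement(body, f"{{{NS['samlp']}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(query, f"{{{NS['saml']}}}Subject")
    name_id = ET.SubElement(subject, f"{{{NS['saml']}}}NameID", {
        "Format": PERSISTENT,
        "NameQualifier": idp_entity_id,
        "SPNameQualifier": sp_entity_id,
    })
    name_id.text = persistent_id
    for name in attribute_names:  # ask only for what this particular app needs
        ET.SubElement(query, f"{{{NS['saml']}}}Attribute", {
            "Name": name,
            "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        })
    return ET.tostring(env, encoding="unicode")


def parse_attribute_statement(soap_response_xml, expected_persistent_id):
    """Steps 3-5: extract the attributes of the queried user from <samlp:Response>.

    Checks the status and that the assertion is about the persistentId we
    asked for. Signature and TLS checks are the SP's job and not done here."""
    root = ET.fromstring(soap_response_xml)
    status = root.find(".//samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("attribute query was not successful")
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if (name_id is None or name_id.get("Format") != PERSISTENT
            or name_id.text != expected_persistent_id):
        raise ValueError("assertion is not about the queried persistentId")
    record = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        record[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return record


def user_record_json(soap_response_xml, persistent_id):
    """Step 5: the JSON user record handed back to the app."""
    return json.dumps(parse_attribute_statement(soap_response_xml, persistent_id), sort_keys=True)


# Constructed IdP answer (unsigned, shortened) for the persistentId from the slide.
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2014-08-13T10:00:00Z">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-08-13T10:00:00Z">
  <saml:Issuer>https://aai-login.example.org/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">sdf9823nou</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName"><saml:AttributeValue>William</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn"><saml:AttributeValue>Tell</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
    <saml:AttributeValue>student</saml:AttributeValue><saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    print(build_attribute_query("https://mobile-proxy.example.org/shibboleth",
                                "https://aai-login.example.org/idp/shibboleth",
                                "sdf9823nou", ["urn:oid:2.5.4.42", "urn:oid:2.5.4.4"]))
    print(user_record_json(SAMPLE_RESPONSE, "sdf9823nou"))
```

The subject check matters because the proxy trusts the IdP's answer on behalf of whichever app presented a token: a response about a different persistentId must never be mapped onto that token's user.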

App Logout / Access Token Revocation
How about revocation of the OAuth access token, for example in case the device is sold or lost?
The OAuth access token is used to:
- Authenticate with the Mobile Proxy
- Retrieve up-to-date AAI attributes from the Mobile Proxy
- Retrieve arbitrary protected resources from a third-party resource server
The token can be revoked by:
- Expiration, since the validity period is configurable
- The user within the app, by clicking on Logout
- The user via the administration interface in a web browser
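The token side of the concept (binding a persistentId to a fresh access token after the web login, the uniapp:// login link, resolving a presented token back to the persistentId, and the three revocation paths above), as an added example that is not SWITCH's PHP Mobile Proxy code. The table layout, the lifetime and the idea of storing only a hash of each token are my assumptions; the slides say nothing about how the mapping table is kept. Custom URL schemes are not exclusive to one app on mobile platforms, so the app-side parser accepts only links for its own identifier and the proxy keeps tokens expiring and revocable.

```python
"""Access-token mapping table of a Mobile Proxy plus the app-side login link.
Added example, not SWITCH's code."""
import hashlib
import secrets
import time
from urllib.parse import urlparse

TOKEN_BYTES = 40                      # slide 8: 40-byte access token in the login link
DEFAULT_LIFETIME = 180 * 24 * 3600    # assumption: validity is configurable on the proxy


class TokenStore:
    """Mapping table: access token -> persistentId (+ app and device).

    Only a SHA-256 hash of each token is stored (my addition), so a copy of
    the proxy DB does not let an attacker impersonate every app user."""

    def __init__(self, lifetime=DEFAULT_LIFETIME, clock=time.time):
        self._lifetime = lifetime
        self._clock = clock
        self._rows = {}   # token hash -> {"persistent_id", "app_id", "device", "expires"}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, persistent_id, app_id, device):
        """Concept step 3: bind a fresh random token to the persistentId the
        SP received during the web-SSO login; the token goes to the app."""
        token = secrets.token_urlsafe(TOKEN_BYTES)   # 40 random bytes, base64url
        self._rows[self._key(token)] = {
            "persistent_id": persistent_id, "app_id": app_id,
            "device": device, "expires": self._clock() + self._lifetime,
        }
        return token

    @staticmethod
    def login_link(app_id, token):
        """The custom-scheme link the browser opens to hand the token to the app."""
        return f"uniapp://{app_id}/{token}"

    def resolve(self, token, app_id):
        """Concept steps 4/5: the app presents its token; return the persistentId
        to run the attribute query for, or None if the token is unknown,
        expired, or was issued to a different app."""
        key = self._key(token)
        row = self._rows.get(key)
        if row is None or row["app_id"] != app_id:
            return None
        if row["expires"] <= self._clock():
            del self._rows[key]       # revocation by expiration, cleaned up lazily
            return None
        return row["persistent_id"]

    def revoke(self, token):
        """Logout inside the app: only this device's token dies."""
        return self._rows.pop(self._key(token), None) is not None

    def revoke_all(self, persistent_id):
        """Web interface: kill every token of a user, e.g. after a device is lost."""
        doomed = [k for k, r in self._rows.items() if r["persistent_id"] == persistent_id]
        for k in doomed:
            del self._rows[k]
        return len(doomed)

    def devices(self, persistent_id):
        """What the web interface lists for the authenticated user."""
        return sorted((r["app_id"], r["device"]) for r in self._rows.values()
                      if r["persistent_id"] == persistent_id)


def parse_login_link(url, expected_app_id):
    """App side: accept only uniapp://<own app id>/<token> and return the token."""
    parts = urlparse(url)
    token = parts.path.lstrip("/")
    if (parts.scheme != "uniapp" or parts.netloc != expected_app_id
            or not token or "/" in token):
        raise ValueError("not a login link for this app")
    return token


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("sdf9823nou", "uni-app", "phone")   # persistentId from the slide
    link = TokenStore.login_link("uni-app", tok)
    print(link)
    print(store.resolve(parse_login_link(link, "uni-app"), "uni-app"))
    print(store.devices("sdf9823nou"), store.revoke_all("sdf9823nou"))
```

Binding the token to the app identifier at issue time is what lets one proxy instance serve several apps with different attribute requirements: a token issued to one app cannot be replayed against another app's attribute endpoint.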

Logout/Token Revocation via Web Interface
(Screenshot: the administration interface shows the tokens of the authenticated user, with multiple devices listed for the same user and the same app.)

Advantages of this Approach
- The app never gets the user's AAI credentials
- Any type of authentication can be used
- Can be deployed immediately without changes to the federation
  - Requires that IdPs support persistentId (with StoredId) and attribute queries; this is the case for all SWITCHaai IdPs
- The approach also works when the SP aggregates attributes from additional attribute authorities (Virtual Organisation/group attribute providers)
- One instance of the Mobile Proxy can serve multiple apps
  - Apps can have different attribute requirements
  - Individual <EntityDescriptor>s for each app are possible

Availability and Future Plans
- Software available as open source (BSD license)
  - Sample Uni App: Java, Android app ready for customisation
  - Mobile Proxy: PHP, includes OAuth server and a simple web interface
  - Resource Server: PHP, returns a default timetable
- Developed as a prototype; no production quality yet
- More information and link to the SVN repository: http://swit.ch/aai-for-apps
- SWITCH is considering turning the Mobile Proxy into a service if the community is interested and contacts us