Enabling SSO for native applications

Similar documents

A Standards-based Mobile Application IdM Architecture

Simple Cloud Identity Management (SCIM)

Enterprise Access Control Patterns For REST and Web APIs

PRACTICAL IDENTITY AND ACCESS MANAGEMENT FOR CLOUD - A PRIMER ON THREE COMMON ADOPTION PATTERNS FOR CLOUD SECURITY

The Future of Cloud Identity Security. Michael Schwartz Founder / CEO Gluu

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

MOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com

HOL9449 Access Management: Secure web, mobile and cloud access

The Role of Identity Enabled Web Services in Cloud Computing

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough

Connecting Users with Identity as a Service

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Mobile Security. Policies, Standards, Frameworks, Guidelines

Agenda. Federation using ADFS and Extensibility options. Office 365 Identity overview. Federation and Synchronization

OpenLogin: PTA, SAML, and OAuth/OpenID

An Oracle White Paper Dec Oracle Access Management OAuth Service

Administering Jive Mobile Apps

Single Sign On. SSO & ID Management for Web and Mobile Applications

Flexible Identity Federation

How to Extend Identity Security to Your APIs

OpenID Connect 1.0 for Enterprise

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

TrustedX: eidas Platform

Copyright Pivotal Software Inc, of 10

Interoperate in Cloud with Federation

Blending Embedded Hardware OTP, SSO, and Out of Band Auth for Secure Cloud Access

SAML 101. Executive Overview WHITE PAPER

Globus Auth. Steve Tuecke. The University of Chicago

Customer Identity and Access Management (CIAM) Buyer s Guide

How To Use Salesforce Identity Features

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

SINGLE & SAME SIGN-ON ASPECTS

Cloud Elements! Marketing Hub Provisioning and Usage Guide!

OAuth 2.0. Weina Ma

Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control

White Paper. McAfee Cloud Single Sign On Reviewer s Guide

Extend and Enhance AD FS

UNIVERSITY OF COLORADO Procurement Service Center INTENT TO SOLE SOURCE PROCUREMENT CU-JL SS. Single Sign-On (SSO) Solution

Glinda Cummings World Wide Tivoli Security Product Manager

Identity. Provide. ...to Office 365 & Beyond

The Top 5 Federated Single Sign-On Scenarios

Salesforce Opportunities Portlet Documentation v2

Building Secure Applications. James Tedrick

Configuration Guide - OneDesk to SalesForce Connector

OPENIAM ACCESS MANAGER. Web Access Management made Easy

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

Egnyte Single Sign-On (SSO) Installation for OneLogin

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

CA Single Sign-On Migration Guide

The Password Problem Will Only Get Worse

Salesforce Integration User Guide Version 1.1

Google Identity Services for work

Flexible Identity Federation

SUPERVALU Successfully Leverages Tablet Technology and Identity and Access Management Infrastructure for Increased Security and Business Productivity

Identity and Access Management for the Hybrid Enterprise

Using SAML for Single Sign-On in the SOA Software Platform

An Overview of Samsung KNOX Active Directory-based Single Sign-On

User Identity and Authentication

Getting Started with Clearlogin A Guide for Administrators V1.01

SaaS at Pfizer. Challenges, Solutions, Recommendations. Worldwide Business Technology

Secure Identity in Cloud Computing

Federated Identity and Single Sign-On using CA API Gateway

Identity Implementation Guide

SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy

How to Get to Single Sign-On

How To Manage A Plethora Of Identities In A Cloud System (Saas)

The increasing popularity of mobile devices is rapidly changing how and where we

An Identity Management Survey. on Cloud Computing

The Challenges of Web single sign-on

The Primer: Nuts and Bolts of Federated Identity Management

Cloud Security: Is It Safe To Go In Yet?

OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt. Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig

Interoperability and Portability for Cloud Computing: A Guide

Authentication Strategy: Balancing Security and Convenience

Onegini Token server / Web API Platform

BYE BYE PASSWORDS. The Future of Online Identity. Hans Zandbelt Sr. Technical Architect. CTO Office - Ping Identity

managing SSO with shared credentials

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

Secure Your Enterprise with Usher Mobile Identity

Using ArcGIS with OAuth 2.0. Aaron CTO, Esri R&D Center Portland

pingidentity.com IDENTITY SECURITY TRENDS IN THE MOBILE ERA

WHITEPAPER. NAPPS: A Game-Changer for Mobile Single Sign-On (SSO)

Office365Mon Developer API

Web 2.0 Lecture 9: OAuth and OpenID

SAML 101 WHITE PAPER

Easy as 1-2-3: The Steps to XE. Mark Hoye Services Portfolio Consultant

Salesforce.com Integration Guide

Transcription:

Enabling SSO for native applications Paul Madsen Ping Identity Session ID: IAM F42B Session Classification: Intermediate

Mobile Modes Source - 'How to Connect with Mobile Consumers' Yahoo!

Overview Enterprise employees use multiple applications (combo of browser & native) in their jobs Current reality is that an Single Sign On (SSO) experience is limited to the browser apps As the number of native apps an employee uses each day increases, the burden of authenticating grows linearly Introducing a native 'authorization agent' onto device can mitigate this usability challenge enabling a SSO experience for native applications Will present a standards-based model for the authorization agent interactions with server endpoints & native applications

Variations Provider Provider Provider Multiple native apps calling independent providers each with its own API API App App API App Multiple native apps calling single provider's multiple APIs all sharing same Provider API App API App API App

Default authentication pattern Employee authentication/authorizes each native application individually Authorization manifested as the issuance of an OAuth token to each native app this presented on subsequent API calls to corresponding server Initial token issuance requires the user of the application to be authenticated (either directly or vis SSO)

Default authentication pattern App1 App2 Browser Native App2 Native App1 7

Default authentication pattern App1 App2 Browser Native App2 Native App1 8

Default authentication pattern App1 App2 Browser Native App2 Native App1 9

Implications of default pattern Employee bears burden of authenticating (and potentially authorizing) each native application separately Even if done infrequently, may be unacceptable For workforce->saas, each SaaS must directly support OAuth (running an Authorization Server) Enterprise 'distanced' from employee's use of native applications involved only at initial token issuance

Native Authorization Agent By introducing an AZA onto the device, an employee is able to collectively authenticate each native application on device in one step Rather than each application individually obtaining OAuth tokens for itself the tokens are obtained by a dedicated 'authorization agent' (AZA) Once handed the tokens from the AZA, native applications use them as normal on API calls Advantages For user, enables an SSO experience for native applications For enterprise, provides a centralized control point for application access

AZA flow App1 App2 Browser Native App2 Native App1 12

AZA flow App1 App2 Browser Native App2 Native App1 13

AZA flow App1 App2 Browser Native App2 AZA Native App1 14

AZA flow App1 App2 Browser Native App2 AZA Native App1 15

AZA flow App1 App2 Browser Native App2 AZA Native App1 16

AZA flow App1 App2 Browser Native App2 AZA Native App1 17

Advantages Employee performs explicit authentication & authorization only for the AZA results in tokens issued down to the AZA Other apps able to benefit from this AZA authentication for their own AZA tokens used to obtain application tokens User can enjoy SSO across those native applications

Standardization Multiple pieces (from potentially different providers) implies need for standards AZA to Cloud AZA to native SaaS SaaS to Cloud A number of industry players (including Ping Identity, Salesforce & VMWare) are working on a profile of OpenID Connect to meet the AZA use case For more information http://goo.gl/bjje2

Summary Usability Burden of authenticating/authorizing native applications significantly reduced Enterprise control More directly involved in token issuance Simpler mechanism for revoking employee access to SaaS applications Simplicity Smaller SaaS can outsource OAuth functionality

For more information pmadsen@pingidentity.com @paulmadsen http://goo.gl/bjje2