CIS13: Mobile Single Sign-On: Extending SSO Out to the Client

Mobile  Single  Sign-­‐On:  Extending  SSO  Out  To  The  Client  

July  11,  2013  

K.  Sco'  Morrison  Senior  Vice  President  and  DisDnguished  Engineer  

Copyright © 2013 CA. All rights reserved.  

Our  Problem:  Secure  Mobile  Access  to  Apps  and  Data  

How Do We Make APIs Available? ü  Secure Transmission

ü  Authentication, Authorization & SSO

ü  Firewall mazes

ü  Diversity of back end systems

ü  Clients and servers change at different rates

Enterprise Network

API/Service Client

API/Service Servers

Firewall 2

Firewall 1

Internet

Directory

Copyright © 2013 CA. All rights reserved.  

We  Want  Classic  SSO  In  An  Ac;ve  Profile  For  REST  

Could leverage WS-Fed here ü  SAML’s second act?

API/Service Servers

Apps making RESTful API

calls

Internet

Directory

Copyright © 2013 CA. All rights reserved.  

But  We  Also  Want  Local  App  SSO  

Single Sign On App Group (these apps will share sign-

on sessions)

A B C

API/Service Servers

So now it’s getting interesting…

Copyright © 2013 CA. All rights reserved.  

App  layer  

Persistence  layer  

Mobile  OS  Isola;on  is  an  issue  

Silos  

Layer  7  Technologies  Overview  

Mo;va;ons:  Many  of  our  customers  have  architectures  like  this  

Gateway Cluster at Edge of Network ü  DMZ deployment

ü  Hardware appliance, virtual appliance or software

Enterprise Network

API/Service Servers

…

Firewall 2

Firewall 1

Partners

Mobile Devices

Cloud SSG Cluster

API/Service Client

Directory

Layer  7  Technologies  Overview  

Na;ve  Single  Sign-­‐On  SDK  For  Mobile  Developers  

Enterprise Network

iPhone

Android

iPad

App-sharable Secure Key Store

One time PIN SMS, APNS, call

API Servers Strong Security for Mobile Apps ü  Cross-platform and built for a consumer or BYOD world

ü  100% Standards-based using OAuth+OpenID Connect

ü  X-app SSO with multi-factor auth & secure channel

ü  X.509 Certificate provisioning for strong auth and transaction signing

Standards-based

Copyright © 2013 CA. All rights reserved.  

Three  Importance  En;;es  

A A B C

Device  

App  

User  

Layer  7  Technologies  Overview  

Self  Service:  User  should  be  able  to  log  out  if  device  is  lost  or  stolen  

Copyright  ©  2012  CA.  All  rights  reserved.  

Layer  7  Technologies  Overview  

Strategy  

A B C

username/password  

ID  Token  

Access  Token/Refresh  Token  

Per  app  

Authorization Server

OAuth + OpenID Connect ü  Profiled for mobile

ü  Clear distinction between device, user and app

Layer  7  Technologies  Overview  

Overall  Architecture  

Copyright  ©  2012  CA.  All  rights  reserved.  

Copyright © 2013 CA. All rights reserved.  

Register  device,  streamlined,  first  usage  

Copyright © 2013 CA. All rights reserved.  

Request  an  access_token  using  JWT  (SSO)  

Copyright © 2013 CA. All rights reserved.  

Administra;on  of  Tokens  

Demo  

QuesDons?  

K.  ScoT  Morrison    

smorrison@layer7.com  (604)  681-­‐9377