Mobile Single Sign-On: Extending SSO Out To The Client. July 11, 2013. K. Scott Morrison, Senior Vice President and Distinguished Engineer
Jun 09, 2015
Copyright © 2013 CA. All rights reserved.
Our Problem: Secure Mobile Access to Apps and Data
How Do We Make APIs Available?
✓ Secure transmission
✓ Authentication, authorization and SSO
✓ Firewall mazes
✓ Diversity of back-end systems
✓ Clients and servers change at different rates
[Diagram: an API/Service Client on the Internet reaches the API/Service Servers and Directory inside the Enterprise Network through Firewall 1 and Firewall 2]
We Want Classic SSO In An Active Profile For REST
✓ Could leverage WS-Fed here
✓ SAML's second act?
[Diagram: apps making RESTful API calls over the Internet to API/Service Servers backed by a Directory]
But We Also Want Local App SSO
Single Sign On App Group (these apps will share sign-on sessions): apps A, B and C
[Diagram: apps A, B and C on one device calling API/Service Servers]
So now it's getting interesting…
[Diagram: each app's app layer and persistence layer form a separate silo]
Mobile OS isolation is an issue
Layer 7 Technologies Overview
Motivations: Many of our customers have architectures like this
Gateway Cluster at Edge of Network
✓ DMZ deployment
✓ Hardware appliance, virtual appliance or software
[Diagram: Partners, Mobile Devices and API/Service Clients on the Internet pass through Firewall 1, a Cloud SSG Cluster in the DMZ and Firewall 2 to reach the API/Service Servers and Directory in the Enterprise Network]
Native Single Sign-On SDK For Mobile Developers
Strong Security for Mobile Apps
✓ Cross-platform and built for a consumer or BYOD world
✓ 100% standards-based using OAuth + OpenID Connect
✓ Cross-app SSO with multi-factor auth and a secure channel
✓ X.509 certificate provisioning for strong auth and transaction signing
[Diagram: iPhone, Android and iPad apps share an app-sharable secure key store, receive a one-time PIN by SMS, APNS or call, and talk to API Servers inside the Enterprise Network]
Three Important Entities: Device, App, User
[Diagram: one user, one device, apps A, B and C on that device]
Self Service: the user should be able to log out if the device is lost or stolen
Strategy
OAuth + OpenID Connect
✓ Profiled for mobile
✓ Clear distinction between device, user and app
[Diagram: apps A, B and C on the device; a username/password login yields an ID Token; each app then obtains its own Access Token/Refresh Token, per app, from the Authorization Server]
Overall Architecture
Register device: streamlined, on first usage
Request an access_token using JWT (SSO)
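The Strategy, Register device and Request an access_token using JWT (SSO) slides describe the flow only in diagram labels. What follows is an added Python sketch written for this page to make the device / user / app split concrete; it is not CA or Layer 7 SDK or gateway code. It assumes a JWT-bearer style grant in which the requesting app signs an assertion with a per-device key issued at registration and embeds the user's ID token, so the authorization server can check device possession and user login separately and then issue a per-app access/refresh token pair. The issuer https://as.example.com, the user alice, the device device-1234 and the client_ids app-A, app-B and app-C are constructed sample data, and HS256 stands in for the asymmetric keys an X.509-provisioning deployment would use. It also covers the self-service "log out a lost or stolen device" case from the Three Important Entities slide.

```python
import base64, hashlib, hmac, json, secrets, time

# Added illustration for this page, not CA / Layer 7 SDK or gateway code.
# All endpoints, identifiers and claim layouts below are assumptions.

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_encode(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT; a real deployment would sign with an asymmetric device key."""
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def jwt_verify(token: str, key: bytes, aud: str, now: float) -> dict:
    """Check signature, audience and expiry before trusting any claim."""
    head, body, sig = token.split(".")
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != aud or claims.get("exp", 0) <= now:
        raise PermissionError("wrong audience or expired")
    return claims

class AuthorizationServer:
    """Keeps device (registration key), user (ID token) and app (access token) distinct."""
    ISSUER = "https://as.example.com"            # hypothetical
    TOKEN_ENDPOINT = ISSUER + "/token"

    def __init__(self):
        self.users = {"alice": "correct-horse"}  # constructed sample credential
        self.apps = {"app-A", "app-B", "app-C"}  # registered client_ids (constructed)
        self.id_token_key = secrets.token_bytes(32)
        self.device_keys = {}                    # device_id -> key issued at registration
        self.revoked = set()
        self.issued = {}                         # access_token -> (user, app, device)

    def register_device(self, device_id: str) -> bytes:
        """First-use registration: the SDK keeps this key in the app-sharable secure key store."""
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]

    def password_login(self, device_id, username, password, now):
        """Interactive login, once per device; the ID token is bound to the device via aud."""
        if self.users.get(username) != password or device_id not in self.device_keys:
            raise PermissionError("login failed")
        claims = {"iss": self.ISSUER, "sub": username, "aud": device_id, "exp": now + 8 * 3600}
        return jwt_encode(claims, self.id_token_key)

    def token_for_app(self, client_id, assertion, now):
        """JWT-bearer style grant: the outer JWT proves device possession, the inner ID token
        proves the user. Each app gets its own access/refresh token pair."""
        if client_id not in self.apps:
            raise PermissionError("unknown app")
        device_id = json.loads(_unb64(assertion.split(".")[1])).get("iss")
        if device_id not in self.device_keys or device_id in self.revoked:
            raise PermissionError("device unregistered or revoked")
        outer = jwt_verify(assertion, self.device_keys[device_id], self.TOKEN_ENDPOINT, now)
        user = jwt_verify(outer["id_token"], self.id_token_key, device_id, now)["sub"]
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.issued[access] = (user, client_id, device_id)
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": 900}

    def revoke_device(self, device_id):
        """Self-service logout for a lost or stolen device: kills every token issued to it."""
        self.revoked.add(device_id)
        self.issued = {t: v for t, v in self.issued.items() if v[2] != device_id}

    def introspect(self, access_token):
        return self.issued.get(access_token)

def sso_flow(now=None):
    """App A logs in; app B gets its own token with no password prompt; then the device is revoked."""
    now = time.time() if now is None else now
    az = AuthorizationServer()
    device_id = "device-1234"                                   # hypothetical
    key_store = {"device_key": az.register_device(device_id)}  # simulated shared secure key store
    key_store["id_token"] = az.password_login(device_id, "alice", "correct-horse", now)

    def app_token(client_id):
        assertion = jwt_encode({"iss": device_id, "aud": az.TOKEN_ENDPOINT, "exp": now + 60,
                                "id_token": key_store["id_token"]}, key_store["device_key"])
        return az.token_for_app(client_id, assertion, now)

    a, b = app_token("app-A"), app_token("app-B")               # B reuses the session: SSO
    result = {"a_before": az.introspect(a["access_token"]),
              "b_before": az.introspect(b["access_token"]),
              "distinct": a["access_token"] != b["access_token"]}
    az.revoke_device(device_id)
    try:
        app_token("app-C")
        result["revoked_blocked"] = False
    except PermissionError:
        result["revoked_blocked"] = True
    result["a_after"] = az.introspect(a["access_token"])
    return result

if __name__ == "__main__":
    print(sso_flow())
```

The point of the two nested signatures is the one the Strategy slide makes: the device key says which device is asking, the ID token says which user is logged in on it, and the client_id says which app is asking, so revoking the device key or the user session invalidates every app's tokens at once while each app still holds only its own bearer token.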
Administration of Tokens
Demo