Steffo Weber, Oracle & Max Liesegang, esentri Tuesday, 21-May-2013 Latest Entries Write secure code, don’t write security code. Read more Tuning the industry’s most trusted directory server. Read more Harnessing Sun’s OpenSSO Authentication and Authorization. Read more Hands-On SOA and Web Security. Read more Fine-grained authorization and XACML. Read more THE NEW DIGITAL EXPERIENCE SECURING steffo.weber@oracle.com maximilian.liesegang@esentri.com Protecting IDPs from malformed SAML requests Read more Mobile & Social Apps Wednesday, November 6, 13
33
Embed
SECURING THE NEW DIGITAL EXPERIENCE · Harnessing Sun’s OpenSSO Authentication and Authorization. Hands-On SOA and Web Security. ... Data Design Graphical UI Pro Prosumer Consumer
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
M MotivationImportance of mobile access management
Wednesday, November 6, 13
Evolution of UXMotivation
Information &Data Design
Graphical UI
Pro
Pros
umer
Cons
umer
User Experienced Design
Wednesday, November 6, 13
Why UX is not UIMotivation
‣ Touchscreen with GUI‣ Application (MVC)‣ Background Services (REST)
Wednesday, November 6, 13
Some findings (hypothesis first)Motivation
13.6 million tablets shipped to enterprises (2011)
96.3 million tablets shipped to enterprises (2016)
http://www.mobilestatistics.com/mobile-news/the-rise-of-the-enterprise-tablet.aspxMobile Apps. What Consumers really want (Compuware)
Wednesday, November 6, 13
Some findings (hypothesis first)Motivation
85% prefer mobile apps over mobile websites
79% will not retry an app if the failed once or twice
48% will delete an app if it is too slow
http://www.mobilestatistics.com/mobile-news/the-rise-of-the-enterprise-tablet.aspxMobile Apps. What Consumers really want (Compuware)
Wednesday, November 6, 13
Consumer
Don't make me think.
Wednesday, November 6, 13
Buying process
1.Problem/NeedRecognition 2.Information
Search 3.Evaluation ofAlternatives 4.Purchase
Decision 5.Post-purchaseBehaviour
Social ID Social IDWeb Trail
Social IDWeb TrailAddressBilling Rel
Social IDWeb TrailAddressBilling RelCustomer ID
?
and corresponding identity.
This is where real identity comes into play.
Wednesday, November 6, 13
Customer Loyalty
UX Security
CRM
Wednesday, November 6, 13
Customer Loyalty
mobile sites, mobile apps, traditional channels.
Cookies, web SSO
Cookies, web SSO
Multiple apps…
Advice: all channels are equal.
Wednesday, November 6, 13
Customer Loyalty Advice: all channels are equal.
WebSSO Access Management (WAM)
Mobile Access Management
iOS built-in Kerberos
Wednesday, November 6, 13
Customer Loyalty Advice: all channels are equal.
Unified Access Management
Wednesday, November 6, 13
Φ FoundationHow to achieve SSO for multiple apps?
Wednesday, November 6, 13
Foundation
Wednesday, November 6, 13
Foundation
Business/ServicesLayer
PresentationLayer
DataLayer
Wednesday, November 6, 13
Foundation
In a browser world, we don’taccess services layers directly.
Business/ServicesLayer
PresentationLayer
DataLayer
Wednesday, November 6, 13
Foundation
In a browser world, we don’taccess services layers directly.
Business/ServicesLayer
PresentationLayer
DataLayer
Wednesday, November 6, 13
Foundation
In a browser world, we don’taccess services layers directly.
Business/ServicesLayer
PresentationLayer
DataLayer
Wednesday, November 6, 13
Foundation
Accessing the serviceslayer from untrusted devicesexposes new risks.
In a browser world, we don’taccess services layers directly.
iPhone is the new presention layer
Business/ServicesLayer
PresentationLayer
DataLayer
Wednesday, November 6, 13
Foundation
Accessing the serviceslayer from untrusted devicesexposes new risks.
In a browser world, we don’taccess services layers directly.
iPhone is the new presention layer
Business/ServicesLayer
PresentationLayer
DataLayer
No trust between ext DMZ and service zone.
Wednesday, November 6, 13
Foundation
one user tokenvs.
multiple access tokens
OAuth concepts
Wednesday, November 6, 13
Foundation
iOS/Andoid App SSO Agent Mobile & Social
User starts App
BA
REST WebService
Who is the SSO Agent on this iPhone?
agent://<get access token>C
Issue access token
F
D1
Make REST call using libIDMMobileSDK. Access token is inserted automatically by SDK
You can reach it via URL scheme agent://
If user has not been authN, present login dialog and request user token.
D2
If user token is present, get access token for app/service.
Forward access tokenE1
E2
Wednesday, November 6, 13
Foundation
HTTP Call (intercepted)‣ check for cookies‣ check for JWT
Service REST, SOAP, etc
Oracle Access ManagerMobile & Social
Wednesday, November 6, 13
Foundation
Oracle Access Management Services
Access Manager
Adaptive Access Manager
Entitlements Server (OpenAZ, XACML)
Directory Services (LDAP)
Mob
ile &
Soc
ial
libMobileREST/JSON/JWT/OAuth
Objective C Java
RESTful Identity Services (CRUD, AuthN/Z, Token
Services)
OWSM (WS-Sec) SOAP-WS
Legacy Services
XACML/OpenAZ
WebGateClassical WebSSO
Oracle Service Bus
API Gateway w
Wednesday, November 6, 13
Import libIDMMobileSDK.aFoundation
Wednesday, November 6, 13
Register a URL schemeFoundation
Wednesday, November 6, 13
SSO relevant code in iOS appFoundation#import "IDMMobileSDK.h"/* we have @property (nonatomic,retain) OMMobileSecurityService *mobileServices; from header */
- (void)connectToOICServerAndSetup { …… OMMobileSecurityService *mss = [[OMMobileSecurityService alloc] initWithURL:self.oicURL // e.g. http://token.net:14100/ appName:self.applicationName // e.g. SampleApp or Art domain:self.oicServiceDomainName // e.g. MagServiceDomain delegate:self]; self.mobileServices = mss; …… UIBarButtonItem *rightButton = [[UIBarButtonItem alloc] initWithTitle:@"Login" style:UIBarButtonItemStyleBordered target:self action:@selector(doLogin:)]; }