Single sign-on across mobile applications



Francois Lascelles
Chief architect
Layer 7 Technologies
Why SSO matters?

- Adoption
- UX

Layer 7 Confidential   2
Per-app SSO vs across-app SSO

               Per-App               X-app                      X-app and X-domain
Web apps       Cookies               Cookies (domain cookies)   SAML; Social login; OpenID Connect
Mobile apps    OAuth access tokens   ?

... and x-device ...
Mobile app isolation

(Diagram: web apps share one user-agent; a cookie for domain A carries the session to Webapp 1 and Webapp 2, a cookie for domain B to Webapp 3. Mobile apps are isolated: App A, App B and App C each hold their own access token (1, 2, 3) for API 1, API 2 and API 3 in domain A. Annotation on the slide: "can be different parties".)
Why extend SSO across apps? 1/2

1. Provider avoids managing user accounts

(Diagram: the user authenticates once to the IdP and consents to multiple providers; each Provider trusts the IdP.)

By delegating authentication to a trusted IdP, multiple providers avoid managing user accounts (user name, shared secret, email) and sessions (user, state), and effectively provide an SSO UX.
Why extend SSO across apps? 2/2

2. A group of coordinated apps
- Example: a set of applications targeting BYOD

(Diagram: App A, App B and App C in one domain; the user authenticates once to the IdP and consents to multiple applications.)
Enablers

Client side
- Because each app works in isolation, there needs to be app-to-app coordination
- Even traditional web-based redirections require switching between the relying-party app and the browser app

Provider side
- API infrastructure with federation built in, or integrating with federation

(Diagram: Apps -> API Infrastructure -> ID Federation / Security-as-a-service)
Client side redirections and callback

On iOS, apps can switch between each other and pass information through the redirection URL
- Each app registers its own URL scheme
- Calling such a URL switches to the other app
- An app gets information back by providing a callback URL tailored to its own scheme

Step 1: App B calls openURL AppA://something?callback=AppB://somethingelse
Step 2: App A calls openURL AppB://somethingelse?arg=that_thing_you_need
Client side redirections and callback (continued)

Is that secure enough to pass a token?

APPLE: "If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme."
--link
Redirection/callback limitations and risks

What's at stake?

Social
- An app tricks you into letting it get an access token to call your social provider on your behalf
- Malicious app discovers your email
- Posts something embarrassing on your wall (maybe)

Enterprise
- An app tricks you into letting it get an access token meant for an enterprise app
- Malicious app now has access to all the same data as the app it pretended to be
Alternatives

Note: on iOS 6, Facebook login is 'built-in'
- Once an app is authorized, no redirections are required and the exchange is presumably more secure
But what if you don't trust the built-in social id broker?
Or what if you want to implement your own SSO across a set of coordinated applications?
- E.g. a set of enterprise apps targeting BYOD
KeyChain Groups

(Diagram: separate keychains KC A and KC B, one per app, versus a shared keychain used by both App A and App B.)

Applications signed by the same developer key can share a keychain
Combining redirection/callbacks with keychain groups enables more secure delegated authentication
- You can still pass scope between applications using URL schemes
- But the sharing of information (the token itself) between these apps can go through the secure keychain group
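The pattern on this slide (scope rides the URL-scheme callback, the token goes through the shared keychain group), modelled in Python as an added example that is not part of the deck: the iOS openURL hops and the keychain access group are simulated with plain functions and a dictionary, and the scheme names, access-group id and token format are constructed sample values.

```python
"""Scope in the URL, token in the keychain group: a model of the slide's
pattern (added example; iOS openURL and the keychain are simulated)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample values: URL schemes of the coordinated app group and the
# hypothetical keychain access group shared by apps signed with the same key.
GROUP_SCHEMES = {"appa", "appb", "appc"}
KEYCHAIN_ACCESS_GROUP = "TEAMID.com.example.sso"


class SharedKeychain:
    """Simulates a keychain access group: an item written under one access
    group is only readable by apps that hold the same access group."""

    def __init__(self):
        self._items = {}

    def put(self, access_group, key, value):
        self._items[(access_group, key)] = value

    def get(self, access_group, key):
        return self._items.get((access_group, key))


def build_request_url(target_scheme, callback_scheme, scope):
    """Step 1, requesting app: ask the identity delegate app (target_scheme)
    for `scope`; only the scope and the callback URL ride in the URL."""
    callback = urlunsplit((callback_scheme, "callback", "", "", ""))
    query = urlencode({"scope": scope, "callback": callback})
    return urlunsplit((target_scheme, "authorize", "", query, ""))


def handle_request_url(url, keychain, access_group, issue_token):
    """Step 2, identity delegate app: parse the incoming URL, only talk to
    callback schemes of the coordinated group, write the token into the
    keychain group and return a callback URL carrying an opaque handle only.
    The scheme allowlist bounds who the delegate answers; the access group is
    what keeps the token away from an app that registered the same scheme."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    callback = params.get("callback", [None])[0]
    scope = params.get("scope", [None])[0]
    if callback is None or scope is None:
        raise ValueError("missing callback or scope")
    cb_scheme = urlsplit(callback).scheme.lower()
    if cb_scheme not in GROUP_SCHEMES:
        raise ValueError(f"callback scheme {cb_scheme!r} not in app group")
    handle = secrets.token_urlsafe(16)
    keychain.put(access_group, handle,
                 {"scope": scope, "token": issue_token(scope)})
    return f"{callback}?{urlencode({'handle': handle})}"


def receive_callback(url, keychain, access_group):
    """Back in the requesting app: read the handle from the callback URL and
    fetch the token from the shared keychain group. An app that hijacked the
    scheme but is outside the access group gets nothing from the URL."""
    handle = parse_qs(urlsplit(url).query).get("handle", [None])[0]
    item = keychain.get(access_group, handle) if handle else None
    if item is None:
        raise LookupError("no keychain item for handle")
    return item


def demo():
    """Round trip App B -> App A -> App B; returns the keychain item App B gets."""
    kc = SharedKeychain()
    req = build_request_url("appa", "appb", "mail.read")
    cb = handle_request_url(req, kc, KEYCHAIN_ACCESS_GROUP,
                            issue_token=lambda scope: "tok-" + scope)
    assert "tok-" not in cb  # the token never appears in a URL
    return receive_callback(cb, kc, KEYCHAIN_ACCESS_GROUP)
```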
Provider side enablers: OAuth

OAuth is the standard for an app to get an access token
- The access token is what the app uses to consume APIs
OAuth 2.0 defines different grant types (handshakes) for different situations

(Diagram: 1. OAuth handshake: the app obtains an access token from the OAuth Authorization Server, which relies on the IdP. 2. API consumption: the app presents the access token to the OAuth Resource Server in front of the Backend API.)
Provider-side enablers: OpenID Connect

NOT OpenID
Mimics the social login pattern, but standardized
Leverages an OAuth handshake to delegate authentication

(Diagram: 1. OIDC handshake: the app obtains an access token and an id token from the OpenID Connect IdP's OAuth Authorization Server. 2. Get user info: the app calls /userinfo with the access token; "now I know who the user is".)
Federating OAuth using SAML

draft-ietf-oauth-saml2-bearer-xx
- The SAML Bearer grant type lets an application get an access token in exchange for a SAML assertion
- The API Provider trusts the ID Provider's signing certificate, which is verified as part of the OAuth handshake

(Diagram: Client application <-> ID Provider: SAML Web browser SSO or STS handshake; output: SAML assertion. Client application <-> API Provider: OAuth SAML Bearer Grant; output: access token.)
Federating OAuth using JWT

draft-ietf-oauth-jwt-bearer-xx
- The JWT Bearer grant type lets an application get an access token in exchange for a JSON Web Token (JWT)
- The API Provider trusts the ID Provider's JWS signature (RSA or HMAC), which is verified as part of the OAuth handshake
- The JWT can be issued as part of a standard OpenID Connect handshake

(Diagram: Client application <-> ID Provider: OpenID Connect handshake; output: id token (JWT). Client application <-> API Provider: OAuth JWT Bearer Grant; output: access token.)
Federating OAuth across multiple APIs

The same SAML or JWT can be trusted by multiple APIs

(Diagram: the client application obtains an id token (JWT) from the ID Provider through an OpenID Connect handshake, then uses the OAuth JWT Bearer Grant to get an access token from API A; API B trusts the same ID Provider and accepts the same JWT.)
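The JWT Bearer Grant from the two slides above, as an added example that is not the deck's code: the ID Provider issues an HS256-signed JWT, each API Provider's token endpoint verifies signature, issuer, audience and expiry before returning its own access token, and one JWT that lists both APIs' token endpoints in its aud claim (as the JWT bearer draft requires for the receiving authorization server) is accepted by both APIs. Issuer, endpoint URLs, the shared HMAC key and the access-token format are constructed sample values.

```python
"""OAuth JWT Bearer Grant, both sides (added example, not the deck's code).
HS256 is used so the example runs with the standard library only."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample values (hypothetical issuer, key and token endpoints).
IDP_ISSUER = "https://idp.example"
IDP_KEY = b"shared-hmac-key-between-idp-and-apis"
API_TOKEN_ENDPOINTS = {
    "api-a": "https://api-a.example/oauth/token",
    "api-b": "https://api-b.example/oauth/token",
}
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(key: bytes, claims: dict) -> str:
    """ID Provider side: compact JWS, HS256 over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str,
               now: float) -> dict:
    """API Provider side: signature first, then iss, aud and exp.
    Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:  # the JWT must name this API's token endpoint
        raise ValueError("JWT not intended for this API")
    if now >= claims.get("exp", 0):
        raise ValueError("JWT expired")
    return claims


def token_endpoint(api: str, form: dict, now: float = None) -> dict:
    """Token endpoint of one API Provider handling a JWT bearer request
    (grant_type + assertion form fields). Returns the token response."""
    now = time.time() if now is None else now
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        claims = verify_jwt(form.get("assertion", ""), IDP_KEY, IDP_ISSUER,
                            API_TOKEN_ENDPOINTS[api], now)
    except ValueError as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    # Opaque access token bound to the federated subject (sample format).
    return {"access_token": f"{api}.{claims['sub']}.{secrets.token_hex(8)}",
            "token_type": "Bearer", "expires_in": 3600}


def demo(now: float = 1_700_000_000.0) -> dict:
    """One id token (JWT) naming both APIs in aud, exchanged at API A and
    API B for two separate access tokens."""
    id_token = issue_jwt(IDP_KEY, {"iss": IDP_ISSUER, "sub": "alice",
                                   "aud": list(API_TOKEN_ENDPOINTS.values()),
                                   "iat": now, "exp": now + 300})
    form = {"grant_type": JWT_BEARER, "assertion": id_token}
    return {api: token_endpoint(api, form, now) for api in API_TOKEN_ENDPOINTS}
```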
Applicability to X-app mobile SSO

On iOS, the JWT is stored in a shared keychain group
This is only accessible to applications signed by a common developer key (enterprise key)

(Diagram: within an App Group, the Identity Delegate App runs the OpenID Connect handshake with the API Provider (access control + IdP) and PUTs the id token (JWT) into the KeyChain Group. App 1 and App 2 GET the id token from the keychain group and each exchange it for its own access token through the OAuth JWT Bearer Grant.)
Role of various technologies in mobile SSO?

WAM
- Focuses on Web
- Can be leveraged for management of permissions as part of mobile session handling
MDM
- Focuses on device-side security
- MAM can include user auth
API Management
- API access control
- Integrates with the existing federation mechanism in place
VPN Connections
- Does not provide application-level security (no API access control)
- Back-door security hole in a mobile device
- Better to enable strong auth from app to perimeter

 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarCA API Management
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...CA API Management
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataCA API Management
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...CA API Management
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...CA API Management
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...CA API Management
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceCA API Management
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...CA API Management
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014CA API Management
 

More from CA API Management (20)

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterprise
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIs
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches Webinar
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your Data
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & Win
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer apps
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
 

Single sign-on Across Mobile Applications from RSAConference

  • 1. Single sign-on across mobile applications
    Francois Lascelles, Chief architect, Layer 7 Technologies
  • 2. Why does SSO matter?
    - Adoption
    - UX
    (Layer 7 Confidential)
  • 3. Per-app SSO vs across-app SSO

                   Per-App               X-app                       X-app and X-domain
      Web apps     Cookies               Cookies (domain cookies)    SAML; Social login; OpenID Connect
      Mobile apps  OAuth access tokens   ?                           ?

    ... and x-device ...
  • 4. Mobile app isolation
    - Web apps: a single user-agent holds a cookie for domain A and a cookie for domain B; Webapp 1 and Webapp 2 (domain A) and Webapp 3 all see what the browser holds for their domain. The web apps can be different parties.
    - Mobile apps: App A holds access token 1 for API 1 (domain A), App B holds access token 2 for API 2, App C holds access token 3 for API 3. Each app and its token are isolated from the others.
  • 5. Why extend SSO across apps? 1/2
    1. Provider avoids managing user accounts
    - The user authenticates once at the IdP and consents to multiple providers; the providers trust the IdP.
    - By delegating authentication to a trusted IdP, multiple providers avoid managing user accounts (user name, shared secret, email) and sessions (user, state), and effectively provide an SSO UX.
  • 6. Why extend SSO across apps? 2/2
    2. A group of coordinated apps (a domain of apps)
    - Example: a set of applications targeting BYOD (App A, App B, App C)
    - The user authenticates once at the IdP and consents to multiple applications.
  • 7. Enablers
    - Client side
      - Because each app works in isolation, there needs to be app-to-app coordination.
      - Even traditional web-based redirections require switching between the relying party app and the browser app.
    - Provider side
      - API infrastructure with federation built in, or integrating with existing federation (ID federation, API security-as-a-service infrastructure, apps).
  • 8. Client side redirections and callback
    - On iOS, apps can switch between each other and pass information through the redirection URL
      - Each app registers its own URL scheme
      - Calling such a URL switches to the other app
      - An app gets information back by providing a callback URL tailored to its own scheme
    - Step 1: App B calls openURL AppA://something?callback=AppB://somethingelse
    - Step 2: App A calls openURL AppB://somethingelse?arg=that_thing_you_need
  • 9. Client side redirections and callback (continued)
    - Is that secure enough to pass a token?
    - Apple: "If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme." -- link
  • 10. Redirection/callback limitations and risks
    What's at stake?
    - Social
      - An app tricks you into letting it get an access token to call your social provider on your behalf
      - The malicious app discovers your email
      - It posts something embarrassing on your wall (maybe)
    - Enterprise
      - An app tricks you into letting it get an access token meant for an enterprise app
      - The malicious app now has access to all the same data as the app it pretended to be
  • 11. Alternatives
    - Note: on iOS 6, Facebook login is 'built-in'
      - Once an app is authorized, no redirections are required and the exchange is presumably more secure
    - But what if you don't trust the built-in social id broker?
    - Or what if you want to implement your own SSO across a set of coordinated applications?
      - E.g. a set of enterprise apps targeting BYOD
  • 12. KeyChain groups
    (Diagram: App A and App B each with its own keychain, KC A and KC B, versus App A and App B sharing one keychain)
    - Applications signed by the same developer key can share a keychain
    - Combining redirection/callbacks with keychain groups enables a more secure delegated authentication
      - You can still pass scope between applications using URL schemes
      - But the sharing of information between these apps can go through the secure keychain group
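The following Python model illustrates the handoff that slides 8 through 12 describe: the requesting app opens the delegate's URL scheme carrying only a scope and a callback, the delegate places the id token in a shared keychain group under a random one-time handle, and only the handle travels back in the callback URL. It is an added example, not code from the slides or from Layer 7; the `KeychainGroup` class and its team-id comparison stand in for an iOS keychain access group and the OS signing-identity check, the scheme names and team identifiers are constructed, and nothing here calls an iOS API.

```python
"""Model of URL-scheme redirection plus keychain-group handoff (constructed example)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class KeychainGroup:
    """Stand-in for a keychain access group: readable only by apps signed with the owning key.
    The team-id comparison models the check iOS makes from the app's signing certificate."""

    def __init__(self, team_id: str):
        self.team_id = team_id
        self._items = {}

    def put(self, caller_team_id: str, handle: str, secret: str) -> None:
        self._check(caller_team_id)
        self._items[handle] = secret

    def take(self, caller_team_id: str, handle: str) -> str:
        """One-time read: consuming the handle makes a replayed callback worthless."""
        self._check(caller_team_id)
        return self._items.pop(handle)

    def _check(self, caller_team_id: str) -> None:
        if caller_team_id != self.team_id:
            raise PermissionError("caller is not signed with the key that owns this keychain group")


def parse_app_url(url: str, own_scheme: str) -> dict:
    """Parse an openURL delivered to our scheme; refuse URLs that carry credentials."""
    parts = urlsplit(url)
    if parts.scheme.lower() != own_scheme:
        raise ValueError(f"not a {own_scheme}:// URL: {url}")
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if {"access_token", "id_token", "assertion"} & query.keys():
        raise ValueError("credentials must not travel in a URL scheme; only a handle does")
    return query


class DelegateApp:
    """Holds the user's session and hands the id token to coordinated apps via the keychain group."""

    SCHEME = "ssodelegate"  # constructed scheme name

    def __init__(self, team_id: str, keychain: KeychainGroup, peer_schemes: set):
        self.team_id, self.keychain, self.peer_schemes = team_id, keychain, peer_schemes

    def handle_open_url(self, url: str, id_token: str) -> str:
        query = parse_app_url(url, self.SCHEME)
        callback = urlsplit(query["callback"])
        if callback.scheme.lower() not in self.peer_schemes:
            raise ValueError("callback scheme is not one of the coordinated apps")
        handle = secrets.token_urlsafe(16)  # opaque, single-use reference to the token
        self.keychain.put(self.team_id, handle, id_token)
        # Only the scope and the handle cross the app boundary inside the URL.
        return f"{callback.scheme}://{callback.netloc}?" + urlencode(
            {"handle": handle, "scope": query.get("scope", "")})


class ClientApp:
    """A coordinated app that asks the delegate for the id token."""

    def __init__(self, scheme: str, team_id: str, keychain: KeychainGroup):
        self.scheme, self.team_id, self.keychain = scheme, team_id, keychain

    def request_url(self, scope: str) -> str:
        return f"{DelegateApp.SCHEME}://token?" + urlencode(
            {"scope": scope, "callback": f"{self.scheme}://sso"})

    def handle_callback(self, url: str) -> str:
        query = parse_app_url(url, self.scheme)
        return self.keychain.take(self.team_id, query["handle"])


def demo() -> dict:
    """Run the handoff once, including the two failure modes the slides warn about."""
    keychain = KeychainGroup("TEAMID0001")  # constructed team identifier
    delegate = DelegateApp("TEAMID0001", keychain, {"app1"})
    app1 = ClientApp("app1", "TEAMID0001", keychain)
    rogue = ClientApp("app1", "OTHERTEAM", keychain)  # same URL scheme, different developer key
    id_token = "constructed.id.token"
    callback_url = delegate.handle_open_url(app1.request_url("api_a"), id_token)
    try:  # iOS may hand the callback URL to whichever app claimed the scheme
        rogue.handle_callback(callback_url)
        rogue_read = True
    except PermissionError:
        rogue_read = False
    try:  # a callback pointing at a scheme outside the coordinated set is refused
        delegate.handle_open_url(f"{DelegateApp.SCHEME}://token?callback=evil://x", id_token)
        foreign_callback_accepted = True
    except ValueError:
        foreign_callback_accepted = False
    return {"token_in_url": id_token in callback_url, "rogue_read": rogue_read,
            "foreign_callback_accepted": foreign_callback_accepted,
            "legit_token": app1.handle_callback(callback_url)}
```

The model keeps the two channels separate on purpose: the URL scheme, which any app may claim, carries nothing worth stealing, while the token itself moves only through the keychain group that the signing key gates.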
  • 13. Provider side enablers: OAuth
    - OAuth is the standard for an app to get an access token
      - The access token is what the app uses to consume APIs
    - OAuth 2.0 defines different grant types (handshakes) for different situations
    - 1. OAuth handshake: the app obtains an access token from the OAuth Authorization Server (backed by the IdP)
    - 2. API consumption: the app presents the access token to the OAuth Resource Server in front of the backend API
  • 14. Provider-side enablers: OpenID Connect
    - NOT OpenID
    - Mimics the social login pattern, but standardized
    - Leverages an OAuth handshake to delegate authentication
    - 1. OIDC handshake with the OpenID Connect IdP (an OAuth Authorization Server); output: access token and id token
    - 2. Get user info from /userinfo: "Now I know who the user is"
  • 15. Federating OAuth using SAML
    - draft-ietf-oauth-saml2-bearer-xx
      - The SAML Bearer grant type lets an application get an access token in exchange for a SAML assertion
      - The API Provider trusts the ID Provider's signing certificate, which is verified as part of the OAuth handshake
    - Client application to ID Provider: SAML Web Browser SSO or STS handshake; output: SAML assertion
    - Client application to API Provider: OAuth SAML Bearer grant; output: access token
  • 16. Federating OAuth using JWT
    - draft-ietf-oauth-jwt-bearer-xx
      - The JWT Bearer grant type lets an application get an access token in exchange for a JSON Web Token (JWT)
      - The API Provider trusts the ID Provider's JWS signature, which is verified as part of the OAuth handshake (RSA or HMAC)
      - The JWT can be issued as part of a standard OpenID Connect handshake
    - Client application to ID Provider: OpenID Connect handshake; output: id token (JWT)
    - Client application to API Provider: OAuth JWT Bearer grant; output: access token
  • 17. Federating OAuth across multiple APIs
    - The same SAML or JWT can be trusted by multiple APIs
    - Client application to ID Provider: OpenID Connect handshake; output: id token (JWT)
    - Client application to API A and to API B (both trust the ID Provider): OAuth JWT Bearer grant; output: access token
  • 18. Applicability to X-app mobile SSO
    - On iOS, the JWT is stored in a shared keychain group
    - This is only accessible to applications signed by a common developer key (enterprise key)
    - Flow: the Delegate App performs the OpenID Connect handshake, receives the id token (JWT) and PUTs it in the app group's keychain group; App 1 and App 2 GET the id token from the keychain group and present it to the API Provider (access control, IdP) in an OAuth JWT Bearer grant, each receiving its own access token
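Slides 16 through 18 rely on the API Provider verifying the JWT before exchanging it for an access token. The example below, which is added here and is not Layer 7 code, models that JWT Bearer grant with the HMAC variant the slides mention, using only the Python standard library: `sign_jwt_hs256` plays the ID Provider issuing the id token, `AuthorizationServer.token` is the API Provider's token endpoint, and two `ResourceServer` instances stand in for API A and API B trusting the same JWT. The issuer URL, token endpoint, HMAC key, user name and scope names are constructed; the grant type URN is the one the JWT bearer draft defines.

```python
"""Model of the OAuth 2.0 JWT Bearer grant with an HS256 JWS (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt_hs256(claims: dict, key: bytes) -> str:
    """ID Provider side: issue a compact JWS over the claims (the id token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt_hs256(token: str, key: bytes) -> dict:
    """Check the JWS signature and return the claims; raise ValueError on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, payload, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(payload))


class AuthorizationServer:
    """API Provider side: trades a trusted issuer's JWT for an opaque access token."""

    def __init__(self, token_endpoint: str, issuer_keys: dict, scopes: set):
        self.token_endpoint = token_endpoint  # required audience of the assertion
        self.issuer_keys = issuer_keys        # trusted issuer -> shared HMAC key
        self.scopes = scopes                  # scopes this provider can grant
        self.seen_jti = set()                 # replay cache of assertion ids
        self.access_tokens = {}               # opaque token -> what it authorizes

    def token(self, form: dict, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        if form.get("grant_type") != JWT_BEARER:
            return {"error": "unsupported_grant_type"}
        assertion = form.get("assertion", "")
        try:
            # Peek at the unverified issuer only to select the key; trust nothing else yet.
            issuer = json.loads(_unb64url(assertion.split(".")[1])).get("iss")
            claims = verify_jwt_hs256(assertion, self.issuer_keys[issuer])
        except (KeyError, IndexError, ValueError, AttributeError, TypeError):
            return {"error": "invalid_grant", "error_description": "untrusted or invalid assertion"}
        aud = claims.get("aud")
        if self.token_endpoint not in (aud if isinstance(aud, list) else [aud]):
            return {"error": "invalid_grant", "error_description": "audience mismatch"}
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            return {"error": "invalid_grant", "error_description": "assertion expired"}
        if claims.get("sub") is None or claims.get("jti") in self.seen_jti:
            return {"error": "invalid_grant", "error_description": "missing subject or replay"}
        requested = form.get("scope", "").split()
        if not requested or not set(requested) <= self.scopes:
            return {"error": "invalid_scope"}
        if claims.get("jti") is not None:
            self.seen_jti.add(claims["jti"])
        access_token = secrets.token_urlsafe(32)
        self.access_tokens[access_token] = {"sub": claims["sub"], "scope": set(requested),
                                            "exp": now + 3600}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(requested)}


class ResourceServer:
    """One API behind the provider; accepts only access tokens carrying its own scope."""

    def __init__(self, auth_server: AuthorizationServer, scope: str):
        self.auth_server, self.scope = auth_server, scope

    def authorize(self, access_token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        grant = self.auth_server.access_tokens.get(access_token)
        if grant is None or grant["exp"] <= now or self.scope not in grant["scope"]:
            return None
        return grant["sub"]


def demo(now: float = 1_700_000_000.0) -> dict:
    """One id token exchanged for a token good for API A and API B, plus rejected variants."""
    idp_key = b"constructed-idp-hmac-key"  # shared between IdP and API Provider (constructed)
    endpoint = "https://api.example/oauth/token"
    provider = AuthorizationServer(endpoint, {"https://idp.example": idp_key}, {"api_a", "api_b"})
    api_a, api_b = ResourceServer(provider, "api_a"), ResourceServer(provider, "api_b")
    base = {"iss": "https://idp.example", "sub": "alice", "aud": endpoint, "iat": now}
    id_token = sign_jwt_hs256({**base, "exp": now + 300, "jti": "n-1"}, idp_key)
    form = {"grant_type": JWT_BEARER, "assertion": id_token, "scope": "api_a api_b"}
    grant = provider.token(form, now)
    head, _, sig = id_token.split(".")
    forged_payload = _b64url(json.dumps({**base, "sub": "mallory", "exp": now + 300}).encode())
    return {
        "grant": grant,
        "api_a_user": api_a.authorize(grant.get("access_token", ""), now),
        "api_b_user": api_b.authorize(grant.get("access_token", ""), now),
        "replay": provider.token(form, now),
        "forged": provider.token({**form, "assertion": f"{head}.{forged_payload}.{sig}"}, now),
        "expired": provider.token({**form, "assertion": sign_jwt_hs256(
            {**base, "exp": now - 1, "jti": "n-2"}, idp_key)}, now),
        "wrong_audience": provider.token({**form, "assertion": sign_jwt_hs256(
            {**base, "aud": "https://other.example", "exp": now + 300, "jti": "n-3"}, idp_key)}, now),
    }
```

Two design choices matter for the trust relationship the slides describe: the token endpoint decides the signature algorithm from its own configuration rather than from the `alg` header, and it checks audience, expiry and assertion id before issuing anything, so a JWT captured from another exchange cannot be replayed against this provider.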
  • 19. Role of various technologies in mobile SSO?
    - WAM
      - Focuses on the Web
      - Can be leveraged for management of permissions as part of mobile session handling
    - MDM
      - Focuses on device-side security
      - MAM can include user auth
    - API Management
      - API access control
      - Integrates with the existing federation mechanism in place
    - VPN connections
      - Do not provide application-level security (no API access control)
      - A back-door security hole in a mobile device
      - Better to enable strong auth from the app to the perimeter