Denver Startup Week '15: Mobile SSO

Mobile Single Sign-On

Are we there yet?

BRIAN CAMPBELL@__b_c

@__b_c

Formalities, Introductions, etc.• No way this will take 90 minutes• There should be food and beer• Slides will be available

– at http://www.slideshare.net/briandavidcampbell– & via https://twitter.com/__b_c

• 2 underscores +• b +• 1 underscore +• c

@__b_c

Formalities, Introductions, etc.• I’ve worked @ Ping Identity for over a decade• Ping is a Denver based ‘startup’ solving complex

identity challenges

Denver

Vancouver

London

Tel Aviv

@__b_c

I should mention that…

@__b_c

https://www.pingidentity.com/en/about/careers.html

Hiring!Ping is

@__b_c

• Disclaimers– Views or opinions presented herein are solely my own and

do not necessarily represent those of the my employer– Wholly unqualified to talk about mobile– Primarily do server side development– And not even very much of that anymore

• So, um… WTF?– Ping sponsored Denver Startup Week – And I do use a mobile phone…

My ‘Safe Harbor’ Slide

@__b_c

Though not very well

@__b_c

But Sometimes…An outsider’s perspective can help see where things just aren’t quite right

@__b_c

Premise: Single Sign-On just isn’t quite right

on mobile

@__b_c

I’m very busy and important

As you can see by my

opulent travel budget.

@__b_c

So, while I am one of those luddites who still prefers a real computer for work, sometimes I have to use my phone…

@__b_c

Just trying to join a meeting while out on the road.

@__b_c

Please excuse any intermittent time travel.

I had some technical difficulties with

something called “focus” and had to reshoot a few

images.

@__b_c

There’s my meeting!

@__b_c

(This happened on first use a long time ago)

@__b_c

What went wrong there?

@__b_c

What we want to happen1. Be able to login to the SaaS

native applications with existing Ping credentials and not some new login unique to each SaaS

@__b_c

2. Be able to access multiple SaaS native applications throughout the day after only a single authentication to Ping

@__b_c

By combining SAML & OAuth

protocols

@__b_c

By combining SAML & OAuth

protocols

Concur effectively forgot that that I

had already logged in

@__b_c

How did Concur forget?1. When first logged in to Ping as part of accessing

the Webex app, a cookie was set in the browser I was using.

2. That cookie acts as a record of the login. When next seen by the authentication system, it won’t prompt again for an explicit login (unless expired)

3. When Concur needed me authenticated by Ping, it used a different sort of browser, a webview

4. Cookies aren’t shared across these two different browser types

5. The cookie that was set earlier in the first browser wasn’t available, so I was prompted again to login

@__b_c

That’s what went wrong

Concur used a ‘webview’

@__b_c

Why Concur? Why?• Until recently mobile app developers had only two choices

for displaying web content (such as login pages) • The external system browser (e.g. Safari or Chrome) or a

webview, in which the web content appears as part of the app’s own user interface

• System browser– better security characteristics– cookie sharing (and so SSO across apps)

• Webview– better UX

@__b_c

• Behind the Scenes– Web Single Sign-On – OAuth 2.0 (ish)

@__b_c

Web Single Sign-On in one Slide• Typically

– SAML 2.0– OpenID Connect

• But also– SAML 1.1/1.0– OpenID 2.0– WS-Federation

• And maybe– Facebook Connect/Login– Whatever Twitter does– Various other non-standard

approaches

Identity Provider

Service Provider

Web Single Sign-On (SSO)

nly Log

@__b_c

OAuth 2.0 in one slide• client: An application obtaining

authorization and making protected resource requests.

– Native app on mobile device• resource server (RS): A server

capable of accepting and responding to protected resource requests (typically APIs).

• authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.

A few other OAuth terms• Access token (AT) – Presented by client when accessed protected

resources at the RS • Refresh token (RT) - Allows clients to obtain a fresh access token

without re-obtaining authorization • Scope – A permission (or set of permissions) defined by the AS/RS• Authorization endpoint – used by the client to obtain authorization

from the resource owner via user-agent redirection• Token endpoint – used for direct client to AS communication• Authorization Code – One time code issued by an AS to be

exchanged for an AT.

ClientResource

Server

Get a token

Use a token

AuthorizationServer

@__b_c

Web SSO + OAuth = Mobile SSO

Device

NativeApp

System Browser

https:// Home Service

Authorization Endpoint

Token Endpoint

Enterprise or Social Identity

Provider

@__b_c

(1) Request Authorization• When user first needs to access some

protected resource (not logged in), the app launches the system browser with an authorization request

• ‘IDP Discovery’ can be done in the native application

Device

NativeApp

System Browser

Token Endpoint

Provider

https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z

A quick note about

Apple…

@__b_c

(1a) PKCE

https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z

• Proof Key for Code Exchange by OAuth Public Clients

– PKCE, pronounced "pixy"– Binds the code exchange to the authorization

request – Newly minted RFC 7636

@__b_c

(2) Authenticate and Approve• Redirect to IDP for SSO & Service Provider

is the SP

Device

NativeApp

System Browser

Token Endpoint

Provider

• User approves the requested access

– (don’t skip this)

@__b_c

(3) Handle Callback• Authorization server returns control to the

app using HTTP redirection and includes an authorization code

– URI with a custom scheme registered to the app

• Reversed domain name as redirect_uri scheme

– Resistant to accidental collisions – Proof of domain ownership provides better recourse

against malicious collisions

Device

NativeApp

System Browser

Token Endpoint

Provider

HTTP/1.1 302 FoundLocation: org.example.myapp://oauth.cb?code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4

@__b_c

(4) Trade Code for Token(s)

Device

NativeApp

System Browser

Token Endpoint

Provider

POST /as/token.oauth2 HTTP/1.1Host: as.example.comContent-Type: application/x-www-form-urlencoded;charset=UTF-8

client_id=org.example.myapp&grant_type=authorization_code&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&code_verifier=7gEsCAcCLtCTbDl2fml2z

token endpoint request

@__b_c

(4a) PKCE AgainPOST /as/token.oauth2 HTTP/1.1Host: as.example.comContent-Type: application/x-www-form-urlencoded;charset=UTF-8

@__b_c

(4b) Trade Code for Token(s)

Device

NativeApp

System Browser

Token Endpoint

Provider

POST /as/token.oauth2 HTTP/1.1Host: as.example.comContent-Type: application/x-www-form-urlencoded;charset=UTF-8

HTTP/1.1 200 OKContent-Type: application/json;charset=UTF-8Cache-Control: no-store

{ "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RltacecQriuFfsxV41”, "refresh_token":"uyAVrtaccLZ2qPzI8rQ5ltckCdGJsz8XE58esc”}

token endpoint response

@__b_c

(5) Use Access TokenAuthenticate/authorize calls to the protected APIs by including AT in the HTTP Authorization header

Device

NativeApp

System Browser

Token Endpoint

Provider

POST /api/update-status HTTP/1.1Host: rs.example.orgAuthorization: Bearer PeRTSD9RltacecQriuFfsxV41Content-Type: application/json

{"status" : "almost done with this presentation"}

@__b_c

Rinse and Repeat• If All Goes well,

• And if not, HTTP 401• Use the refresh token to get a new access token• And if that doesn’t work or you don’t have a

refresh token, initiate the authorization request flow again

HTTP/1.1 200 OK

@__b_c

Some Folks Like to …

Device

NativeApp

System Browser

Token Endpoint

Provider

@__b_c

… Use a Web-View

Device

NativeApp

Token Endpoint

Web-View

Provider

but…

@__b_c

The Web-View Anti-Pattern• Usability Issues

– No shared context (cookie)– Requires sign-in once per app even when web SSO is possible

• Security Issues– Web-view typically isn’t sandboxed from invoking app so credentials

and authentication cookies can be stolen– Requires/encourages users to enter credentials without the address

bar and associated visual cues of site authenticity (HTTPS) • Missing Features

– Some web-views unable to access to client certificates– Generally unable to use password managers, etc.

@__b_c

Hope Springs Mobile• Latest versions of iOS & Android add a

third option for displaying web content – iOS 9 Safari View Controllers– Android Chrome 45 Chrome Custom Tabs

• Both provide new browser window with security advantages and shared context of the system browser but UX comparable to webviews

@__b_c

Wait, what about OpenID Connect?

• A simple[sic] single sign-on and identity layer on top of OAuth 2.0

• Adds an ID Token (JWT) for user authentication to the client

• And a bunch of other stuff

@__b_c

What about OpenID Connect?• Great for the

web SSO part • Can be layered

on the OAuth part

Device

NativeApp

System Browser

Token Endpoint

Provider

@__b_c

Near Term Recommendations• Use OAuth 2.0 + PKCE

– & maybe OpenID Connect• Use Web SSO• Prompt for user consent (every time)• Use new View Controllers & Custom Tabs

– Fallback to using the System Browser• Use a reversed Internet domain name in the

custom scheme for the callback URI

@__b_c

Useful Links (1997 Style)

• Mobile SSO Developers Guide – https://developer.pingidentity.com/en/resources/napps-native-app-sso.html

• OAuth 2.0 for Native Apps– https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps

• JWT Library for Java/Android– https://bitbucket.org/b_c/jose4j/

• An old blog post– https://www.pingidentity.com/en/blog/2015/07/06/mobile_sso_are_we_there_yet.html

BRIAN CAMPBELL@__b_c

THANKS! (time permitting)

QUESTIONS?

Denver Startup Week '15: Mobile SSO

Internet

Transcript of Denver Startup Week '15: Mobile SSO

SonicWall™ SSO API · 2020. 9. 24. · SSO API Reference Guide SSO Overview 1 3 SSO Overview This document specifies the external application program interface (API) for third party

Denver Startup Week: Product Management from the Trenches

Devlopmental Stages of the StartUp ~ Customer Relationship (Denver StartUp Week)

Design Considerations for Integrated Features · DesignConsiderationsforIntegratedFeatures •SingleSign-On(SSO)Considerations,onpage1 Single Sign-On (SSO)Considerations TheSingleSign-on(SSO

Accounting 101 for Entrepreneurs - Denver Startup Week 2014

Let's Build Software Everyone Can Use (Denver Startup Week 2016)

Single Sign-On Instructions (SSO) - State of · PDF fileSingle Sign-On Instructions (SSO) Registration for the SSO Step 1: Registration to Single Sign-On (SSO) Skip this section if

How to support your customers painlessly (for you and them) - Denver Startup Week 2014

Mvc denver startup week 2014

SSO Case Study - cdn.ttgtmedia.comcdn.ttgtmedia.com/searchSecurity/downloads/EDITED_GRIMES_CASE.… · SSO Case Study: The USPS Gives SSO Its ... Secrets to a successful SSO project?

Boostrapping a company to 1 million in revenue - Denver Startup Week Presentatio

Sso - Training Course

O365/Outlook Integration with SSO - view.zendesk.com · O365/Outlook Integration with SSO FAQs Can we utilize SSO without the O365/Outlook integration and vice versa? • SSO and

SSO Presentation

Alfresco SSO

Denver Startup Week - "700+ Breweries, 3,000+ Beers, 49,000 Enthusiasts, and 1 Amazing Experience"

How Denver is Leading the Internet of Things - Denver Startup Week - October 2, 2015

VIDEO - Visionary Leadership through Design Thinking - Denver Startup Week (DSW)

STATE SAFETY VERSIGHT CORE FEATURES...1. SSO commitment 2. SSO authority, organization 3. SSO minimum standards 4. SSO enforcement apparatus 5. Methodology for accident investigations,

Pick Your Poison – Mobile Web, Native, or Hybrid? - Denver Startup Week - October 24, 2012