Mobile SSO using NAPPS
Mobile SSO using NAPPS - OpenID Connect profile for native apps
![Page 1: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/1.jpg)
© 2014 VMware Inc. All rights reserved.
Mobile SSO using NAPPS
Ashish Jain
@itickr
CIS 2014
![Page 2: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/2.jpg)
Why is this important?
[Chart: smartphone and tablet shipments vs PC shipments, 2009-2012, 0-900 scale. Sources: IDC, BGR, Forrester]
EXPLOSIVE GROWTH in shipments of smartphones and tablets; FLAT PC shipments
52% of information workers use three or more devices for work to increase productivity
New Device Platforms, New Apps, New User Expectations
BYOD & JIT
![Page 3: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/3.jpg)
The Changing Device Mix
Connected Device Market by Product Category, Shipments, 2012-2017 in Millions

| Category | 2012 | 2017 |
|---|---|---|
| Smartphone | 722 | 1516 |
| Tablet | 128 | 352 |
| Portable PC | 202 | 240 |
| Desktop PC | 148 | 141 |

Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, February 28, 2013
![Page 4: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/4.jpg)
The Changing Device Mix
Source: IDC's Worldwide Smart Connected Device Tracker Forecast Data, September 11, 2013
By 2017, 87% of connected devices will be smartphones and tablets
![Page 5: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/5.jpg)
App 1
![Page 6: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/6.jpg)
App 1
App 2 App 3
![Page 7: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/7.jpg)
App 1
App 2 App 3
App 4
![Page 8: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/8.jpg)
App 1 App 2 App 3
AD
![Page 9: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/9.jpg)
App 1 App 3
AD
Policy Server
App 2
![Page 10: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/10.jpg)
App 1
AD
Policy Server
App 2
App 3 App 1
AD
Policy Server
App 2
App 3
![Page 11: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/11.jpg)
App 1
AD
Policy Server
App 2
App 3 App 1
AD
Policy Server
App 2
App 3
![Page 12: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/12.jpg)
App 1
AD
SAMLIdP
App 2
App 3 App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
![Page 13: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/13.jpg)
App 1
AD
SAMLIdP
App 2
App 3 App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
![Page 14: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/14.jpg)
App 1
AD
SAMLIdP
App 2
App 3
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
![Page 15: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/15.jpg)
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
App 3SAML RP
![Page 16: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/16.jpg)
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS App
App 3SAML RP
![Page 17: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/17.jpg)
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS App
App 3SAML RP
![Page 18: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/18.jpg)
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
OAuth AS
iOS App
App 3SAML RP
![Page 19: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/19.jpg)
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS AppiOS App
OAuth ASApp 3SAML RP
![Page 20: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/20.jpg)
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS AppiOS App
OAuth ASApp 3SAML RP
![Page 21: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/21.jpg)
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS AppiOS App
OAuthAS
OAuth ASApp 3SAML RP
![Page 22: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/22.jpg)
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS AppiOS App
OAuthAS
OpenIDConnect
OpenID Connect
OAuth ASApp 3SAML RP
![Page 23: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/23.jpg)
App 1
AD
SAMLIdP
App 2
App 1
AD
App 2
App 3
Policy Server
SAMLRP
Policy Server
SAML
iOS AppiOS App
OAuthAS
OpenIDConnect
OpenID Connect
OAuth ASApp 3SAML RP
TA
![Page 24: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/24.jpg)
Web SSO Flow
[Diagram: four numbered steps between the browser, the SAML IdP (backed by AD) and the SAML RP]
![Page 25: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/25.jpg)
Mobile App Auth Flow
[Diagram: seven numbered steps among the Mobile App, the SAML IdP (backed by AD), the OAuth AS and the RP / RS; steps 1-4 are SAML, steps 5-7 are OAuth]
![Page 26: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/26.jpg)
Mobile App(s) Auth Flow
[Diagram: the same seven-step SAML + OAuth flow, repeated by each mobile app on the device]
![Page 27: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/27.jpg)
Mobile App Auth Flow
![Page 28: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/28.jpg)
IdP Discovery
![Page 29: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/29.jpg)
IdP Discovery
![Page 30: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/30.jpg)
IdP Login
![Page 31: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/31.jpg)
Access to App
![Page 32: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/32.jpg)
Mobile App Auth Flow
![Page 33: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/33.jpg)
IdP Discovery
![Page 34: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/34.jpg)
IdP Discovery
![Page 35: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/35.jpg)
IdP Login
![Page 36: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/36.jpg)
App Access
![Page 37: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/37.jpg)
App Access
![Page 38: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/38.jpg)
Mobile App(s) Auth Flow
[Diagram: the seven-step SAML + OAuth flow, repeated by each mobile app on the device]
Issues
• Authentication per mobile app
• No invalidation of access tokens
• No clean-up of offline/cached data on the device
![Page 39: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/39.jpg)
Mobile App SSO – SP Init
![Page 40: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/40.jpg)
Mobile App SSO – IdP Init
![Page 41: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/41.jpg)
Mobile App SSO
![Page 42: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/42.jpg)
Mobile App SSO
![Page 43: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/43.jpg)
Where are we today?
• Layer 7
• Centrify
• Samsung Knox
• Google Auth
![Page 44: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/44.jpg)
[Diagram: App 1, App 2 and App 3 with AD and a Policy Server, as on slide 9]
![Page 45: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/45.jpg)
Deployment Models
• Enterprise in-house native apps
• Native App for a SaaS provider
• Multiple native apps for a single SaaS provider
![Page 46: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/46.jpg)
NAPPS
• OIDF working group
• Profile of OpenID Connect
• Participants include (VMware, AirWatch, Ping Identity, Mobile Iron, Okta, OneLogin…)
![Page 47: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/47.jpg)
NAPPS Terminology
• Token Agent: Native app that obtains access tokens on behalf of other native apps
• AppInfo Endpoint: Endpoint to obtain metadata about apps
• Primary Token: OAuth token obtained by the TA for its own use
• Secondary Token: OAuth token obtained by the TA on behalf of another native app
![Page 48: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/48.jpg)
Mobile App SSO
[Diagram: nine numbered steps. The Token Agent authenticates once against the SAML IdP (backed by AD) and the OAuth AS, receives its PT (Primary Token), obtains an ST (Secondary Token) for the Mobile App, hands the ST to the Mobile App, and the Mobile App calls the RP / RS with the ST]
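The following is an added example, not code from the deck, from the NAPPS draft or from any of the vendors named on it. It models the Token Agent pattern from the terminology and flow slides above, and the "Issues" slide (per-app authentication, no token invalidation): a stand-in OAuth AS issues a Primary Token to the TA, exchanges it for audience-restricted Secondary Tokens for apps listed in a constructed AppInfo registry, and a stand-in Resource Server checks each ST's type, audience and liveness so that one sign-out at the TA invalidates every app's token. The token format (HMAC-signed JSON), the `sid` session claim, the `https://rs.example/...` audiences and the `is_active` introspection call are all assumptions made for the example, not the NAPPS wire format.

```python
import base64
import hashlib
import hmac
import json
import secrets

AS_KEY = secrets.token_bytes(32)  # constructed AS signing key, not a real deployment's


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(claims: dict) -> str:
    """Mint a compact token: base64url(JSON claims) '.' base64url(HMAC tag)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())


def _verify(token: str) -> dict:
    """Constant-time tag check, then return the claims; raises ValueError on tamper."""
    body, tag = token.split(".")
    expected = _b64(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


class AuthorizationServer:
    """OAuth AS: issues a Primary Token to the TA and Secondary Tokens for other apps."""

    def __init__(self):
        # AppInfo registry (constructed): apps the TA may fetch an ST for, and
        # the resource-server audience each ST is restricted to.
        self.appinfo = {"app1": "https://rs.example/app1", "app2": "https://rs.example/app2"}
        self.sessions = {}  # sid -> True while the TA's login session is live

    def issue_primary_token(self, ta_client_id: str, user: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = True
        return _sign({"typ": "PT", "sub": user, "client_id": ta_client_id, "sid": sid})

    def issue_secondary_token(self, pt: str, app_client_id: str) -> str:
        claims = _verify(pt)
        if claims["typ"] != "PT" or not self.sessions.get(claims["sid"]):
            raise PermissionError("primary token invalid or revoked")
        if app_client_id not in self.appinfo:
            raise PermissionError(app_client_id + " is not in the AppInfo registry")
        return _sign({"typ": "ST", "sub": claims["sub"], "client_id": app_client_id,
                      "sid": claims["sid"], "aud": self.appinfo[app_client_id]})

    def revoke_session(self, pt: str) -> None:
        """Single sign-out: the PT and every ST minted from its session die together."""
        self.sessions[_verify(pt)["sid"]] = False

    def is_active(self, token: str) -> bool:
        """Introspection stand-in queried by resource servers."""
        try:
            return bool(self.sessions.get(_verify(token)["sid"]))
        except ValueError:
            return False


class ResourceServer:
    def __init__(self, aud: str, auth_server: AuthorizationServer):
        self.aud, self.auth_server = aud, auth_server

    def handle(self, token: str) -> int:
        try:
            claims = _verify(token)
        except ValueError:
            return 401
        if claims.get("typ") != "ST" or claims.get("aud") != self.aud:
            return 403  # a PT, or an ST minted for a different app
        if not self.auth_server.is_active(token):
            return 401  # revoked at the AS: the invalidation the deck asks for
        return 200


def run_demo() -> dict:
    auth = AuthorizationServer()
    rs1 = ResourceServer("https://rs.example/app1", auth)
    rs2 = ResourceServer("https://rs.example/app2", auth)
    pt = auth.issue_primary_token("token-agent", "alice")  # user logs in once, via the TA
    st1 = auth.issue_secondary_token(pt, "app1")  # TA fetches an ST per app, no new login
    st2 = auth.issue_secondary_token(pt, "app2")
    out = {"app1_ok": rs1.handle(st1), "app2_ok": rs2.handle(st2),
           "st1_at_rs2": rs2.handle(st1), "pt_at_rs1": rs1.handle(pt)}
    try:
        auth.issue_secondary_token(pt, "app9")
        out["unknown_app"] = "issued"
    except PermissionError:
        out["unknown_app"] = "refused"
    auth.revoke_session(pt)  # user signs out of the TA
    out["app1_after_revoke"] = rs1.handle(st1)
    out["app2_after_revoke"] = rs2.handle(st2)
    try:
        auth.issue_secondary_token(pt, "app1")
        out["st_after_revoke"] = "issued"
    except PermissionError:
        out["st_after_revoke"] = "refused"
    return out


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points carry over to a real deployment: an ST must be audience-bound so that a token handed to App 1 is useless at App 2's resource server, and the ST must remain traceable to the TA's session (here via `sid`) so that sign-out at the TA, or a device wipe driven by the policy server, invalidates every app's token at once rather than leaving per-app tokens alive.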
![Page 49: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/49.jpg)
Mobile App SSO
![Page 50: Mobile SSO using NAPPS](https://reader030.vdocuments.us/reader030/viewer/2022012913/54c264614a795967748b4595/html5/thumbnails/50.jpg)
Thank You!