securing the new digital experience · harnessing sun’s opensso authentication and authorization....
TRANSCRIPT
Steffo Weber, Oracle & Max Liesegang, esentri Tuesday, 21-May-2013 Latest Entries
Write secure code, don’t write security code.Read more
Tuning the industry’s most trusted directory server. Read more
Harnessing Sun’s OpenSSO Authentication and Authorization.
Read moreHands-On SOA and Web Security.
Read more
Fine-grained authorization and XACML.Read more
THE NEW DIGITALEXPERIENCE
SECURING
[email protected]@esentri.com
Protecting IDPs from malformed SAML requests Read moreMobile & Social Apps
Wednesday, November 6, 13
ExperienceMotivation Foundation
‣ What for?‣ UI vs UX vs Security‣ Channels
‣ How long?‣ How complicated?‣ Alternatives
‣ OAuth‣ XCode
Overview
Wednesday, November 6, 13
M MotivationImportance of mobile access management
Wednesday, November 6, 13
Evolution of UXMotivation
Information &Data Design
Graphical UI
Pro
Pros
umer
Cons
umer
User Experienced Design
Wednesday, November 6, 13
Why UX is not UIMotivation
‣ Touchscreen with GUI‣ Application (MVC)‣ Background Services (REST)
Wednesday, November 6, 13
Some findings (hypothesis first)Motivation
13.6 million tablets shipped to enterprises (2011)
96.3 million tablets shipped to enterprises (2016)
http://www.mobilestatistics.com/mobile-news/the-rise-of-the-enterprise-tablet.aspxMobile Apps. What Consumers really want (Compuware)
Wednesday, November 6, 13
Some findings (hypothesis first)Motivation
85% prefer mobile apps over mobile websites
79% will not retry an app if the failed once or twice
48% will delete an app if it is too slow
http://www.mobilestatistics.com/mobile-news/the-rise-of-the-enterprise-tablet.aspxMobile Apps. What Consumers really want (Compuware)
Wednesday, November 6, 13
Consumer
Don't make me think.
Wednesday, November 6, 13
Buying process
1.Problem/NeedRecognition 2.Information
Search 3.Evaluation ofAlternatives 4.Purchase
Decision 5.Post-purchaseBehaviour
Social ID Social IDWeb Trail
Social IDWeb TrailAddressBilling Rel
Social IDWeb TrailAddressBilling RelCustomer ID
?
and corresponding identity.
This is where real identity comes into play.
Wednesday, November 6, 13
Customer Loyalty
UX Security
CRM
Wednesday, November 6, 13
Customer Loyalty
mobile sites, mobile apps, traditional channels.
Cookies, web SSO
Cookies, web SSO
Multiple apps…
Advice: all channels are equal.
Wednesday, November 6, 13
Customer Loyalty Advice: all channels are equal.
WebSSO Access Management (WAM)
Mobile Access Management
iOS built-in Kerberos
Wednesday, November 6, 13
Customer Loyalty Advice: all channels are equal.
Unified Access Management
Wednesday, November 6, 13
Φ FoundationHow to achieve SSO for multiple apps?
Wednesday, November 6, 13
Foundation
Wednesday, November 6, 13
Foundation
Business/ServicesLayer
PresentationLayer
DataLayer
Wednesday, November 6, 13
Foundation
In a browser world, we don’taccess services layers directly.
Business/ServicesLayer
PresentationLayer
DataLayer
Wednesday, November 6, 13
Foundation
In a browser world, we don’taccess services layers directly.
Business/ServicesLayer
PresentationLayer
DataLayer
Wednesday, November 6, 13
Foundation
In a browser world, we don’taccess services layers directly.
Business/ServicesLayer
PresentationLayer
DataLayer
Wednesday, November 6, 13
Foundation
Accessing the serviceslayer from untrusted devicesexposes new risks.
In a browser world, we don’taccess services layers directly.
iPhone is the new presention layer
Business/ServicesLayer
PresentationLayer
DataLayer
Wednesday, November 6, 13
Foundation
Accessing the serviceslayer from untrusted devicesexposes new risks.
In a browser world, we don’taccess services layers directly.
iPhone is the new presention layer
Business/ServicesLayer
PresentationLayer
DataLayer
No trust between ext DMZ and service zone.
Wednesday, November 6, 13
Foundation
one user tokenvs.
multiple access tokens
OAuth concepts
Wednesday, November 6, 13
Foundation
iOS/Andoid App SSO Agent Mobile & Social
User starts App
BA
REST WebService
Who is the SSO Agent on this iPhone?
agent://<get access token>C
Issue access token
F
D1
Make REST call using libIDMMobileSDK. Access token is inserted automatically by SDK
You can reach it via URL scheme agent://
If user has not been authN, present login dialog and request user token.
D2
If user token is present, get access token for app/service.
Forward access tokenE1
E2
Wednesday, November 6, 13
Foundation
HTTP Call (intercepted)‣ check for cookies‣ check for JWT
Service REST, SOAP, etc
Oracle Access ManagerMobile & Social
Wednesday, November 6, 13
Foundation
Oracle Access Management Services
Access Manager
Adaptive Access Manager
Entitlements Server (OpenAZ, XACML)
Directory Services (LDAP)
Mob
ile &
Soc
ial
libMobileREST/JSON/JWT/OAuth
Objective C Java
RESTful Identity Services (CRUD, AuthN/Z, Token
Services)
OWSM (WS-Sec) SOAP-WS
Legacy Services
XACML/OpenAZ
WebGateClassical WebSSO
Oracle Service Bus
API Gateway w
Wednesday, November 6, 13
Import libIDMMobileSDK.aFoundation
Wednesday, November 6, 13
Register a URL schemeFoundation
Wednesday, November 6, 13
SSO relevant code in iOS appFoundation#import "IDMMobileSDK.h"/* we have @property (nonatomic,retain) OMMobileSecurityService *mobileServices; from header */
- (void)connectToOICServerAndSetup { …… OMMobileSecurityService *mss = [[OMMobileSecurityService alloc] initWithURL:self.oicURL // e.g. http://token.net:14100/ appName:self.applicationName // e.g. SampleApp or Art domain:self.oicServiceDomainName // e.g. MagServiceDomain delegate:self]; self.mobileServices = mss; …… UIBarButtonItem *rightButton = [[UIBarButtonItem alloc] initWithTitle:@"Login" style:UIBarButtonItemStyleBordered target:self action:@selector(doLogin:)]; }
- (IBAction)doLogin:(id)object { ….. NSError *error = nil; error = [self.mobileServices startAuthenticationProcess:nil presenterViewController:self];}
- (void)didFinishAuthentication:(OMAuthenticationContext *)context error:(NSError *)error{ .... username = context.userName;}
Initialize app & load profile from central server
Login button & event config
Event handler
Wednesday, November 6, 13
Σ ExperienceHow long?How complex?
Wednesday, November 6, 13
How long did it take?Experience
‣ Good• Easy iOS integration (SSO is transparent to the developer)• Complete service protection• No hazzle with Apple app store
‣ Suggested enhancements• Currently uses old app delegate pattern
Wednesday, November 6, 13
How long did it take?Experience
1 day
Oracle Access ManagerMobile & Social
0.5 - 1 day0.5 - 1 day
2 – 4 days
Wednesday, November 6, 13
What about iOS 7 native SSOExperience
Mobile & Social iOS Enterprise SSO
Requires Configuration Profile No Yes, only acceptable with MDM use cases
Application Can Control Authentication Flow
Yes No
Customizable Authentication Experience and UI
Yes No
Protocol OAuth, REST Kerberos only
Adaptive Access Support Yes No
Device Registration Yes MDM type registration with Configuration Profile
Resources Definition Dynamic through Admin console
Need to redistribute Configuration Profile to add new URLs
Apps Definition Dynamic through Admin console
Need to redistribute Configuration Profile to add new App Bundle Id, need to confirm whether wild card could cause security issue.
Wednesday, November 6, 13
Mobile is the new black
Will TV be the new mobile?
http://flip.it/caxRaIdentity Culture
Wednesday, November 6, 13