SecureAuth IdP for Mobile

egyptiannorweigan, Internet and Web Applications

31 Oct 2013

© 2012 SecureAuth. All rights reserved.

SecureAuth IdP for Mobile
Securing Enterprise Mobile Apps

AGENDA

- The Mobile Problem for the Enterprise
- SecureAuth IdP for Mobile
  - Tie Identity to Enterprise Data Stores
  - Conduct Relevant/Configurable Authentication
  - Log the Authentication
  - SSO into other apps (mobile and web)
- Demo
- FishNet Security
- Deployment
- Q&A

Issues Enterprises Have with Mobile Apps

Secure Mobile Apps

The User View Point:

First, employees, partners and customers all want mobile apps.

They like the ease of use:
- The one touch to data
- The portability
- The BYOD nature (e.g. users select/use what they like)

Secure Mobile Apps

The Enterprise Security View Point

Mobile apps are the "no man's zone" for enterprises.

Enterprises have full-scale SSO/security systems around:
- Web content:
  - SharePoint, WebLogic, WebSphere
  - SiteMinder, Oracle Access Manager, TAMeb, etc.
- VPN/gateway systems:
  - Juniper, F5, Cisco

But now they have to deploy:
- 1-Touch mobile apps
- Not tied in with their:
  - WAM (Web Access Management) systems
  - Network systems

Do they have to deploy a whole MDM system just to deploy a few mobile apps?

Secure Mobile Apps

The Enterprise Security View Point

Enterprises need to roll out mobile apps:
- To divergent user groups:
  - B2E (Employees)
  - B2B (Partners, Suppliers)
  - B2C (Customers)
- Connect the identities to existing systems: AD, LDAP, SQL, ODBC
- Conduct relevant authentication:
  - PCI DSS, NCUA, FFIEC, HITECH all require 2-Factor for data
  - What kind of 2-Factor? SMS, Telephony, X.509, KBA…
- Log the access
- And… would like to provide SSO into other mobile/web apps

SecureAuth IdP for Mobile

Secure Enterprise Mobile Apps

Key Features:
1. Tie Identity to Enterprise Data Store
2. Conduct Relevant/Configurable Authentication
3. Log the Authentication
4. SSO into other apps (mobile and web)

SecureAuth IdP for Mobile

1. Tie Identity to Identity Stores

User native directory (AD, LDAP, SQL, etc.) supplies:
- ID
- Password
- Profile Info
- Groups
2. Configurable Authentication

SecureAuth IdP for Mobile

Configurable authentication methods:
- X.509 Cert
- SMS
- Telephony
- E-mail OTP
- KBA/KBQ
- PIN
- Password
3. Log the Authentication

SecureAuth IdP for Mobile

Log the auth to:
- Local SIEM
- Syslog
- Reporting (full GUI)
- Auditing (Text, Syslog)
4a. SSO to Other Mobile Apps

SecureAuth IdP for Mobile

SSO to other mobile apps:
- Identity token consumed by SA (SecureAuth)
- Can provide SSO, or step-up authentication
- No thick client
4b. SSO to Browser Apps (Web/SaaS)

SecureAuth IdP for Mobile

SSO to other browser apps:
- Identity token consumed by SA
- SSO to web apps and browser apps
- Revocable
- Step-up authentication

1. Consume Identity
   - From varied resources and devices: Desktop, Mobile, Web SSO, AD SSO
2. Map Identity
   - From varied resources; map to the relevant data store
3. Authenticate
   - 2-Factor Authentication: SMS, Tele, X.509, PIN, Yubikey, KBA, E-mail, Help Desk
4. Assert Identity
   - X.509
   - Web Identity: VPN, Web, SaaS, Mobile
5. Log the event
   - Text, Syslog

HOW DOES SECUREAUTH IdP WORK?

Demo

SecureAuth IdP for Mobile




Workflow/Secret Sauce:

- (new) Define a URL coding scheme for your mobile app (iOS, Android)
- (new) Code for invoking/directing the "native browser" to SA for authentication
- SecureAuth IdP 2-Factor Authentication: SMS, Telephony, e-mail, KBA, Help Desk, X.509
  - Implant UBC after authentication
- SecureAuth IdP Browser SSO (UBC): read UBC before conducting auth
- (new) SecureAuth IdP directs the identity token back to the native mobile app

SecureAuth IdP for Mobile


Define Coding URL Scheme for Native App

Android (AndroidManifest.xml):

    <activity android:name=".LoginActivity" android:launchMode="singleTask">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data android:scheme="foo" />
        </intent-filter>
        …
    </activity>

iOS:

Launch an External Browser

Android:

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        …
        Button button = (Button) findViewById(R.id.login_button);
        button.setOnClickListener(new OnClickListener() {
            @Override
            public void onClick(View v) {
                // Hand the login off to the device's native browser.
                // ACTION_VIEW takes a Uri, not a String.
                Intent i = new Intent(Intent.ACTION_VIEW,
                        Uri.parse("https://secureauth.mycompany.com/SecureAuth1/"));
                startActivity(i);
            }
        });
        …
    }

iOS:

    - (IBAction)startLogin:(id)sender
    {
        NSURL *url = [NSURL URLWithString:@"https://secureauth.mycompany.com/SecureAuth1/"];
        // Opens the login URL in Safari rather than in an in-app web view.
        [[UIApplication sharedApplication] openURL:url];
    }

Return Identity Token back to App

Android:

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        // The foo:// redirect from the IdP lands here because the activity is singleTask.
        Uri data = intent.getData();
        if (data != null) {
            String accessToken = data.getQueryParameter("UserID");
            // Use the accessToken.
        }
    }

iOS:

    - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url
    {
        // Walk the query string of the foo:// callback, one key=value pair at a time.
        for (NSString *param in [[url query] componentsSeparatedByString:@"&"])
        {
            NSArray *parts = [param componentsSeparatedByString:@"="];
            if ([parts count] != 2) continue;   // skip malformed pairs
            if ([[parts objectAtIndex:0] isEqualToString:@"UserID"]) {
                NSString *accessToken = [parts objectAtIndex:1];
                // Use the accessToken.
            }
        }
        return YES;
    }

Thank you!

SecureAuth Contacts

Who            Title                  E-mail                     Phone
Jeff Lo        Director of Software   jlo@gosecureauth.com       +1.949.777.6950
Garret Grajek  CTO/COO                ggrajek@gosecureauth.com   +1.949.777.6970
SecureAuth     Sales                  sales@gosecureauth.com     +1.949.777.6959

http://www.GoSecureAuth.com

Additional Slides

Secure IdP Construction

Item                                      Home Grown   SecureAuth
Build WebServer (IdP)
  (Hardened Server, WebServer, Forms)     Manual       Automated
Identity Authentication (AD SSO)          Manual       Automated
SAML Assertion                            Manual       Automated
SAML Attributes                           Manual       Automated
X.509 Storage/Signed with Cert            Manual       Automated
SSO Portal (SaaS, Web)                    Manual       Automated
Federate ID Mapping                       Manual       Automated
2-Factor Integration                      Manual       Automated
IdM tools (PWD reset, Help Desk, etc.)    Manual       Automated
Log Authentication                        Manual       Automated

Current Environment

SecureAuth IdP: 2F/SSO for Cloud/Enterprise

SecureAuth delivers:
1. Multi-Factor Authentication
2. IdP (SSO to cloud, web, gateways)
3. IdM (Identity Management)

WHAT IS AN IdP?

Definition:
- A system that creates, maintains, and manages identity information.
- Provides principal authentication to other service providers (applications) within a federation or distributed network.
- The IdP sends an attribute assertion containing trusted information about the user to the Service Provider (SP).

Source: MIT Knowledge Base

An IdP (Identity Provider) establishes a circle of trust between the User and the Service Provider, i.e. applications:
1. User directed to IdP
2. IdP authenticates user
3. User redirected to SP with token

[Diagram: User, Enterprise Identity Provider (IdP), Service Provider (SP), with the three steps above]


HOW DOES SECUREAUTH IdP WORK?

SecureAuth IdP for Mobile

Mobile Application Security and SSO

Mobile Application Security
Including SSO and 2-Factor Authentication

Separated At Birth?

Our esteemed Tommy Wu, IPS Co., Ltd booth staff @ MobileCon

Tommy's older brother performing his YouTube hit Gangnam Style!