GARTNER SAS DAY - SecureAuth


14 Dec 2013 (3 years and 7 months ago)


© 2012 SecureAuth. All rights reserved.

SecureAuth IdP for Android

SecureAuth Corp

Dec 06, 2012

www.gosecureauth.com



Welcome to the SecureAuth Android DevCon IV Preso

Chris Hayes, SecureAuth Corporation
  Sr. Sales Engineer

Garret Grajek, SecureAuth Corporation
  CTO/COO

http://www.gosecureauth.com


AGENDA

1. SecureAuth IdP for Android
   Securing Existing Apps
     Web, SaaS, Mobile
     Portal
2. SecureAuth IdP for Mobile (Android)
   Securing NEW “Native” Mobile Apps
     Native App
     IdP, Integration
Q. & A.

Securing SaaS, Web, VPN resources on the Android Platform


SecureAuth & Android: Access to the Enterprise

[Diagram labels: End User (Desktop or Mobile), Web Apps, Gateway, Directory, “Cloud” Apps, SIEMs (Logging)]

What is Special about the Android App Platform

Android is Linux based
Code is Java Based
Most importantly:
  Has own Java Virtual Machine (Dalvik)
  Supports Interprocess Communication
  Supports embedded browsers
  Supports Communication to External Browsers

Why is this relevant?

The Android OS is very conducive to supporting apps the way desktop computers have been deployed
Apps have a fully available virtual machine
  With advanced libraries
  Including crypto libraries
Code is in Java, then compiled to .DEX Files

SecureAuth Takes advantage of Android

SecureAuth has a unique 2-Factor SSO Solution
Based on:
  Target/Redirect W3C WorkFlow
  Works for Web, VPN, SaaS
  Can conduct a 2-Factor Authentication based on
    X.509, SMS, Tele, E-mail, KBA, HelpDesk
  Then Redirect to Target Application

SecureAuth Takes advantage of Android

All processes run in the Dalvik Virtual Machine

SecureAuth Takes Advantage of Android

With One Special Android Advantage:
  Converts your pre-existing Web/SaaS app
  To a One-Touch Android App
    Downloadable APK
    Can be pre-configured with Destination Url
  User just clicks SecureAuth App
    To start configurable authentication
  One-Touch
    no URL to configure
  Completely Server Side configurable Authentication

Lastly… SecureAuth Provides Bilateral Authentication

Bilateral Authentication (PKI)
  Server validates User
  User validates Server
What Technology Conducts User/Server Authentication?
  Public Key Infrastructure
  Private/Public keys
  utilizing X.509 v3 Certificates
SecureAuth has advantage on Android
  User does not need to understand PKI
  User is not burdened with Pop-ups
  Enterprise does not have to deal w/ Revocation Technology

Who are you?

Who are you?


Turns Existing Web/SaaS App
  To a 1-Touch Android App
Supports:
  Android 2.2, 2.3, 3.0, 3.1, 3.2, 4.0, 4.1, 4.2
Secure
  Configurable Authentication (X.509, SMS, Telephony)
Unique Bilateral Authentication
  PKI Based, Bilateral, Revocable
Utilizing Existing Infrastructure
  Current Web Applications
  Current Data Stores

Demo


Securing Native Android Apps

Key Features:

1. Tie Identity to Enterprise Data Store
2. Conduct Relevant/Configurable Authentication
3. Log the Authentication
4. SSO into other apps (mobile and web)

SecureAuth IdP for Mobile

1. Tie Identity to Identity Stores

User Native Directory:
  AD, LDAP, SQL, etc
  ID
  Password
  Profile Info
  Groups

2. Configurable Authentication

Configurable Authentication:
  X.509 Cert
  SMS
  Telephony
  E-mail OTP
  KBA/KBQ
  PIN
  Password

3. Log the Authentication

Log the Auth:
  Local SIEM
  Syslog
  Reporting (full GUI)
  Auditing
  Text, Syslog

4a. SSO to Other Mobile Apps

SSO to other mobile apps:
  Identity token consumed by SA
  Can provide SSO
  Or Step-up Authentication
  No thick client

4b. SSO to Browser Apps (Web/SaaS)

SSO to other Browser Apps:
  Identity token consumed by SA
  SSO to:
    Web Apps
    Browser Apps
  Revocable
  Step-Up Authentication


Demo

SecureAuth IdP for Mobile

Workflow/Secret Sauce:

<new> Define a URL coding Scheme for your mobile app (iOS, Android)
<new> Code for invoking/directing “native browser” to SA for authentication
SecureAuth IdP 2-Factor Authentication
  SMS, Telephony, e-mail, KBA, Help Desk, x509
  Implant UBC after authentication
SecureAuth IdP Browser SSO (UBC)
  Read UBC before conducting auth
<new> SecureAuth IdP directs identity token back to Native Mobile App


Define Coding URL Scheme for Native App

Android:

<activity android:name=".LoginActivity" android:launchMode="singleTask">
    <!-- VIEW + BROWSABLE + scheme: a foo:// link opened in a browser starts this activity -->
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="foo" />
    </intent-filter>
    …
</activity>

iOS:

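Launch an External Browser

Android:

import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;

// Activity method (the enclosing class is not shown on the slide)
@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);

    Button button = (Button) findViewById(R.id.login_button);
    button.setOnClickListener(new OnClickListener() {
        @Override
        public void onClick(View v) {
            // Hand the login to the external browser; Intent takes a Uri, not a String
            Intent i = new Intent(Intent.ACTION_VIEW,
                    Uri.parse("https://secureauth.mycompany.com/SecureAuth1/"));
            startActivity(i);
        }
    });
    …
}

iOS:

- (IBAction) startLogin: (id)sender
{
    NSURL *url = [NSURL URLWithString:@"https://secureauth.mycompany.com/SecureAuth1/"];
    [[UIApplication sharedApplication] openURL:url];
}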

Return Identity Token back to App

Android:

@Override
protected void onNewIntent(Intent intent) {
    Uri data = intent.getData();
    if (data != null) {
        String accessToken = data.getQueryParameter("UserID");
        // Use the accessToken.
    }
}

iOS:

- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url
{
    for (NSString *param in [[url query] componentsSeparatedByString:@"&"])
    {
        NSArray *parts = [param componentsSeparatedByString:@"="];
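The handlers above read `UserID` from whatever `foo://` URL starts the app, and a BROWSABLE custom scheme can be invoked by any link or app on the device. The following is an added example, not code from the slides or from SecureAuth: plain Java showing checks a callback handler can apply before trusting that value. The `state` parameter, the `login` host, and the class and method names are hypothetical; the slides show only `UserID`.

```java
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class CallbackValidator {
    static final String SCHEME = "foo";   // scheme registered in the slide's manifest
    private String pendingState;          // one-time value created before the browser is launched

    // Call before opening the IdP URL; send the result as state=... (hypothetical parameter).
    String newState() {
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        pendingState = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        return pendingState;
    }

    // Returns the UserID only when the callback passes every check.
    Optional<String> accept(String callback) {
        String expected = pendingState;
        pendingState = null;              // single use, so a replayed callback is refused
        try {
            URI uri = new URI(callback);
            String raw = uri.getRawQuery();
            if (expected == null || raw == null || !SCHEME.equalsIgnoreCase(uri.getScheme())) return Optional.empty();
            Map<String, String> q = new HashMap<>();
            for (String pair : raw.split("&")) {
                String[] kv = pair.split("=", 2);
                if (kv.length != 2 || q.put(dec(kv[0]), dec(kv[1])) != null) return Optional.empty(); // malformed or duplicate
            }
            byte[] got = q.getOrDefault("state", "").getBytes(StandardCharsets.UTF_8);
            String user = q.get("UserID");
            boolean stateOk = MessageDigest.isEqual(got, expected.getBytes(StandardCharsets.UTF_8)); // no early exit
            boolean userOk = user != null && user.matches("[A-Za-z0-9._@-]{1,128}");
            return stateOk && userOk ? Optional.of(user) : Optional.empty();
        } catch (URISyntaxException | IllegalArgumentException e) {
            return Optional.empty();
        }
    }
    static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }
    public static void main(String[] args) {
        CallbackValidator v = new CallbackValidator();
        String s = v.newState();
        System.out.println(v.accept("foo://login?UserID=jdoe&state=" + s)); // constructed genuine callback
        System.out.println(v.accept("foo://login?UserID=jdoe&state=" + s)); // same callback replayed
        v.newState();
        System.out.println(v.accept("foo://login?UserID=other&state=guess")); // state does not match
    }
}
```

On Android the same checks apply to the string form of `intent.getData()` inside `onNewIntent`; the file runs as-is with `java CallbackValidator.java` on Java 11 or later.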

Thank you!

SecureAuth Contacts

Who             Title                E-mail                     Phone
Chris Hayes     Sr. Sales Engineer   chayes@gosecureauth.com    +1.860.383.5907
Garret Grajek   CTO/COO              ggrajek@gosecureauth.com   +1.949.777.6970
John Kolesar    V.P of Sales         jk@gosecureauth.com        +1.248.760.4040
SecureAuth      Sales                sales@gosecureauth.com     +1.949.777.6959

http://www.GoSecureAuth.com


Contacts

Additional Slides

HOW DOES SECUREAUTH IdP WORK?

1. Consume Identity
   From varied resources, devices
   Desktop, Mobile, Web SSO, AD SSO
2. Map Identity
   From varied resources
   Map to relevant data store
3. Authenticate
   2-Factor Authentication
   SMS, Tele, X.509, PIN, Yubikey
   KBA, E-mail, Help Desk
4. Assert Identity
   X.509
   Web Identity
   VPN, Web, SaaS, Mobile
5. Log the event
   Text, Syslog

Passwords Solved: SecureAuth/Google Integration

SecureAuth integrates into the Identity Provider - to work directly into the SAML 2.0 infrastructure.

[Diagram labels:]
  SecureAuth protected site
  SecureAuth 2-Factor authenticates user
  SecureAuth creates SAML token
  SecureAuth returns encoded SAML response to browser
  Browser redirects to enterprise-hosted SecureAuth URL
  SecureAuth
  Enterprise Directory (AD, LDAP, etc)

http://code.google.com/apis/apps/sso/saml_reference_implementation.html

Secure IdP Construction

Item                                                        Home Grown   SecureAuth
Build WebServer (IdP) (Hardened Server, WebServer, Forms)   Manual       Automated
Identity Authentication (AD SSO)                            Manual       Automated
SAML Assertion                                              Manual       Automated
SAML Attributes                                             Manual       Automated
X.509 Storage/Signed with Cert                              Manual       Automated
SSO Portal (SaaS, Web)                                      Manual       Automated
Federate ID Mapping                                         Manual       Automated
2-Factor Integration                                        Manual       Automated
IdM tools (PWD reset, Help Desk, etc)                       Manual       Automated
Log Authentication                                          Manual       Automated

Current Environment


SecureAuth IdP


Authentication “Volume Control”



SecureAuth Delivers:

1. Multi-Factor Authentication
2. IdP (SSO to cloud, web, gateways, mobile)
3. IdM (Identity Management)

SecureAuth IdP

2F/SSO for Cloud/Enterprise/Mobile

Solve Your Cloud SSO w/ SecureAuth IdP

Your Current Environment

With SecureAuth IdP