CIS13: Gateway to the Enterprise: Supporting SSO in Mobile Apps
1 like1,334 views
This document discusses enabling single sign-on (SSO) for mobile business users. It describes the needs of users who want easy access and IT who needs security and manageability. The challenges of mobility are outlined as enabling productivity while addressing security and making management easy. Solutions presented include SSO using iOS WebViews, Samsung Knox with Centrify for containerization separating work and personal activities, and integrated mobile and application administration.
CIS13: Gateway to the Enterprise: Supporting SSO in Mobile Apps
- 1. 1 Michael Smith Mobile Product Manager, Box Enterprise enabling your app with SSO
- 2. 2 We Live In A Whole New World The Cloud Consumer Devices
- 3. 3 Mobile Business Users Sales Reps Field Engineers Mobile Workers
- 4. 4 User Wants IT Needs ü Easy to use ü Accessible anywhere ü Social CollaboraLon ü Enterprise grade security ü Simple to deploy and maintain ü Lower TCO The Challenge
- 5. 5 GePng Mobility Right Enable Employee ProducLvity Address security and compliance requirements Make it easy for IT to manage mobility 1 2 3
- 6. 6 Single Sign On: Today on iOS
- 7. 7 User Provisioning Benefits of SSO Access control No password exchange 1 2 3
- 8. 8 8
- 9. 9 User Name Password OAuth SAML SSO API Resource Access Granted AuthenLcaLon Required
- 10. 10 Fun Facts SP-‐ini8ated SSO TargetResource used to redirect to the right API Auth page Uses iOS WebView to embed a browser
- 11. 11 More on WebViews NaLve ApplicaLon Code Sets Webview URLs Returns Redirect Informa8on
- 12. 12 Road Blocks Minimize Taps Prompted for email address twice Webview security func8onality limited
- 13. 13 Single Sign On: Samsung Knox + Centrify
- 14. 14 Benefits of Samsung Knox + Centrify Mobilize app and service access ContainerizaLon to separate work from personal Integrate mobile and applicaLon administraLon 1 2 3
- 15. 15 • Leveraging your exisLng centralized idenLty infrastructure – typically AD • Use PKI authenLcaLon for SSO to Exchange, Wi-‐Fi and VPN • Enable SSO for Web apps leveraging federaLon where possible • Integrate Mobile AuthenLcaLon SDK to enables SSO for custom applicaLons Mobilize App and Service Access
- 16. 16 Mobilize Apps with Zero Sign-‐On Cloud Proxy Server IDP as a Service Firewall Move to federated app authenLcaLon Ensure Device Security Integrate Mobile App AuthenLcaLon Works great for one mobile app, but what about mul8ple apps on the device? Web Application Mobile OS Mobile App Mobile Auth SDK MDM Step 2 One time user authentication & device registration Step 1 Web Application Registration Step 4 Token based Authentication Step 3 Token Generation ID
- 17. 17 • Secure Container built on a Secure OS for both security and usability • Provides dual persona usage of popular mobile applicaLons • SSO for all apps in container -‐ enabling the laptop experience on a mobile device ContainerizaLon Separates Work From Personal
- 18. 18 • MulL-‐applicaLon SSO is built into the Knox Container • The container idenLfies the user to the apps • The container can get AD abributes for the apps • Apps can request security tokens for their web app/ service ContainerizaLon with MulL-‐App SSO Cloud Proxy Server IDP as a Service Firewall Web Application SE Android Step 2 One time user authentication & Container registration Step 1 Web Application Registration Step 4 Token based Authentication ID Knox Container Mobile App 2 Mobile Auth SDK Enterprise SSO Mobile App 1 Mobile Auth SDKPersonal App Step 3 Token Generation
- 19. 19 • Dual persona enables usage of the same app with different personaliLes – Personal Mail on the device, Business Mail in the container – Personal Box account on the device, Business Box account in the container ContainerizaLon for Personal and Work Use Office 365: david.mcneely@centrify.com Box: david.mcneely@centrify.com Mail: david@mcneely.com Gmail: dfmcneely@gmail.com Box: david@mcneely.com
- 20. 20 • Enabling IT to manage security policies for Mobile, WorkstaLons and Servers • Unifying ApplicaLon management into one interface for Mobile, Web and SaaS ApplicaLons • Leveraging automated lifecycle management through AD Integrated Mobile and App AdministraLon
- 21. 21 • Mobile device security policies follow the user’s account lifecycle automaLcally • Policy changes automaLcally apply to devices the user enrolled: Integrated AdministraLon Follows User Lifecycle User enrolls their own devices Update device security settings or new group de-provision device Lock account and full device wipe Delete or disable account and de-provision device Active Directory
- 22. 22 GePng Mobility Right Enable Employee ProducLvity Address security and compliance requirements Make it easy for IT to manage mobility 1 2 3
- 23. 23 23