Patterns & Practices in Mobile SSO
Prabath Siriwardena, Director of Security, WSO2
About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides the only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by Innovation
๏ Launched first open source API Management solution in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
What WSO2 Delivers
Within the first decade of the 21st century, internet users worldwide increased from 350 million to more than 2 billion.
Mobile phone subscribers increased from 750 million to 5 billion. Today it's around 6 billion.
Only 30% of mobile users password protect their mobile devices
Many SaaS providers ignore multifactor authentication for mobile applications
113 cell phones are lost or stolen every minute in the U.S., and $7 million worth of smartphones are lost daily
62% of mobile workers currently use their personal smartphones for work
http://www.websense.com/assets/reports/websense-2013-threat-report.pdf
Mobile Device Management systems need to be an integral part of corporate Identity Management
Cloud service providers are becoming mobile-friendly with REST/JSON APIs
OAuth 2.0 dominates Mobile and API security
Avoid using Resource Owner Password OAuth grant type
Mobile applications secured with OAuth can be vulnerable to phishing
Your Facebook or Twitter account credentials are more easily phished through your mobile phone than from a laptop computer
The need to bake the client key and the client secret into the mobile app itself is an issue yet to be solved
OAuth gives mobile applications better failover capability in case of an attack
It takes an average of 20 seconds for a user to log into a resource
Single Sign On increases user productivity
Browser based Single Sign On
Diagram: Mobile Device running a Native App and the Native Web Browser; Authorization Server (IdP)
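The browser-based pattern in the diagram above, set against the deck's earlier advice to avoid the Resource Owner Password grant, as an added Python example that is not part of the original slides and not WSO2 code. A constructed toy authorization server (the user store, the client id "mobile-app" and the callback "myapp://callback" are all invented for the example) exposes both grants. With the password grant the native app collects and forwards the user's password, so any app that can draw the same login form gets the same credential; with the browser-based flow the password is entered only at the IdP in the system browser, and the app receives a single-use code that it redeems only if the returned `state` matches the request it started. The public client carries no client secret, which sidesteps the baked-in secret problem the deck raises (PKCE, the later standard hardening for that case, is not on the page and is left out).

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed user store for the toy authorization server (not a real WSO2 component).
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

CLIENT_ID = "mobile-app"           # public client: no client secret is baked into the app
REDIRECT_URI = "myapp://callback"  # custom-scheme callback the native app registers


class AuthorizationServer:
    """Toy OAuth 2.0 authorization server offering both the password grant and the
    authorization code grant, so the two client patterns can be compared."""

    def __init__(self):
        self._codes = {}   # authorization code -> (client_id, redirect_uri, username)
        self.tokens = {}   # access token -> username

    def _authenticate(self, username, password):
        stored = _USERS.get(username)
        given = hashlib.sha256(password.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, given)

    def _issue_token(self, username):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        return {"access_token": token, "token_type": "Bearer"}

    # Resource Owner Password Credentials grant: the client hands over the user's
    # password, so the app (or anything imitating its login form) sees it in clear.
    def token_password_grant(self, client_id, username, password):
        if client_id != CLIENT_ID or not self._authenticate(username, password):
            return {"error": "invalid_grant"}
        return self._issue_token(username)

    # Authorization endpoint, reached through the system browser: the user signs in
    # at the IdP and only a short-lived, single-use code travels back to the app.
    def authorize(self, client_id, redirect_uri, state, username, password):
        if client_id != CLIENT_ID or redirect_uri != REDIRECT_URI:
            return None
        if not self._authenticate(username, password):
            return None
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, username)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token_code_grant(self, client_id, redirect_uri, code):
        entry = self._codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return {"error": "invalid_grant"}
        return self._issue_token(entry[2])


def password_grant_app(server, username, password):
    """Anti-pattern: the native app draws its own login form and submits the password."""
    return server.token_password_grant(CLIENT_ID, username, password)


def browser_sso_app(server, username, password, injected_callback=None):
    """Browser-based SSO: the app opens the IdP in the system browser and never
    handles the password. `injected_callback` simulates a callback URL that did
    not originate from this app's own authorization request."""
    state = secrets.token_urlsafe(16)
    # The user authenticates in the browser; this call stands in for that round trip.
    callback = server.authorize(CLIENT_ID, REDIRECT_URI, state, username, password)
    if callback is None:
        return {"error": "access_denied"}
    if injected_callback is not None:
        callback = injected_callback
    params = parse_qs(urlparse(callback).query)
    # The app must only redeem codes from a request it started: check `state`.
    if params.get("state", [None])[0] != state:
        return {"error": "state_mismatch"}
    return server.token_code_grant(CLIENT_ID, REDIRECT_URI, params["code"][0])


def code_replay_is_rejected(server, username, password):
    """Redeeming the same authorization code twice must fail."""
    state = secrets.token_urlsafe(16)
    callback = server.authorize(CLIENT_ID, REDIRECT_URI, state, username, password)
    code = parse_qs(urlparse(callback).query)["code"][0]
    first = server.token_code_grant(CLIENT_ID, REDIRECT_URI, code)
    second = server.token_code_grant(CLIENT_ID, REDIRECT_URI, code)
    return "access_token" in first and second == {"error": "invalid_grant"}


if __name__ == "__main__":
    idp = AuthorizationServer()
    print("password grant:", password_grant_app(idp, "alice", "correct horse"))
    print("browser SSO:   ", browser_sso_app(idp, "alice", "correct horse"))
    print("replay blocked:", code_replay_is_rejected(idp, "alice", "correct horse"))
```

The point to take from the two client functions is what each one has to hold: `password_grant_app` must possess the user's password, `browser_sso_app` only ever holds a random `state` and a code bound to its own client id and redirect URI, and the server refuses that code a second time.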
Native Single Sign On
Diagram: Mobile Device running a Native App and a Native IdP App
OpenID Foundation is working on standardizing Native Single Sign On based on
OpenID Connect
Federated Single Sign On
Diagram: Mobile Device running a Native App and the Native Web Browser; Authorization Server (IdP) federating with two SAML2 IdPs
Federated Single Sign On with heterogeneous Authorization Servers
Diagram: Mobile Device running a Native App and the Native Web Browser; Federation Hub; Authorization Servers (IdP). Labelled components: 1 Native IdP Proxy App, 2 Native IdP App, 3 Native IdP App, 4 Native IdP App, 5 Native IdP App
Contact us!