CIS14: Mobilize Your Workforce with Secure Identity Services

© 2004-2012. Centrify Corporation. All Rights Reserved.
Secure Identity Services for Cloud and Mobile apps

Description

David McNeely, Centrify; Sumana Annam, Centrify

An in-depth discussion that outlines the common challenges enterprises face as they try to mobilize their existing applications, explains the many technical considerations organizations must address, shows how they can ensure user authentication and productivity by locking mobile users to a single corporate identity across all applications, and covers the code changes organizations need to consider.

Transcript of CIS14: Mobilize Your Workforce with Secure Identity Services

Page 1: Secure Identity Services for Cloud and Mobile apps

Page 2: Authentication Nirvana (Mobilized Enterprise)

• One identity and credential for Enterprise Users
• Protection of identity by Active Directory inside the Firewall
• User gets SSO to all enterprise applications (Native and Web)
• App Developer only needs to ask the platform for authentication and a security token for the backend
• IT controls app authentication and authorization

Page 3: Bring Your Own Device drives BYOApps

• Organizations are increasingly allowing employees to bring their own devices

Page 4: Bring Your Own Challenge #1: Mobility is here to stay

• BYOD means cloud apps and data are being accessed and stored on devices that are easily lost or stolen

Page 5: Bring Your Own Challenge #2: Multiple Passwords = Frustrated Users

• Helpdesk ticket volume is increasing, and IT satisfaction is decreasing, as password frustration builds
• Example: Passwords are used everywhere, cached and replayed on these devices
  • A periodic password change at the desktop typically locks the user's account
  • A device upgrade/migration requires re-entry of all passwords

Page 6: Bring Your Own Challenge #3: Business Data is at High Risk

• Multiplying business apps lead to password sharing and reuse, exposing corporate data to attacks
• Example: Users have bad password practices on mobile due to data entry difficulty
  • Users choose simple passwords, using their email address as identity
  • They use it everywhere (Google, corp email, LinkedIn, Evernote, Adobe, etc.)
  • A password breach on any one Service grants access to the other services
• Passwords are used in public places, increasing the risk of eavesdropping
• Example: the high resolution camera on the mobile device of the guy behind you can easily capture it

Page 7: Solutions

Page 8: Extend Identity Services to Mobile Platforms

Provide SSO by Leveraging Federated Identity
• Don't create a separate Identity in your service; accept Federated Identity
• Design mobile interfaces to seamlessly integrate with the Enterprise services

Containerize the environment to separate work from personal
• Protect work applications and data from data leakage
• Provide the laptop experience on mobile: unlock once and access all business apps

Page 9: Solution: Enterprise Integration

Page 10: Enterprise Identity for Mobile Users

Where users have one login ID and password, and IT has one Identity Infrastructure to manage.

[Diagram: End Users on Laptops, Smartphones and Tablets share one ID backed by Active Directory]

Page 11: Strengthen Security with Federated Identity

• Federated Identity ensures that users only need to use their AD userid/password
  • Only one password to remember
  • Password is protected by the Enterprise in AD
• AD-based federation provides several advantages for IT
  • Leverages existing account and password policies, simplifying management
  • Ensures that IT controls access, eliminating the risk of orphaned accounts

[Diagram: Federation Trust between the Cloud Proxy Server behind the Firewall and the IDP as a Service; user IDs stay in the enterprise]

Page 12: Solution: Containerization for Enterprise Mobile Apps

Page 13: Mobile Platforms are Increasingly Secure

• Mobile device manufacturers are improving security since they tightly control the mobile platform OS and Device
  • Device Integrity is constantly improving: iOS 7 & 8, Samsung KNOX
  • Per App VPN is now included
  • On-device data encryption is built in to protect data at rest
• Containerization is provided to protect Corporate Accounts, Applications and Data
  • iOS 7 & 8 provide "Managed Open In" as a virtual container for Managed Accounts and Managed Apps (installed by MDM)
  • Samsung KNOX provides an isolated environment to separate work from play
  • MDM APIs are improving for Enterprise use cases
• Enterprise SSO is provided to simplify user access to Enterprise Services as well as Enterprise applications
  • Centrify SSO on Samsung KNOX as well as Kerberos
  • Kerberos on iOS 7, cert-based Kerberos on iOS 8

Page 14: Samsung KNOX: Dual-Persona via Container

• Dual persona enables usage of the same app with different personalities
  • Personal Mail on the device, Business Mail in the container
  • Personal Box account on the device, Business Box account in the container

[Diagram: personal accounts (Mail, Gmail, Dropbox) live on the device; business accounts (Office 365, Box) live in the container]

Page 15: iOS 7: Offers Virtual Containerization

• Offers containerization via Managed Accounts and Managed Apps (configured and installed by MDM)
  • Managed Account profiles can be pushed as a policy to the device
  • Managed Apps can be silently installed
  • Managed "Open In" can be defined
  • "Single Sign On" configuration can be configured via MDM

Page 16: Mobile Platforms are Driving Higher Security

• Built-in data protection with disk encryption, trusted boot, secure credential storage, app isolation and containerization
• Fingerprint sensors on iPhone 5S and Galaxy S5 are configurable for device and container unlock
• Fingerprint unlocks access to strong credentials such as PKI certs

Page 17: Mobile Enterprise SSO: Best Practices and Examples

Page 18: Current Federation Authentication Experience

• Keep it simple. Today's approach to Federated authentication is too cumbersome:

1) App launches
2) Displays a login screen and an additional link for "Are you a Single Sign-On user?"
3) User clicks on it and is presented with a form for entering an email address
4) App then connects to the backend, redirects to the Enterprise IDP and opens a browser to present the IDP login screen
5) IDP displays the login screen asking for userid and password
6) IDP authenticates, generates a token, and provides the token back
7) App receives the token, closes the browser window, then provides access to the service

Page 19: Federated Auth for Mobile is too hard

Page 20: Use Enterprise SSO Service within Container

• Multi-application SSO installed into the Container (by IDP/MDM)
  • One SSO Registration for the Container
  • Whitelisted apps can use the Enterprise SSO Service
• The container provides Enterprise SSO as a Service
  • Identifies the authenticated user to the apps
  • Provides AD attributes of the user such as group memberships
  • Grants security tokens upon request for an authorized web app/service

[Diagram: a Samsung SE Android device with a KNOX Container holding Enterprise SSO, Mobile App 1 and Mobile App 2 (each with the Mobile Auth SDK), and a Personal App outside the container; a Cloud Proxy Server behind the Firewall and the IDP as a Service; the Web Application.
Step 1: Web Application Registration
Step 2: One time user authentication & Container registration
Step 3: Token Generation
Step 4: Token based Authentication]

Page 21: Android login Changes

• Demo
• Walk through of the code to use the Enterprise Authentication Services built into Samsung KNOX

Page 22: iOS login Changes

• iOS
  • For Non-SAML apps, in the login call, all that's needed is:

    // Ask the platform SSO service for the user logged into the container;
    // the result is delivered asynchronously to the handler.
    - (IBAction)getUserInformation:(id)sender {
        [EnterpriseAuthentication getUserInformation:^(CentrifySDKResult *result) {
            [self getUserInformationHandler:result];
        }];
    }

  • For SAML apps, the following API can be used with the Centrify App installed on the device:

    // <Target> is the registered web app/service the token is requested for;
    // alwaysUseFreshToken:NO lets the SSO service return a cached, still-valid token.
    - (IBAction)getAccessToken:(id)sender {
        self.accessToken = nil;
        [EnterpriseAuthentication getSecurityTokenForTarget:@"<Target>"
                                        alwaysUseFreshToken:NO
                                          completionHandler:^(CentrifySDKResult *result) {
            [self getSecurityTokenHandler:result];
        }];
    }

Page 23: iOS & Android Kerberos SSO

• Prerequisites: the KDC should be reachable, and Backend Services should have support for Kerberos
• SSO Profile:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
      <dict>
        <key>PayloadContent</key>
        <array>
          <dict>
            ……
            <key>Kerberos</key>
            <dict>
              <key>Realm</key>
              <string>CENTRIFY.COM</string>
              <key>URLPrefixMatches</key>
              <array>
                <string>https://bugzilla.centrify.com/</string>
              </array>
            </dict>
          </dict>
        </array>
      </dict>
    </plist>
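As an added example (not part of the slides or of Centrify's tooling), the following Python reads an SSO profile like the one above with plistlib and applies the checks an admin would want before pushing it: every URL prefix that triggers Kerberos must be https and end in a slash, and a URL is matched against the prefixes the way a plain prefix match behaves. The profile bytes are constructed here; Realm and URLPrefixMatches are the keys the slide shows, and the second, deliberately weak prefix is an assumption added for the demonstration.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed SSO profile modelled on the slide's fragment (the weak second
# prefix is added on purpose so the lint has something to find).
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>Kerberos</key>
      <dict>
        <key>Realm</key><string>CENTRIFY.COM</string>
        <key>URLPrefixMatches</key>
        <array>
          <string>https://bugzilla.centrify.com/</string>
          <string>http://wiki.example.test</string>
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>"""


def kerberos_payloads(profile_bytes):
    """Return the Kerberos dict of every payload in the profile that has one."""
    root = plistlib.loads(profile_bytes)
    return [p["Kerberos"] for p in root.get("PayloadContent", []) if "Kerberos" in p]


def lint_profile(profile_bytes):
    """Findings an admin should fix before pushing the profile; [] means clean.
    These rules are this example's own checks, not an Apple or Centrify spec."""
    findings = []
    for k in kerberos_payloads(profile_bytes):
        realm = k.get("Realm", "")
        if not realm or realm != realm.upper():
            findings.append(f"Realm {realm!r} should be the upper-case Kerberos realm")
        for prefix in k.get("URLPrefixMatches", []):
            if urlsplit(prefix).scheme != "https":
                findings.append(f"{prefix}: Kerberos SSO would be negotiated over a non-TLS URL")
            if not prefix.endswith("/"):
                findings.append(f"{prefix}: prefix should end with '/' so it stops at a host/path boundary")
    return findings


def sso_realm_for(profile_bytes, url):
    """Realm whose SSO applies to url under a plain string prefix match, or None."""
    for k in kerberos_payloads(profile_bytes):
        if any(url.startswith(p) for p in k.get("URLPrefixMatches", [])):
            return k["Realm"]
    return None
```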

Page 24: Ideal Solution

[Diagram: App1, App2 and App3 call the SSO Developer APIs; the SSO IdP Interface calls the IdP Provider API implemented by the Provider, which talks to the IdP; the Provider is configured through Config plists. The SSO layer is provided by the Mobile OS Provider; the Provider is provided by the IdP, aka Centrify]

Page 25: App Developer

• Standard API (SSO Developer API in the Diagram from Slide 5)
  • Get User Information: who is logged into the device
  • Get Security Token for the intended Service
  • Get Additional Attributes for the User from the IdP
• Token transport to the Service is handled by the application

Note: listed on the right-hand side are the APIs provided today in the Centrify SDK for iOS; listed here for reference.

Page 26: IdP Provider API

• IdP vendor provides a plugin to the SSO layer
• The defined API is the IdP-specific implementation of the developer SSO API
• Implementation is up to the IdP vendor

Page 27: Enterprise Admin

• Identity Provider config is supplied by SSO profiles (OTA or USB)
  • Can be pushed to the device via MDM or other mechanisms
• Most admin visibility is via the IdP backend
  • Not specified by SSO; up to the IdP implementer (either provider module or service)

Page 28: Mobile OS Platform

• SSO Developer API implementation
  • Interface layer that calls the configured IdP provider
• How do IdP provider plug-ins get into the system? The OS provides a dynamic way of loading the IdP plug-in (configured in the SSO profile)
• Providers need a way to share state across the apps that call them and the provider UI
  • SSO implies that user identity and other low-level state is shared
  • Big barrier to a nice iOS implementation today
• Providers need access to app signatures
  • So that they can safely whitelist apps
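A constructed model of the container-resident Enterprise SSO service from page 20 and the SSO Developer API proposed on pages 25 to 28, added here as an example that is not Centrify's SDK or any code from the proposed standard: apps are whitelisted by a hash of their signing certificate rather than by a self-declared name, the service returns the container's user and AD attributes, and it issues short-lived signed tokens only for registered web applications. The token format and the backend-side verify_security_token are this example's own assumptions, since the slides leave token transport and verification to the application and service.

```python
import hashlib
import hmac
import time


class EnterpriseSsoService:
    # Constructed model: one user registration per container, whitelisted apps only.
    def __init__(self, signing_key, now=time.time):
        self._key = signing_key      # shared with the web apps that verify tokens
        self._now = now
        self._user = None            # set once by the container registration (Step 2)
        self._whitelist = set()      # sha256 of the signing cert of each allowed app
        self._web_apps = set()       # targets registered with the service (Step 1)

    def register_web_app(self, target):
        self._web_apps.add(target)

    def register_container(self, user_id, ad_attributes):
        self._user = {"id": user_id, "attributes": dict(ad_attributes)}

    def whitelist_app(self, app_signature):
        self._whitelist.add(hashlib.sha256(app_signature).hexdigest())

    def _authorize_app(self, app_signature):
        # The provider checks the caller's code signature, not a name the app claims
        if hashlib.sha256(app_signature).hexdigest() not in self._whitelist:
            raise PermissionError("app is not whitelisted for Enterprise SSO")
        if self._user is None:
            raise PermissionError("container is not registered")

    def get_user_information(self, app_signature):
        """SSO Developer API: the container's user plus AD attributes such as groups."""
        self._authorize_app(app_signature)
        return {"id": self._user["id"], "attributes": dict(self._user["attributes"])}

    def get_security_token(self, app_signature, target, ttl=300):
        """Step 3: a signed, short-lived token bound to one registered target."""
        self._authorize_app(app_signature)
        if target not in self._web_apps:
            raise PermissionError(f"{target} is not a registered web application")
        body = f"{self._user['id']}|{target}|{int(self._now()) + ttl}"
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{mac}"


def verify_security_token(signing_key, token, expected_target, now=time.time):
    """Step 4 at the web application: the user id if the token is valid, else None."""
    try:
        user_id, target, exp, mac = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(signing_key, f"{user_id}|{target}|{exp}".encode(), hashlib.sha256).hexdigest()
    # Constant-time MAC check first; audience and expiry are only trusted once the MAC holds
    if not hmac.compare_digest(expected, mac) or target != expected_target or int(exp) < now():
        return None
    return user_id
```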

Page 29: Interested?

• We are working on this standard!
• If interested in contributing, reach out to: [email protected] or [email protected]

Page 30: Key takeaways

• Offer Federated Authentication Support in your application
• Do it the right way, with User Experience in mind
• Work with us on the Standard to drive Mobile OS vendors to provide token-agnostic and IDP-agnostic solutions

Page 31: Thank You

David McNeely, david.mcneely@centrify.com
Sumana Annam, sumana.annam@centrify.com

http://developers.centrify.com
http://www.centrify.com