CIS14: Mobilize Your Workforce with Secure Identity Services
Transcript of CIS14: Mobilize Your Workforce with Secure Identity Services
© 2004-2012. Centrify Corporation. All Rights Reserved.
Secure Identity Services for Cloud and Mobile apps

Authentication Nirvana (Mobilized Enterprise)
• One identity and credential for Enterprise Users
• Protection of identity by Active Directory inside Firewall
• User gets SSO to all enterprise applications (Native and Web)
• App Developer only needs to ask the platform for authentication and security token for backend
• IT controls app authentication and authorization

Bring Your Own Device drives BYOApps
• Organizations are increasingly allowing employees to bring their own devices

Bring Your Own Challenge #1: Mobility is here to stay
• BYOD means cloud apps and data are being accessed and stored on devices that are easily lost or stolen

Bring Your Own Challenge #2: Multiple Passwords = Frustrated Users
• Helpdesk ticket volume is increasing, and IT satisfaction is decreasing, as password frustration builds
• Example: passwords are used everywhere, cached and replayed on these devices
• Periodic password changes at the desktop typically lock the user’s account (the devices keep replaying the old cached password)
• Device upgrade/migration requires re-entry of all passwords

Bring Your Own Challenge #3: Business Data is at High Risk
• Multiplying business apps lead to password sharing and reuse, exposing corporate data to attacks
• Example: users have bad password practices on mobile because data entry is difficult
• Users choose simple passwords, using their email address as the identity
• They use it everywhere (Google, corporate email, LinkedIn, Evernote, Adobe, etc.)
• A password breach on any one service grants access to the other services
• Passwords are entered in public places, increasing the risk of eavesdropping
• Example: the high-resolution camera on the mobile device of the guy behind you can easily capture them

Solutions

Extend Identity Services to Mobile Platforms
Provide SSO by Leveraging Federated Identity
• Don’t create a separate identity in your service; accept Federated Identity
• Design mobile interfaces to seamlessly integrate with the Enterprise services
Containerize the environment to separate work from personal
• Protect work applications and data from data leakage
• Provide the laptop experience on mobile: unlock and access all business apps

Solution: Enterprise Integration

Enterprise Identity for Mobile Users
Where users have one login ID and password, and IT has one Identity Infrastructure to manage
[Diagram: End Users on Laptops, Smartphones and Tablets, all using one ID backed by Active Directory]

Strengthen Security with Federated Identity
• Federated Identity ensures that users only need to use their AD userid/password
• Only one password to remember
• Password is protected by the Enterprise in AD
• AD-based federation provides several advantages for IT
• Leverages existing account and password policies, simplifying management
• Ensures that IT controls access, eliminating the risk of orphaned accounts
[Diagram: a Federation Trust between the Cloud Proxy Server behind the Firewall and the IDP as a Service; the user’s ID flows through both]

Solution: Containerization for Enterprise Mobile Apps

Mobile Platforms are Increasingly Secure
• Mobile device manufacturers are improving security since they tightly control the mobile platform OS and Device
• Device Integrity is constantly improving – iOS 7 & 8, Samsung KNOX
• Per-App VPN is now included
• On-device data encryption is built in to protect data at rest
• Containerization is provided to protect Corporate Accounts, Applications and Data
• iOS 7 & 8 provide “Managed Open In” as a virtual container for Managed Accounts and Managed Apps (installed by MDM)
• Samsung KNOX provides an isolated environment to separate work from play
• MDM APIs are improving for Enterprise use cases
• Enterprise SSO is provided to simplify user access to Enterprise Services as well as Enterprise applications
• Centrify SSO on Samsung KNOX as well as Kerberos
• Kerberos on iOS 7, cert-based Kerberos on iOS 8

Samsung KNOX: Dual-Persona via Container
• Dual persona enables usage of the same app with different personalities
• Personal Mail on the device, Business Mail in the container
• Personal Box account on the device, Business Box account in the container
[Diagram: Office 365, Box, Mail, Gmail and Dropbox accounts split between the device and the container; the email addresses are redacted in the transcript]

iOS 7: Offers Virtual Containerization
• Offers containerization via Managed Accounts and Managed Apps (configured and installed by MDM)
• Managed Account profiles can be pushed as a policy to the device
• Managed Apps can be silently installed
• Managed “Open In” can be defined
• “Single Sign On” can be configured via MDM

Mobile Platforms are Driving Higher Security
• Built-in data protection with disk encryption, trusted boot, secure credential storage, app isolation and containerization
• Fingerprint sensors on iPhone 5S and Galaxy S5 configurable for device and container unlock
• Fingerprint unlocks access to strong credentials such as PKI certs

Mobile Enterprise SSO Best Practices and Examples

Current Federation Authentication Experience
• Keep it simple. Today’s approach to Federated authentication is too cumbersome:
1) App launches
2) Displays a login screen and an additional link for “Are you a Single Sign-On user?”
3) User clicks on it and is presented with a form for entering an email address
4) App then connects to the backend, redirects to the Enterprise IDP and opens a browser to present the IDP login screen
5) IDP displays the login screen asking for userid and password
6) IDP authenticates, generates a token and provides the token back
7) App receives the token, closes the browser window, then provides access to the service.

Federated Auth for Mobile is too hard

Use Enterprise SSO Service within Container
• Multi-application SSO installed into the Container (by IDP/MDM)
• One SSO registration for the Container
• Whitelisted apps can use the Enterprise SSO Service
• The container provides Enterprise SSO as a Service
• Identifies the authenticated user to the apps
• Provides AD attributes of the user such as group memberships
• Grants security tokens upon request for an authorized web app/service
[Diagram: Samsung SE Android with a KNOX Container holding Mobile App 1 and Mobile App 2 (each using the Mobile Auth SDK) and the Enterprise SSO service, a Personal App outside the container, the Firewall, the Cloud Proxy Server, the IDP as a Service, and the Web Application]
Step 1: Web Application Registration
Step 2: One-time user authentication & Container registration
Step 3: Token Generation
Step 4: Token-based Authentication

Android login Changes
• Demo
• Walk-through of code to use the Enterprise Authentication Services built into Samsung KNOX

iOS login Changes
• iOS: for non-SAML apps, in the login call, all that’s needed is:
    // Ask the platform who the signed-in enterprise user is; the handler receives the result.
    - (IBAction)getUserInformation:(id)sender {
        [EnterpriseAuthentication getUserInformation:^(CentrifySDKResult *result) {
            [self getUserInformationHandler:result];
        }];
    }
• For SAML apps, the following API can be used with the Centrify App installed on the device:
    // Request a security token for the target service (<Target> is the slide's placeholder);
    // alwaysUseFreshToken:NO is assumed to allow a cached, still-valid token to be reused.
    - (IBAction)getAccessToken:(id)sender {
        self.accessToken = nil;
        [EnterpriseAuthentication getSecurityTokenForTarget:@"<Target>"
                                        alwaysUseFreshToken:NO
                                          completionHandler:^(CentrifySDKResult *result) {
            [self getSecurityTokenHandler:result];
        }];
    }

iOS & Android Kerberos SSO
• Pre-requisites: the KDC should be reachable, and backend services should support Kerberos
• SSO Profile:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <!-- …… (other payload keys omitted on the slide) -->
          <key>Kerberos</key>
          <dict>
            <key>Realm</key>
            <string>CENTRIFY.COM</string>
            <key>URLPrefixMatches</key>
            <array>
              <string>https://bugzilla.centrify.com/</string>
            </array>
          </dict>
        </dict>
      </array>
    </dict>
    </plist>
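As an added example (not from the slides or Centrify's SDK), the Python below parses an SSO profile like the one above and decides which Kerberos realm, if any, applies to a request URL; the Realm and first prefix are the slide's, the second prefix and the slash-normalisation rule are assumptions noted in the code.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed profile modelled on the slide's fragment: Realm and the first prefix are the
# slide's; the second prefix is added to show slash normalisation; other payload keys omitted.
SSO_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array><dict>
    <key>Kerberos</key>
    <dict>
      <key>Realm</key><string>CENTRIFY.COM</string>
      <key>URLPrefixMatches</key>
      <array>
        <string>https://bugzilla.centrify.com/</string>
        <string>https://wiki.centrify.com</string>
      </array>
    </dict>
  </dict></array>
</dict></plist>"""

def kerberos_sso_accounts(profile_bytes):
    """Return [(realm, normalised prefixes)] for every Kerberos SSO payload in the profile."""
    accounts = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        krb = payload.get("Kerberos")
        if not krb:
            continue
        prefixes = []
        for prefix in krb.get("URLPrefixMatches", []):
            if not prefix.startswith(("http://", "https://")):
                raise ValueError(f"URL prefix must start with http:// or https://: {prefix}")
            # Assumed normalisation (matching Apple's documented rule): a prefix without a
            # trailing slash gets one, so "https://wiki.centrify.com" cannot match a
            # look-alike host such as "https://wiki.centrify.com.example.org".
            prefixes.append(prefix if prefix.endswith("/") else prefix + "/")
        accounts.append((krb["Realm"], prefixes))
    return accounts

def kerberos_realm_for_url(accounts, url):
    """Realm whose prefixes cover the request URL, or None (app falls back to its own login)."""
    if not urlsplit(url).path:
        url += "/"  # a bare origin is compared as "https://host/"
    for realm, prefixes in accounts:
        if any(url.startswith(p) for p in prefixes):
            return realm
    return None
```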

Ideal Solution
[Diagram: App1, App2 and App3 call the SSO Developer APIs; the SSO IdP Interface, provided by the Mobile OS Provider, invokes the IdP Provider API implemented by the IdP Provider (the IdP, aka Centrify) and configured through Config plists]

App Developer
• Standard API (SSO Developer API in the diagram from Slide 5)
• Get User Information: who is logged into the device
• Get Security Token for the intended Service
• Get Additional Attributes for the User from the IdP
• Token transport to the Service is handled by the application
Note: listed on the RHS are the APIs provided today in the Centrify SDK for iOS; listed here for reference.

IdP Provider API
• IdP vendor provides a plugin to the SSO layer
• Defined API is the IdP-specific implementation of the developer SSO API
• Implementation is up to the IdP vendor

Enterprise Admin
• Identity Provider config is supplied by SSO profiles (OTA or USB)
• Can be pushed to the device via MDM or other mechanisms
• Most admin visibility is via the IdP backend
• Not specified by SSO; up to the IdP implementer (either provider module or service)

Mobile OS Platform
• SSO Developer API implementation
• Interface layer that calls the configured IdP provider
• How do IdP provider plug-ins get into the system? The OS provides a dynamic way of loading the IdP plug-in (configured in the SSO profile)
• Providers need a way to share state across the apps that call them and the provider UI
• SSO implies that user identity and other low-level state is shared
• Big barrier to a nice iOS implementation today
• Providers need access to app signatures
• So that they can safely whitelist apps
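As an added illustration (not Centrify's SDK, KNOX or any Mobile OS code), this Python model of the container's Enterprise SSO service walks the four steps of the "Use Enterprise SSO Service within Container" slide and the App Developer API calls, and enforces the app-signature whitelist this slide asks the OS for; app ids, signing digests and the shared key are constructed placeholders, and HMAC-signed JSON stands in for the real SAML or Kerberos tokens.

```python
import base64, hashlib, hmac, json, time

class EnterpriseSSOService:
    """Simplified stand-in for the container's Enterprise SSO service (slide steps 1-4).
    Same trust model as the slide: one container registration, whitelisted apps,
    audience-bound short-lived tokens; the token format itself is a stand-in."""
    def __init__(self, app_whitelist, web_apps):
        self.app_whitelist = app_whitelist  # app id -> expected signing-certificate digest
        self.web_apps = web_apps            # Step 1: registered target URL -> key shared with IDP
        self.session = None                 # filled in once by Step 2

    def register_container(self, user, groups):
        """Step 2: one-time user authentication, shared by every whitelisted app afterwards."""
        self.session = {"user": user, "groups": list(groups)}

    def _check_caller(self, app_id, signing_digest):
        # The OS must expose the calling app's signature so the provider can whitelist safely.
        if self.app_whitelist.get(app_id) != signing_digest:
            raise PermissionError(f"{app_id} is not whitelisted for Enterprise SSO")
        if self.session is None:
            raise PermissionError("container is not registered")

    def get_user_information(self, app_id, signing_digest):
        """Developer API: identify the authenticated user and their AD group memberships."""
        self._check_caller(app_id, signing_digest)
        return dict(self.session)

    def get_security_token(self, app_id, signing_digest, target, now=None, ttl=300):
        """Step 3: issue a token bound to one registered web application (the audience)."""
        self._check_caller(app_id, signing_digest)
        if target not in self.web_apps:
            raise PermissionError(f"{target} is not a registered web application")
        now = time.time() if now is None else now
        claims = {"sub": self.session["user"], "groups": self.session["groups"],
                  "aud": target, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self.web_apps[target], body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

def verify_token(token, target, key, now=None):
    """Step 4: the web application checks signature, audience and expiry; None means reject."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["aud"] != target or claims["exp"] <= now:  # token for another service, or expired
        return None
    return claims
```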

Interested?
• We are working on this standard!
• If interested in contributing, reach out to: [email protected] or [email protected]

Key takeaways
• Offer Federated Authentication Support in your application
• Do it the right way with User Experience in mind
• Work with us on the Standard to drive Mobile OS vendors to provide token-agnostic and IDP-agnostic solutions
Thank You
David McNeely, david.mcneely@centrify.com
Sumana Annam, sumana.annam@centrify.com
http://developers.centrify.com
http://www.centrify.com