In the past Enterprise Mobility Management (EMM) has focused primarily on MDM, MAM and MCM. Recently there has been a lot of focus on the fourth pillar of EMM - Mobile Identity Management (MIM). This session will cover the primary use cases and discuss current solutions available for managed/un-managed, internal/public and mobile/web apps for iOS/Android devices.
2. What we will cover in this Session ?
2
1 Why is this important ?
2 What’s the current experience?
3 What’s the desired experience ?
What are my options ?
What’s the challenge ?
Q & A
4
5
6
10. Mobile App
• Click on Mobile App
• Enter server and user information. Tenant
discovery happens.
• Click login. Get redirected to login screen
(AD or else)
• Enter AD credentials (or local/MFA)
• You have access
Web App
• Open Mobile Safari
• Enter web url – e.g. https://
www.salesforce.com
• Click login. Get redirected to login screen
(AD or else)
• Enter AD credentials (or local/MFA)
• You have access.
10
11. Mobile App
• Start VPN app
• Start SecurID App.
• Enter SecurID pin.
• Enter SecurID passcode on VPN app
• Click on Mobile App
• Enter server and user information. Tenant
discovery happens.
• Click login. Get redirected to login screen
(AD or else)
• Enter AD credentials (or local/MFA)
• You have access
Web App
• Start VPN app
• Start SecurID App.
• Enter SecurID pin.
• Enter SecurID passcode on VPN app
• Open Mobile Safari
• Enter web url – e.g. https://
www.salesforce.com
• Click login. Get redirected to login screen
(AD or else)
• Enter AD credentials (or local/MFA)
• You have access.
11
16. Mobile SSO flow
1. User access Mobile App
2. App connects to server
3. Redirects to IdP
4. IdP authenticates via AD
5. IdP sends SAML back to App Server
6. App Server sends AT back to App
7. App uses AT to access
1
Mobile
App
Web
View
2
3
4
5
IdP
AD
6
7
App
Server
OAuth
AS
SAML
OAuth
17. Mobile SSO flow
1. User access Mobile App
2. App connects to server
3. Redirects to IdP
4. IdP authenticates via AD
5. IdP sends SAML back to App Server
6. App Server sends AT back to App
7. App uses AT to access
Mobile
App
Web
View
2
3
4
5
IdP
AD
6
7
Mobile
App
OAuth
AS
App
ServerSAML
OAuth
1
18. Mobile SSO flow
1. User access Mobile App
2. App connects to server
3. Redirects to IdP
4. IdP authenticates via AD
5. IdP sends SAML back to App Server
6. App Server sends AT back to App
7. App uses AT to access
Mobile
App
Web
View
2
3
4
5
IdP
AD
6
7
Mobile
App
OAuth
AS
App
Server
Challenges
• Authentication per mobile app
• No validation of access token
• No clean up of cached / offline data
OAuth
SAML
1
22. 1. User access Mobile App
2. App connects to server
3. Redirects to IdP
4. IdP sends 401 negotiate
5. iOS intercepts
6. On-demand VPN session
7. Sends Cert to KDC to get a ticket
8. IdP validates Kerb ticket
9. IdP sends SAML to App server
10. App server sends OAuth AT to App
Mobile
App
Web
View
2
3
4
5
IdP
Kerb
Adapter
AD
KDC
67
8
9
10
App
Server
OAuth
AS
Enroll your device
1
23. 1. User access Mobile App
2. App connects to server
3. Redirects to IdP
4. IdP caches the request
5. IdP connects with its agent
6. User authenticates
7. Sends token back to IdP
8. IdP sends SAML to App server
9. App server sends OAuth AT to App
1
Mobile
App
Web
View
2
3
4
5
IdP
6
7
8
App
Server
OAuth
AS
IdP
Agent
9
JavaScript trickery
24. 1. User access Mobile App
2. App RequestTokenAsync to Web
Account Manager (WAM)
3. WAM request token from registered
Web Account Provider (WAP)
4. WAP redirects to IdP
5. User Authenticates
6. IdP sends the token back to WAP
7. WAP sends the token to WAM
8. WAM returns RequestResult to App
9. App can access the resource 1
Mobile
App
23
4
5
IdP
6
7 8
App
Server
OAuth
AS
WAP
9
WAM
Web
View
Windows 10
25. 1
Mobile
App
2
4
5
IdP
AD
6
7
App
Server
OAuth
AS
NAPPS
Token
Agent
1. User access Mobile App
2. Mobile App requests ACDC token
3. TA gets its own AT/RT
4. IdP authenticates via AD
5. TA uses AT to get ACDC for Mobile App
6. TA passes ACDC to Mobile App
7. Mobile App uses ACDC to get its AT
8. App uses AT to access
OAuth
AS
3
8
28. Use System browser
Enroll your device
JavaScript trickery
Windows 10
NAPPS
Use Vendor SDK
Minimal code change. Can be implemented now.
No code change. Best experience. Requires MDM.
Cross platform. Open Standard. Still in spec stage.
No code change. Limited App support.
Only works for enterprise apps.
Platform specific. Not available now.