Mobile computing has grown at an unprecedented rate in recent years while innovations in identity and Single Sign-On (SSO) on mobile have lagged behind. We'll look at the state of mobile application SSO including applicable standards such as OAuth 2.0, OpenID Connect, etc., some best and worst practices in use today, and the availability of relatively new features in the major mobile operating systems that stand to improve the situation for developers and users alike. Bad jokes and gratuitous photographs will be liberally interspersed with actual content. About the presenter: As a Distinguished Engineer for Ping Identity, Brian Campbell aspires to one day know what a Distinguished Engineer actually does for a living. In the meantime, he's tried to make himself useful with little things like designing and building much of PingFederate, the product that put Ping Identity on the map. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee (SAML) and contributions to OAuth, JOSE and COSE in the IETF as well as OpenID Connect. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.

1. Mobile Single
Sign-On
Are we there yet?
BRIAN CAMPBELL
@__b_c

2. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 2
Formalities, Introductions, etc.
• No way this will take 90 minutes
• There should be food and beer
• Slides will be available
– at http://www.slideshare.net/briandavidcampbell
– & via https://twitter.com/__b_c
• 2 underscores +
• b +
• 1 underscore +
• c

3. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 3
Formalities, Introductions, etc.
• I’ve worked @ Ping Identity for over a decade
• Ping is a Denver based ‘startup’ solving
complex identity challenges
Tel Aviv

4. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 4
I should mention that…

5. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 5

6. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 6
• Disclaimers
– Views or opinions presented herein are solely my own
and do not necessarily represent those of the my
employer
– Wholly unqualified to talk about mobile
– Primarily do server side development
– And not even very much of that anymore
• So, um… WTF?
– Ping sponsored Denver Startup Week
– And I do use a mobile phone…
My ‘Safe Harbor’ Slide

7. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 7
Though not very well

8. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 8
But Sometimes…
An outsider’s perspective can help see where things just aren’t quite right

9. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 9
as demonstrated by a semi-contrived little story about me and my phone
Premise:
Single Sign-On just isn’t quite right
on mobile

10. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 10
I’m very busy and important
As you can
see by my
opulent travel
budget.

11. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 11
So, while I am one of those luddites who
still prefers a real computer for work,
sometimes I have to use my phone…

12. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 12
Just trying to join a meeting
while out on the road.

13. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 13

14. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 14

15. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 15

16. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 16

17. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 17

18. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 18

19. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 19

20. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 20

21. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 21

22. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 22

23. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 23

24. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 24

25. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 25

26. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 26

27. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 27

28. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 28
Please excuse any
intermittent time travel.
I had some technical
difficulties with
something called “focus”
and had to reshoot a few
images.

29. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 29

30. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 30

31. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 31
There’s my meeting!

32. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 32

33. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 33
(This happened on first use a
long time ago)

34. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 34

35. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 35

36. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 36

37. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 37

38. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 38

39. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 39

40. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 40

41. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 41

42. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 42

43. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 43

44. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 44

45. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 45

46. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 46

47. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 47

48. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 48
So…
What went wrong there?

49. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 49
What we want to happen
1. Be able to login to the
SaaS native applications
with existing Ping
credentials and not some
new login unique to each
SaaS

50. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 50
What we want to happen
1. Be able to login to the
SaaS native applications
with existing Ping
credentials and not some
new login unique to each
SaaS
2. Be able to access
multiple SaaS native
applications throughout
the day after only a single
authentication to Ping

51. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 51
What we want to happen
1. Be able to login to the
SaaS native applications
with existing Ping
credentials and not some
new login unique to each
SaaS
2. Be able to access
multiple SaaS native
applications throughout
the day after only a single
authentication to Ping
By combining
SAML & OAuth
protocols

52. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 52
What we want to happen
1. Be able to login to the
SaaS native applications
with existing Ping
credentials and not some
new login unique to each
SaaS
2. Be able to access
multiple SaaS native
applications throughout
the day after only a single
authentication to Ping
By combining
SAML & OAuth
protocols
Concur effectively
forgot that that I
had already
logged in

53. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 53
How did Concur forget?
1. When first logged in to Ping as part of accessing
the Webex app, a cookie was set in the browser
I was using.
2. That cookie acts as a record of the login. When
next seen by the authentication system, it won’t
prompt again for an explicit login (unless
expired)
3. When Concur needed me authenticated by
Ping, it used a different sort of browser, a
webview
4. Cookies aren’t shared across these two different
browser types
5. The cookie that was set earlier in the first
browser wasn’t available, so I was prompted
again to login

54. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 54
That’s what went wrong
Concur used a ‘webview’

55. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 55
Why Concur? Why?
• Until recently mobile app developers had only two choices for
displaying web content (such as login pages)
• The external system browser (e.g. Safari or Chrome) or a
webview, in which the web content appears as part of the
app’s own user interface
• System browser
– better security characteristics
– cookie sharing (and so SSO across apps)
• Webview
– better UX

56. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 56
• Behind the Scenes
– Web Single Sign-On
– OAuth 2.0 (ish)

57. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 57
Web Single Sign-On in one Slide
• Typically
– SAML 2.0
– OpenID Connect
• But also
– SAML 1.1/1.0
– OpenID 2.0
– WS-Federation
• And maybe
– Facebook Connect/Login
– Whatever Twitter does
– Various other non-standard
approaches
Identity
Provider
(IDP)
Service
Provider
(SP)
Web Single Sign-On
(SSO)

58. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 58
OAuth 2.0 in one slide
• client: An application obtaining
authorization and making
protected resource requests.
– Native app on mobile device
• resource server (RS): A server
capable of accepting and
responding to protected resource
requests (typically APIs).
• authorization server (AS): A
server capable of issuing tokens
after successfully authenticating
the resource owner and
obtaining authorization.
A few other OAuth terms
• Access token (AT) – Presented by client when accessed protected
resources at the RS
• Refresh token (RT) - Allows clients to obtain a fresh access token
without re-obtaining authorization
• Scope – A permission (or set of permissions) defined by the AS/RS
• Authorization endpoint – used by the client to obtain authorization
from the resource owner via user-agent redirection
• Token endpoint – used for direct client to AS communication
• Authorization Code – One time code issued by an AS to be
exchanged for an AT.
Client
Resource
Server
Authorization
Server

59. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 59
Web SSO + OAuth = Mobile SSO
Device
Native
App
System Browser
1
https:// Home Service
1
2
3
Authorization
Endpoint
Token
Endpoint
3
45
Enterprise or
Social Identity
Provider

60. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 60
(1) Request Authorization
• When user first needs to access some
protected resource (not logged in), the app
launches the system browser with an
authorization request
• ‘IDP Discovery’ can be done in the native
application
Device
Native
App
System Browser
1
https:// Home Service
1
Authorization
Endpoint
Token
Endpoint
Enterprise or
Social Identity
Provider
https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code
&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
A quick
note about
Apple…

61. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 61
(1a) PKCE
https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code
&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
• Proof Key for Code Exchange by
OAuth Public Clients
– PKCE, pronounced "pixy"
– Binds the code exchange to the authorization
request
– Newly minted RFC 7636

62. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 62
(2) Authenticate and Approve
• Redirect to IDP for SSO & Service Provider
is the SP
Device
Native
App
System Browser
https:// Home Service
2
Authorization
Endpoint
Token
Endpoint
Enterprise or
Social Identity
Provider
• User approves the
requested access
– (don’t skip this)

63. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 63
(3) Handle Callback
• Authorization server returns control to the
app using HTTP redirection and includes an
authorization code
– URI with a custom scheme registered to the app
• Reversed domain name as redirect_uri
scheme
– Resistant to accidental collisions
– Proof of domain ownership provides better recourse
against malicious collisions
Device
Native
App
System Browser
https:// Home Service
3
Authorization
Endpoint
Token
Endpoint
3
Enterprise or
Social Identity
Provider
HTTP/1.1 302 Found
Location: org.example.myapp://oauth.cb?code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4

64. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 64
(4) Trade Code for Token(s)
Device
Native
App
System Browser
https:// Home Service
Authorization
Endpoint
Token
Endpoint
4
Enterprise or
Social Identity
Provider
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
client_id=org.example.myapp&
grant_type=authorization_code&
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
code_verifier=7gEsCAcCLtCTbDl2fml2z
token endpoint request

65. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 65
(4a) PKCE Again
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
client_id=org.example.myapp&
grant_type=authorization_code&
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
code_verifier=7gEsCAcCLtCTbDl2fml2z
token endpoint request

66. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 66
(4b) Trade Code for Token(s)
Device
Native
App
System Browser
https:// Home Service
Authorization
Endpoint
Token
Endpoint
4
Enterprise or
Social Identity
Provider
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
client_id=org.example.myapp&
grant_type=authorization_code&
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
code_verifier=7gEsCAcCLtCTbDl2fml2z
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
{
"token_type":"Bearer",
"expires_in":3600,
"access_token":"PeRTSD9RltacecQriuFfsxV41”,
"refresh_token":"uyAVrtaccLZ2qPzI8rQ5ltckCdGJsz8XE58esc”
}
token endpoint request
token endpoint response

67. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 67
(5) Use Access Token
Authenticate/authorize calls to the
protected APIs by including AT in the
HTTP Authorization header
Device
Native
App
System Browser
https:// Home Service
Authorization
Endpoint
Token
Endpoint
5
Enterprise or
Social Identity
Provider
POST /api/update-status HTTP/1.1
Host: rs.example.org
Authorization: Bearer PeRTSD9RltacecQriuFfsxV41
Content-Type: application/json
{"status" :
"almost done with this presentation"}

68. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 68
Rinse and Repeat
• If All Goes well,
• And if not, HTTP 401
• Use the refresh token to get a new access token
• And if that doesn’t work or you don’t have a
refresh token, initiate the authorization request
flow again
HTTP/1.1 200 OK

69. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 69
Some Folks Like to …
Device
Native
App
System Browser
1
https:// Home Service
1
2
3
Authorization
Endpoint
Token
Endpoint
3
45
Enterprise or
Social Identity
Provider

70. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 70
… Use a Web-View
Device
Native
App
1
https:// Home Service
1
2
3
Authorization
Endpoint
Token
Endpoint
3
45
Web-View
Enterprise or
Social Identity
Provider
but…

71. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 71
The Web-View Anti-Pattern
• Usability Issues
– No shared context (cookie)
– Requires sign-in once per app even when web SSO is possible
• Security Issues
– Web-view typically isn’t sandboxed from invoking app so
credentials and authentication cookies can be stolen
– Requires/encourages users to enter credentials without the
address bar and associated visual cues of site authenticity
(HTTPS)
• Missing Features
– Some web-views unable to access to client certificates
– Generally unable to use password managers, etc.

72. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 72
Hope Springs Mobile
• Latest versions of iOS & Android add a
third option for displaying web content
– iOS 9 Safari View Controllers
– Android Chrome 45 Chrome Custom Tabs
• Both provide new browser window with security
advantages and shared context of the system
browser but UX comparable to webviews

73. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 73
Wait, what about OpenID Connect?
• A simple[sic] single sign-on
and identity layer on top
of OAuth 2.0
• Adds an ID Token (JWT)
for user authentication to
the client
• And a bunch of other
stuff

74. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 74
What about OpenID Connect?
• Great for the
web SSO part
• Can be layered
on the OAuth
part
Device
Native
App
System Browser
1
https:// Home Service
1
2
3
Authorization
Endpoint
Token
Endpoint
3
45
Enterprise or
Social Identity
Provider

75. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 75
Near Term Recommendations
• Use OAuth 2.0 + PKCE
– & maybe OpenID Connect
• Use Web SSO
• Prompt for user consent (every time)
• Use new View Controllers & Custom Tabs
– Fallback to using the System Browser
• Use a reversed Internet domain name in the
custom scheme for the callback URI

76. @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 76
Useful Links (1997 Style)
• Mobile SSO Developers Guide
– https://developer.pingidentity.com/en/resources/napps-native-app-sso.html
• OAuth 2.0 for Native Apps
– https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps
• JWT Library for Java/Android
– https://bitbucket.org/b_c/jose4j/
• An old blog post
– https://www.pingidentity.com/en/blog/2015/07/06/mobile_sso_are_we_there_yet.html

77. BRIAN CAMPBELL
@__b_c