13. Mobile SSO - Enterprise
Sascha Preibisch, Layer7
Similar Talk
http://www.slideshare.net/rnewton/xapp-sso-flascellescsa2013
Concept
Store ID Token in “Shared Keychain”
Only for iOS apps
Generate RSA key pair on client side (OPTIONAL)
Only for apps white-listed by the admin
“msso” scope for SSO-enabled ID Token
14. [Diagram: two apps, A1 and A2, on one device. Each app has its own Local Keychain holding its own Access Token; a Shared Keychain holds the ID Token. A1 receives ID Token + Access Token; numbered steps 1-5 show A2 reading the shared ID Token and obtaining its own Access Token.]
16. Mobile SSO - Device to Browser
George Fletcher, AOL
Similar Talk
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20121231/002768.html
Concept
“websso” scope
Down scope via token refresh
Pass an ID Token in native app to browser & skip login
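The two flows on slides 13 and 16 (shared-keychain SSO between two native apps, and down-scoping via refresh to hand an ID token to the browser) as an added example in Python. It is not Layer7's or AOL's code: the authorization server, the app names A1/A2, the in-memory keychains and the TTLs are assumptions; only the scope names "msso" and "websso" come from the talks.

```python
import secrets
import time

# Added example, not Layer7's or AOL's code. It models an authorization
# server (AS) that keeps every token it issues as an opaque reference, so it
# can validate tokens by lookup; the "shared keychain" is a dict standing in
# for an iOS keychain access group. The scope names "msso" and "websso" come
# from the talks; TTLs, token format and class names are assumptions.

ACCESS_TTL = 3600            # seconds
REFRESH_TTL = 30 * 86400
WEBSSO_TTL = 60              # browser hand-off token: short-lived, single use


class AuthorizationServer:
    def __init__(self, sso_apps):
        self.sso_apps = set(sso_apps)   # admin white-list of SSO-enabled apps
        self.tokens = {}                # opaque token value -> record

    def _issue(self, kind, sub, app, scope, ttl):
        tok = f"{kind}.{secrets.token_urlsafe(16)}"
        self.tokens[tok] = {"kind": kind, "sub": sub, "app": app,
                            "scope": frozenset(scope),
                            "exp": time.time() + ttl, "used": False}
        return tok

    def _grant(self, sub, app, scope, id_ttl=ACCESS_TTL):
        scope = frozenset(scope)
        return {
            "access_token": self._issue("at", sub, app, scope, ACCESS_TTL),
            "refresh_token": self._issue("rt", sub, app, scope, REFRESH_TTL),
            "id_token": (self._issue("id", sub, app, scope, id_ttl)
                         if "openid" in scope else None),
            "scope": scope,
        }

    def _valid(self, tok, kind):
        rec = self.tokens.get(tok)
        if rec is None or rec["kind"] != kind or rec["exp"] < time.time():
            raise PermissionError("invalid or expired token")
        return rec

    def login(self, user, app, scope):
        """Interactive sign-in inside a native app."""
        if app not in self.sso_apps:
            raise PermissionError(f"{app} is not white-listed")
        return self._grant(user, app, scope)

    def mobile_sso(self, id_token, app, scope):
        """A second app presents the ID token it found in the shared keychain."""
        rec = self._valid(id_token, "id")
        if app not in self.sso_apps:
            raise PermissionError(f"{app} is not white-listed")
        if "msso" not in rec["scope"]:
            raise PermissionError("ID token was not issued with the msso scope")
        # The second app gets tokens of its own; the first app's access token
        # never leaves its local keychain. Consent for the requested scope is
        # left out of the demo.
        return self._grant(rec["sub"], app, scope)

    def refresh(self, refresh_token, app, scope=None):
        """Refresh, narrowing the scope if asked; widening is refused."""
        rec = self._valid(refresh_token, "rt")
        if rec["app"] != app:
            raise PermissionError("refresh token belongs to another client")
        requested = frozenset(scope) if scope else rec["scope"]
        if not requested <= rec["scope"]:
            raise PermissionError("refresh cannot widen scope")
        # A websso ID token is a hand-off credential for the browser, so it is
        # short-lived and may be redeemed only once.
        id_ttl = WEBSSO_TTL if "websso" in requested else ACCESS_TTL
        return self._grant(rec["sub"], app, requested, id_ttl)

    def browser_login(self, id_token):
        """Web front end: turn a websso ID token into a session, no login page."""
        rec = self._valid(id_token, "id")
        if "websso" not in rec["scope"] or rec["used"]:
            raise PermissionError("not a fresh websso token")
        rec["used"] = True
        return {"user": rec["sub"], "session": secrets.token_urlsafe(16)}


def demo():
    """Run both flows; returns what each party ends up holding."""
    asrv = AuthorizationServer(sso_apps=["A1", "A2"])
    local = {"A1": {}, "A2": {}}   # per-app local keychains
    shared = {}                    # keychain access group both apps can read
    # (1) user signs in to A1; (2) A1 keeps its access token locally and
    # writes only the msso-enabled ID token to the shared keychain
    t1 = asrv.login("alice", "A1", ["openid", "msso", "websso", "profile"])
    local["A1"].update(access_token=t1["access_token"], refresh_token=t1["refresh_token"])
    shared["id_token"] = t1["id_token"]
    # (3) A2 finds the ID token, (4) exchanges it at the AS and (5) stores
    # its own access token, with no sign-in UI shown
    t2 = asrv.mobile_sso(shared["id_token"], "A2", ["openid", "mail"])
    local["A2"]["access_token"] = t2["access_token"]
    # device-to-browser: A1 refreshes down to a websso-only ID token and hands
    # it to the browser, which opens a web session without a login page
    t3 = asrv.refresh(local["A1"]["refresh_token"], "A1", ["openid", "websso"])
    session = asrv.browser_login(t3["id_token"])
    return {"as": asrv, "a1": local["A1"], "a2": local["A2"],
            "websso": t3, "session": session}
```

The two checks that carry the security are that only an ID token issued with "msso" can be redeemed by another white-listed app, and that a refresh may narrow scope but never widen it; the websso token is short-lived and single use because it crosses from the app into the browser.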
17. Auth @ Google - Next 5 Years
Eric Sachs, Google
Reference
https://docs.google.com/document/d/1r9qnZUehCbtkQR86Wp-sJR2Zu6sHx47queuqmegW2PY
Summary
20. Bad News
OpenID Migration is hard
Usability
Account linking issues
https://docs.google.com/document/pub?id=1O7jyQLb7dW6EnJrFsWZDyh0Yq0aFJU5UJ4i5QzYlTjU
Account Recovery is their Achilles' heel
21. Next 5 years
Setup, not Sign-in
Reduce Bearer Tokens
Smarter Hardware
Beyond Bootstrapping
Advanced Combination
25. Reduce Bearer Tokens
CookieID
Self-signed Cookie (probably, like self-issued IdP’s ID Token?)
http://tools.ietf.org/html/draft-balfanz-tls-channelid
Already available on Chrome
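What a cookie bound to a TLS Channel ID buys, as an added example that is neither Google's code nor the draft's: the TLS layer is simulated by treating the fingerprint of the client's per-origin key as the channel ID the server sees (the real extension has the client prove possession of that key with a signature in the handshake), and the cookie carries an HMAC over session id and channel id that the server recomputes against the channel the cookie actually arrives on. Function names, the key material and the sample keys are constructed.

```python
import hashlib
import hmac
import secrets

# Added example, not Google's or the draft's code. The TLS Channel ID
# extension is simulated: a "channel" is the fingerprint of the client's
# per-origin key, which the real handshake proves possession of. The cookie
# is bound to that channel with an HMAC, so a copy of the cookie presented
# over a different channel fails verification.

SERVER_KEY = secrets.token_bytes(32)   # constructed: server-side cookie MAC key


def channel_id_for(client_pubkey: bytes) -> str:
    """What the server's TLS stack hands the app layer: the client key fingerprint."""
    return hashlib.sha256(client_pubkey).hexdigest()


def mint_cookie(session_id: str, channel_id: str, key: bytes = SERVER_KEY) -> str:
    """cookie = session_id . HMAC(key, session_id || channel_id)"""
    tag = hmac.new(key, f"{session_id}|{channel_id}".encode(), "sha256").hexdigest()
    return f"{session_id}.{tag}"


def check_cookie(cookie: str, channel_id: str, key: bytes = SERVER_KEY):
    """Return the session id if the cookie was minted for this channel, else None."""
    try:
        session_id, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, f"{session_id}|{channel_id}".encode(), "sha256").hexdigest()
    return session_id if hmac.compare_digest(tag, expected) else None


def demo():
    """Legitimate use vs. replay of the same cookie from another channel."""
    alice_chan = channel_id_for(b"constructed-pubkey-of-alice-laptop")
    mallory_chan = channel_id_for(b"constructed-pubkey-of-attacker-box")
    cookie = mint_cookie("sess-42", alice_chan)
    ok = check_cookie(cookie, alice_chan)          # same client key: accepted
    replay = check_cookie(cookie, mallory_chan)    # exfiltrated cookie: rejected
    return ok, replay
```

The server never needs to store the channel id per session: it rebuilds the MAC from the connection it is looking at, so a cookie stolen through script injection, malware or a logging proxy is useless without the client's private key.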
31. Smarter Hardware
U2F (Universal Second Factor)
Open ecosystem of small robust “keychain devices”
FIDO Alliance
http://www.fidoalliance.org
32. OAuth & JOSE @ BlueButton+
Justin Richer, MITRE
Actual title was “Blue Button and Patient Health Records using OAuth, JOSE”
Reference
http://blue-button.github.io/blue-button-plus-pull/
Concept
OAuth 2.0 Dynamic Client Registration use-case
“Trusted Registration”
33. BlueButton
ref) http://www.healthit.gov/patients-families/blue-button/about-blue-button
“Blue Button” is a way for you to get easy, secure online
access to your health information.
...
America’s health care system is rapidly going digital, and
health care providers, insurance companies and others are
starting to give patients and consumers access to their
health information electronically through “Blue Button”.
34. BlueButton+ Pull API
OAuth2 API for RESTful access to patient data and bootstrapping DIRECT-based information exchange
ref) http://blue-button.github.io/blue-button-plus-pull/
36. Client “class” and “instance”
“class” is registered to the registry
Registration method is out of scope (e.g. manual)
Establish “registration_jwt” as a JWT Bearer token
“instance” is dynamically registered to the authorization server
OAuth 2.0 Dynamic Client Registration
“registration_jwt” token for “Trusted Registration”
38. Discovery
Registry Discovery @ Registry
Get Registry Endpoints, Public Keys etc.
Providers Discovery @ Registry
Get Trusted Providers List
Provider Discovery @ Provider
Get Single Provider Metadata
Apps Discovery @ Registry
Get Trusted Apps List
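The class/instance registration on slide 36 together with the discovery data on slide 38, as an added example that is not the BlueButton+ reference code: the registry signs a registration_jwt for a client class, an app instance presents it in a dynamic registration request, and the authorization server accepts only if the JWT verifies against the registry key obtained through registry discovery, the issuer is the trusted registry, and the class is on the trusted apps list. The registry key is modelled as an HMAC secret (HS256); a real registry would publish an asymmetric public key and sign with RS256/ES256. Claim names, URLs and the discovery documents are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Added example, not the BlueButton+ reference code. Registry signs a
# registration_jwt for a client *class*; an *instance* presents it to the AS;
# the AS checks signature (key from registry discovery), issuer, expiry and
# the trusted apps list before handing out a per-instance client_id.
# Simplification: HS256 with a shared secret stands in for the registry's
# published public key. Claim names and discovery documents are constructed.

REGISTRY_ISS = "https://registry.example"
REGISTRY_KID = "registry-2013-1"
REGISTRY_KEY = secrets.token_bytes(32)
# What "Registry Discovery" and "Apps Discovery" return (constructed):
REGISTRY_DISCOVERY = {"issuer": REGISTRY_ISS, "keys": {REGISTRY_KID: REGISTRY_KEY}}
TRUSTED_APPS = {"bb-viewer": {"client_name": "BB Viewer",
                              "redirect_uris": ["bbviewer://oauth/callback"]}}


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_sign_hs256(claims: dict, key: bytes, kid: str) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_verify_hs256(token: str, keys_by_kid: dict) -> dict:
    """Return the claims or raise ValueError; only HS256 with a known kid passes."""
    try:
        header_b, payload_b, sig_b = token.split(".")
        header = json.loads(_unb64url(header_b))
        sig = _unb64url(sig_b)
    except ValueError:          # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed JWT")
    if header.get("alg") != "HS256" or header.get("kid") not in keys_by_kid:
        raise ValueError("unsupported alg or unknown kid")   # 'none' lands here
    expected = hmac.new(keys_by_kid[header["kid"]],
                        f"{header_b}.{payload_b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b))
    if claims.get("exp", 0) < time.time():
        raise ValueError("registration_jwt expired")
    return claims


def registry_issue_registration_jwt(class_id: str, ttl: int = 30 * 86400) -> str:
    """Out-of-band step: the registry vouches for a client class."""
    app = TRUSTED_APPS[class_id]
    now = int(time.time())
    claims = {"iss": REGISTRY_ISS, "sub": class_id, "iat": now, "exp": now + ttl,
              "jti": secrets.token_urlsafe(8), "client_name": app["client_name"],
              "redirect_uris": app["redirect_uris"]}
    return jwt_sign_hs256(claims, REGISTRY_KEY, REGISTRY_KID)


class AuthorizationServer:
    """A trusted provider that accepts registry-vouched dynamic registration."""

    def __init__(self, registry_discovery: dict, trusted_apps: dict):
        self.registry_iss = registry_discovery["issuer"]
        self.registry_keys = registry_discovery["keys"]
        self.trusted_apps = trusted_apps
        self.clients = {}

    def register_instance(self, request: dict) -> dict:
        claims = jwt_verify_hs256(request["registration_jwt"], self.registry_keys)
        if claims.get("iss") != self.registry_iss:
            raise ValueError("registration_jwt not issued by the trusted registry")
        class_id = claims["sub"]
        if class_id not in self.trusted_apps:
            raise ValueError("client class is not on the trusted apps list")
        # an instance may only narrow what the registry vouched for
        redirect_uris = request.get("redirect_uris", claims["redirect_uris"])
        if not set(redirect_uris) <= set(claims["redirect_uris"]):
            raise ValueError("redirect_uri not allowed for this class")
        client_id = f"{class_id}.{secrets.token_urlsafe(8)}"   # per-instance id
        self.clients[client_id] = {"class": class_id, "redirect_uris": redirect_uris,
                                   "client_secret": secrets.token_urlsafe(24)}
        return {"client_id": client_id, **self.clients[client_id]}


def demo():
    asrv = AuthorizationServer(REGISTRY_DISCOVERY, TRUSTED_APPS)
    reg_jwt = registry_issue_registration_jwt("bb-viewer")   # shipped inside the app
    # two installs of the same class each get their own client_id and secret
    inst1 = asrv.register_instance({"registration_jwt": reg_jwt,
                                    "redirect_uris": ["bbviewer://oauth/callback"]})
    inst2 = asrv.register_instance({"registration_jwt": reg_jwt})
    return asrv, reg_jwt, inst1, inst2
```

The registration_jwt is baked into every copy of the app, so it proves only that the class is trusted; the per-instance client_id and secret issued at registration are what distinguish one install from another, and the instance is never allowed to claim metadata (here redirect URIs) beyond what the registry signed for the class.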