Android - SecureAuth
<strong>SecureAuth</strong> Corp<br />
Dec 06, 2012<br />
www.gosecureauth.com<br />
<strong>SecureAuth</strong> IdP for <strong>Android</strong><br />
© 2012 <strong>SecureAuth</strong>. All rights reserved.
Welcome to the <strong>SecureAuth</strong><br />
<strong>Android</strong> DevCon IV Preso<br />
Chris Hayes, <strong>SecureAuth</strong> Corporation<br />
Sr. Sales Engineer<br />
Garret Grajek, <strong>SecureAuth</strong> Corporation<br />
CTO/COO<br />
http://www.gosecureauth.com<br />
AGENDA<br />
1. <strong>SecureAuth</strong> IdP for <strong>Android</strong><br />
• Securing Existing Apps<br />
• Web, SaaS, Mobile<br />
• Portal<br />
2. <strong>SecureAuth</strong> IdP for Mobile (<strong>Android</strong>)<br />
• Securing NEW “Native” Mobile Apps<br />
• Native App – IdP, Integration<br />
• Q. & A.
Securing SaaS,<br />
Web, VPN resources<br />
on the <strong>Android</strong><br />
Platform
<strong>SecureAuth</strong> & <strong>Android</strong>: Access to the Enterprise<br />
(Diagram components: End User (Desktop or Mobile), Gateway, Web Apps, “Cloud” Apps, Directory, SIEMs (Logging))
What is Special about the<br />
<strong>Android</strong> App Platform<br />
• <strong>Android</strong> is Linux based<br />
• Code is Java Based<br />
• Most importantly:<br />
– Has own Java Virtual Machine (Dalvik)<br />
– Supports Interprocess Communication<br />
– Supports embedded browsers<br />
– Supports Communication to External Browsers
Why this is relevant<br />
• The <strong>Android</strong> OS is very conducive for<br />
supporting apps the way desktop computers<br />
have been deployed<br />
• Apps have a fully available virtual machine<br />
• With advanced libraries<br />
• Including crypto libraries<br />
• Code is in Java, then compiled to .DEX Files<br />
<strong>SecureAuth</strong> Takes advantage of <strong>Android</strong><br />
• <strong>SecureAuth</strong> has a unique<br />
– 2-Factor SSO Solution<br />
• Based on:<br />
– Target/Redirect W3C WorkFlow<br />
– Works for Web, VPN, SaaS<br />
• Can conduct a 2-Factor Authentication based on<br />
– X.509, SMS, Tele, E-mail, KBA, HelpDesk<br />
• Then Redirect to Target Application
<strong>SecureAuth</strong> Takes advantage of <strong>Android</strong><br />
All processes run in the Dalvik Virtual Machine
<strong>SecureAuth</strong> Takes Advantage of <strong>Android</strong><br />
With One Special <strong>Android</strong> Advantage:<br />
– Converts your pre-existing Web/SaaS app<br />
• To a One-Touch <strong>Android</strong> App<br />
– Downloadable APK<br />
• Can be pre-configured with Destination URL<br />
– User just clicks <strong>SecureAuth</strong> App<br />
• To start configurable authentication<br />
• One-Touch – no URL to configure<br />
• Completely Server Side configurable Authentication<br />
Lastly… <strong>SecureAuth</strong> Provides Bilateral<br />
Authentication<br />
• Bilateral Authentication (PKI)<br />
– Server validates User<br />
– User validates Server<br />
(Diagram: “Who are you?” asked in both directions)<br />
• What Technology Conducts User/Server Authentication<br />
– Public Key Infrastructure<br />
– Private/Public keys – utilizing X.509 v3 Certificates<br />
• <strong>SecureAuth</strong> has advantage on <strong>Android</strong><br />
– User does not need to understand PKI<br />
– User is not burdened with Pop-ups<br />
– Enterprise does not have to deal w/ Revocation Technology<br />
• Turns Existing Web/SaaS App<br />
– To a 1-Touch <strong>Android</strong> App<br />
• Supports:<br />
– <strong>Android</strong> 2.2, 2.3, 3.0, 3.1, 3.2, 4.0, 4.1, 4.2<br />
• Secure<br />
– Configurable Authentication (X.509, SMS, Telephony)<br />
– Unique Bilateral Authentication<br />
• PKI Based, Bilateral, Revocable<br />
• Utilizing Existing Infrastructure<br />
– Current Web Applications<br />
– Current Data Stores<br />
Demo
Securing Native<br />
<strong>Android</strong> Apps
<strong>SecureAuth</strong> IdP for Mobile<br />
Key Features:<br />
1. Tie Identity to Enterprise Data Store<br />
2. Conduct Relevant/Configurable Authentication<br />
3. Log the Authentication<br />
4. SSO into other apps (mobile and web)
<strong>SecureAuth</strong> IdP for Mobile<br />
1. Tie Identity to identity Stores<br />
User Native Directory:<br />
• AD, LDAP, SQL, etc<br />
• ID<br />
• Password<br />
• Profile Info<br />
• Groups
<strong>SecureAuth</strong> IdP for Mobile<br />
2. Configurable Authentication<br />
Configurable<br />
Authentication:<br />
• X.509 Cert<br />
• SMS<br />
• Telephony<br />
• E-mail OTP<br />
• KBA/KBQ<br />
• PIN<br />
• Password
<strong>SecureAuth</strong> IdP for Mobile<br />
3. Log the Authentication<br />
Log the Auth:<br />
• Local SIEM<br />
• Syslog<br />
• Reporting (full GUI)<br />
• Auditing<br />
• Text, Syslog
<strong>SecureAuth</strong> IdP for Mobile<br />
4a. SSO to Other Mobile Apps<br />
SSO to other mobile apps:<br />
• Identity token consumed by SA<br />
• Can provide SSO<br />
• Or Step-up Authentication<br />
• No thick client
<strong>SecureAuth</strong> IdP for Mobile<br />
4b. SSO to Browser Apps (Web/SaaS)<br />
SSO to other Browser Apps:<br />
• Identity token consumed by SA<br />
• SSO to:<br />
• Web Apps<br />
• Browser Apps<br />
• Revocable<br />
• Step-Up Authentication
Demo<br />
<strong>SecureAuth</strong> IdP for Mobile
<strong>SecureAuth</strong> IdP for Mobile<br />
Workflow/Secret Sauce:<br />
• Define a URL coding Scheme for your mobile app (iOS, <strong>Android</strong>)<br />
• Code for invoking/directing “native browser” to SA for authentication<br />
• <strong>SecureAuth</strong> IdP 2-Factor Authentication<br />
• SMS, Telephony, e-mail, KBA, Help Desk, X.509<br />
• Implant UBC after authentication<br />
• <strong>SecureAuth</strong> IdP Browser SSO (UBC)<br />
• Read UBC before conducting auth<br />
• <strong>SecureAuth</strong> IdP directs identity token back to Native Mobile App
Define Coding URL Scheme for Native App<br />
<strong>Android</strong>:<br />
… …<br />
iOS:<br />
Launch an External Browser<br />
<strong>Android</strong>:<br />
import android.content.Intent;<br />
import android.net.Uri;<br />
import android.os.Bundle;<br />
import android.view.View;<br />
import android.view.View.OnClickListener;<br />
import android.widget.Button;<br />
@Override<br />
protected void onCreate(Bundle savedInstanceState) {<br />
    super.onCreate(savedInstanceState);<br />
    …<br />
    Button button = (Button) findViewById(R.id.login_button);<br />
    button.setOnClickListener(new OnClickListener() {<br />
        @Override<br />
        public void onClick(View v) {<br />
            // ACTION_VIEW takes a Uri, not a String, so parse the IdP URL first<br />
            Intent i = new Intent(Intent.ACTION_VIEW,<br />
                Uri.parse("https://secureauth.mycompany.com/SecureAuth1/"));<br />
            startActivity(i);<br />
        }<br />
    });<br />
    …<br />
}<br />
iOS:<br />
- (IBAction) startLogin: (id)sender<br />
{<br />
    NSURL *url = [NSURL URLWithString:@"https://secureauth.mycompany.com/SecureAuth1/"];<br />
    [[UIApplication sharedApplication] openURL:url];<br />
}
Return Identity Token back to App<br />
<strong>Android</strong>:<br />
@Override<br />
protected void onNewIntent(Intent intent) {<br />
    super.onNewIntent(intent);<br />
    // The IdP's redirect to the app's URL scheme arrives as the intent's data Uri<br />
    Uri data = intent.getData();<br />
    if (data != null) {<br />
        String accessToken = data.getQueryParameter("UserID");<br />
        // Use the accessToken.<br />
    }<br />
}<br />
iOS:<br />
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url<br />
{<br />
    for (NSString *param in [[url query] componentsSeparatedByString:@"&"]) {<br />
        NSArray *parts = [param componentsSeparatedByString:@"="];<br />
        if ([parts count] == 2 && [[parts objectAtIndex:0] isEqualToString:@"UserID"]) {<br />
            NSString *accessToken = [parts objectAtIndex:1]; // Use the accessToken.<br />
        }<br />
    }<br />
    return YES;<br />
}
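A fuller Android version of the launch and callback steps on these slides, added here as an example and not SecureAuth's own code: it opens the external browser at the IdP URL from the slides and, on the custom-scheme callback, accepts only the registered scheme and host before reading the UserID parameter. The myapp://auth scheme and host, and the manifest intent-filter and launchMode they need, are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
// Added example, not SecureAuth's code. Assumes the manifest gives this Activity launchMode=
// "singleTask" and a BROWSABLE ACTION_VIEW intent-filter with scheme "myapp", host "auth" (placeholders).
public class LoginActivity extends Activity {
    private static final String IDP_URL = "https://secureauth.mycompany.com/SecureAuth1/"; // from the slides
    private static final String CALLBACK_SCHEME = "myapp"; // placeholder
    private static final String CALLBACK_HOST = "auth";    // placeholder

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Button button = new Button(this);
        button.setText("Login");
        button.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                // ACTION_VIEW takes a Uri, not a String, so parse the IdP URL first
                startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(IDP_URL)));
            }
        });
        setContentView(button);
        handleCallback(getIntent()); // the callback can also arrive on a cold start
    }
    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        handleCallback(intent); // singleTask: callback lands here while the app is running
    }
    private void handleCallback(Intent intent) {
        String userId = extractUserId(intent.getData());
        if (userId == null) return; // not a callback on the registered scheme/host
        // Use userId as a lookup key for a server-side session; the intent itself does
        // not prove who sent it, since any installed app can send a custom-scheme intent.
    }
    // Returns the UserID query parameter for a callback on the registered scheme
    // and host, or null when data is absent, on another scheme/host, or empty.
    static String extractUserId(Uri data) {
        if (data == null || !CALLBACK_SCHEME.equals(data.getScheme())
                || !CALLBACK_HOST.equals(data.getHost())) {
            return null;
        }
        String userId = data.getQueryParameter("UserID");
        return (userId == null || userId.isEmpty()) ? null : userId;
    }
}
```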
<strong>SecureAuth</strong> Contacts<br />
Contacts<br />
Who Title E-mail Phone<br />
Chris Hayes Sr. Sales Engineer chayes@gosecureauth.com +1.860.383.5907<br />
Garret Grajek CTO/COO ggrajek@gosecureauth.com +1.949.777.6970<br />
John Kolesar V.P of Sales jk@gosecureauth.com +1.248.760.4040<br />
<strong>SecureAuth</strong> Sales sales@gosecureauth.com +1.949.777.6959<br />
http://www.Go<strong>SecureAuth</strong>.com<br />
Thank you!
Additional Slides
HOW DOES SECUREAUTH IdP WORK<br />
1. Consume Identity<br />
• From varied resources, devices<br />
• Desktop, Mobile, Web SSO, AD SSO<br />
2. Map Identity<br />
• From varied resources<br />
• Map to relevant data store<br />
3. Authenticate<br />
• 2-Factor Authentication<br />
• SMS, Tele, X.509, PIN, Yubikey, KBA, E-mail, Help Desk<br />
4. Assert Identity<br />
• X.509<br />
• Web Identity<br />
• VPN, Web, SaaS, Mobile<br />
5. Log the event<br />
• Text, Syslog
Passwords Solved: <strong>SecureAuth</strong>/Google Integration<br />
(Diagram components: Browser, <strong>SecureAuth</strong> protected site, <strong>SecureAuth</strong>, Enterprise Directory (AD, LDAP, etc))<br />
• Browser redirects to enterprise-hosted <strong>SecureAuth</strong> URL<br />
• <strong>SecureAuth</strong> 2-Factor authenticates user<br />
• <strong>SecureAuth</strong> creates SAML token<br />
• <strong>SecureAuth</strong> returns encoded SAML response to browser<br />
http://code.google.com/apis/apps/sso/saml_reference_implementation.html
Secure IdP Construction<br />
Item Home Grown <strong>SecureAuth</strong><br />
Build WebServer (IdP) (Hardened Server, WebServer, Forms) Manual Automated<br />
Identity Authentication (AD SSO) Manual Automated<br />
SAML Assertion Manual Automated<br />
SAML Attributes Manual Automated<br />
X.509 Storage/Signed with Cert Manual Automated<br />
SSO Portal (SaaS, Web) Manual Automated<br />
Federate ID Mapping Manual Automated<br />
2-Factor Integration Manual Automated<br />
IdM tools (PWD reset, Help Desk, etc) Manual Automated<br />
Log Authentication Manual Automated<br />
Current Environment
<strong>SecureAuth</strong> IdP – Authentication “Volume Control”
<strong>SecureAuth</strong> IdP –<br />
2F/SSO for Cloud/Enterprise/Mobile<br />
<strong>SecureAuth</strong> Delivers:<br />
1. Multi-Factor<br />
Authentication<br />
2. IdP (SSO to cloud,<br />
web, gateways, mobile)<br />
3. IdM (Identity<br />
Management)<br />
Solve Your Cloud SSO w/ <strong>SecureAuth</strong> IdP<br />
(Diagram panels: Your Current Environment; With <strong>SecureAuth</strong> IdP)