SSP for web and hybrid mobile app?


Matt

Apr 6, 2016, 11:31:49 PM
to SimpleSAMLphp
We have a hybrid mobile app built on the IONIC framework. The mobile app is deployed for both Android and iOS. Currently the mobile app authenticates users through a basic login form which communicates with our servers via rest api.

We're looking to integrate SSO utilizing SAML so that users can be authenticated against multiple IDPs and created or updated via Just-in-Time Provisioning in both our web portal and our mobile app. I'm interested to know if anyone here has done something similar and/or has any pointers as we dive into this project. I know typically OAuth is recommended over SAML for mobile apps, but I don't think JIT provisioning is possible. Also, since we have both mobile and web, I was hoping that I can have one solution that handles both.

Peter Schober

Apr 7, 2016, 4:48:21 AM
to SimpleSAMLphp
* Matt <matt.j...@gmail.com> [2016-04-07 05:31]:
> We're looking to integrate SSO utilizing SAML so that users can be
> authenticated against multiple IDPs and created or updated via
> Just-in-Time Provisioning in both our web portal and our mobile
> app. I'm interested to know if anyone here has done something
> similar and/or has any pointers as we dive into this project. I know
> typically OAuth is recommended over SAML for mobile apps, but I
> don't think JIT provisioning is possible. Also, since we have both
> mobile and web, I was hoping that I can have one solution that
> handles both.

I don't think anything (or anything "good") exists in that space.
Not that the thousands of institutions running SAML IDPs (and SPs)
wouldn't like to see something usable and secure.

While OSU.edu has created an ECP client for such devices (not
available as Free Software), unless all the IDPs you want to federate
with have X.509 client cert authN configured (and can provision client
certs to their communities' devices; unless you're in .gov space that
set will probably be of size zero) ECP assumes HTTP Basic Auth on the
server, and last time I checked entering usernames and passwords
(every time the SSO session with the IDP expires) still sucked on
pocket calculator-style devices.

So usually if someone talks about authN for such devices people kind
of /assume/ (1) other session handling (more like long-term device
registration, with possible revocation later, if needed) and (2) other
authentication methods not involving repeated entering of passwords.

A common scheme seems to be to protect an OAuth2 endpoint of some kind
with SAML, and popping up a browser window of some kind (what Scott
Cantor rightfully called "the phishiest of all options") -- possibly
without even showing a location bar that would indicate where the
subject is sending their credentials to! -- and bootstrapping some
OAuth delegation stuff from that authenticated browser session.
(The sound you're hearing is me vomiting into a nearby trash can.)
There are attempts at making this less worse, by adding
"recommendations". Cf. the Security Considerations from this draft:
https://tools.ietf.org/html/draft-ietf-oauth-native-apps#section-5.1
https://tools.ietf.org/html/draft-ietf-oauth-native-apps#section-5.3

Others have come up with more creative methods, e.g. UMA.es has stood
up a web-based registration website (protected with a SAML2 SP), to be
used with an "ordinary" computer/browser using the Web Browser SSO
profile. AFAIU this works in a way that after login that web page
shows a QR code which you then scan using the pocket computer, thereby
registering the device and binding it to your authenticated web
session. (What's involved on the mobile device side I don't know.) On
that web site you can see the registered devices, when they were
registered, and can also revoke their access. (Not sure they're using
https://tiqr.org/ anywhere, or something else.)

-peter
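The "protect an OAuth2 endpoint with SAML and bootstrap a delegation from the browser session" scheme above, with the two mitigations the cited native-apps draft recommends (a system browser rather than an embedded web view, and PKCE so that an intercepted authorization code is worthless without the verifier), worked through as an added example. This is not code from the thread, SimpleSAMLphp, or any of the projects mentioned: both the app and the authorization server are simulated in one process, the SAML login in front of the authorize endpoint is assumed to have already happened (the authenticated subject is passed in directly), and every client id, redirect URI and endpoint is hypothetical.

```python
"""Added example (not from the thread): OAuth 2.0 authorization-code flow for a
public native client with PKCE (RFC 7636 S256). The authorization server is
assumed to sit behind a SAML SP; only what happens after the SAML login is shown.
No network I/O; both sides run in-process."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class NativeApp:
    """The mobile side. It is a public client: there is no client secret to embed."""

    def __init__(self, client_id: str, redirect_uri: str):
        self.client_id = client_id          # hypothetical registration
        self.redirect_uri = redirect_uri    # hypothetical app-claimed scheme
        self.pending = {}                   # state -> code_verifier, app memory only

    def build_authorization_url(self, authorize_endpoint: str) -> str:
        """URL to open in the *system* browser (not an embedded web view)."""
        verifier = b64url(secrets.token_bytes(32))   # 43 chars, inside RFC 7636 43..128
        state = b64url(secrets.token_bytes(16))
        self.pending[state] = verifier
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
            "code_challenge": s256_challenge(verifier),
            "code_challenge_method": "S256",
        }
        return f"{authorize_endpoint}?{urlencode(params)}"

    def handle_redirect(self, redirect_url: str):
        """Called when the OS hands the redirect URI back to the app."""
        q = parse_qs(urlparse(redirect_url).query)
        state = q.get("state", [None])[0]
        verifier = self.pending.pop(state, None)   # unknown or replayed state is rejected
        if verifier is None:
            raise ValueError("unknown or replayed state")
        return q["code"][0], verifier


class AuthorizationServer:
    """Server side, reached only through the SAML-protected authorize endpoint."""

    def __init__(self, registered_clients):
        self.registered = registered_clients   # client_id -> set of allowed redirect URIs
        self.codes = {}                        # code -> (client_id, redirect_uri, challenge, subject)

    def authorize(self, request_url: str, authenticated_subject: str) -> str:
        """The SP has already authenticated the browser session; issue a code."""
        q = parse_qs(urlparse(request_url).query)
        client_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
        if redirect_uri not in self.registered.get(client_id, set()):
            raise ValueError("redirect_uri not registered for this client")
        if q.get("code_challenge_method", [""])[0] != "S256":
            raise ValueError("PKCE with S256 is required for public clients")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = (client_id, redirect_uri, q["code_challenge"][0], authenticated_subject)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str):
        entry = self.codes.pop(code, None)     # a code is single use
        if entry is None:
            return None
        cid, ruri, challenge, subject = entry
        if cid != client_id or ruri != redirect_uri:
            return None
        if not secrets.compare_digest(s256_challenge(code_verifier), challenge):
            return None                        # holder of a stolen code lacks the verifier
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer", "sub": subject}


def run_flow(app, server, subject="alice@example.org", steal_code=False):
    """One complete exchange; steal_code=True models an attacker who captured the
    redirect (and thus the code) but not the verifier held in app memory."""
    auth_url = app.build_authorization_url("https://sso.example.org/oauth2/authorize")
    redirect = server.authorize(auth_url, subject)   # SAML login happens here in reality
    code, verifier = app.handle_redirect(redirect)
    if steal_code:
        verifier = b64url(secrets.token_bytes(32))    # attacker's guess
    return server.token(app.client_id, app.redirect_uri, code, verifier)


def demo():
    server = AuthorizationServer({"ionic-app": {"com.example.app://oauth2/callback"}})
    app = NativeApp("ionic-app", "com.example.app://oauth2/callback")
    return run_flow(app, server), run_flow(app, server, steal_code=True)
```

Note that the verifier never leaves the device until the token request, and the server binds the code to the exact redirect URI and client it was issued for; neither check helps if the login UI is an embedded web view whose location bar the user cannot see, which is the part the draft's section 5.1 addresses and no code on the server can fix.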

Matt

Apr 7, 2016, 11:08:56 AM
to SimpleSAMLphp, peter....@univie.ac.at
Peter, thanks for your quick reply! I just came across this repo: https://github.com/auth0/auth0-ionic , it mentions SAML...but I'm not sure what it would take to tie in with SSP...
I asked one of the contributors and they mentioned: "Auth0 will handle the "translation" between SAML and whatever your app is using. So this means you can use the above sample with ANY kind of identity protocol including SAML."

Peter Schober

Apr 7, 2016, 12:18:56 PM
to SimpleSAMLphp
* Matt <matt.j...@gmail.com> [2016-04-07 17:09]:
> Peter, thanks for your quick reply! I just came across this repo:
> https://github.com/auth0/auth0-ionic , it mentions SAML...but I'm
> not sure what it would take to tie in with SSP...

Not sure that helps much. The SAML protocol "terminates" at the
protected resource, with the Web Browser SSO Profile that's the SAML
SP, maybe running SimpleSAMLphp in a PHP-enabled web server (maybe
running a different SAML implementation).
What role your "app" plays here I couldn't say. If it's merely a
pimped/decorated web browser (or JS interpreter) and the resource is
still (on) a remote web server accepting SAML assertions in place of,
say, passwords, then SAML still only terminates at the SP. And with
encrypted SAML assertions no intermediate passing the message along
(such as a web browser or "app" acting in a comparable role) even has
access to the content of that assertion.
With ECP nothing changes here fundamentally, the ECP client merely
uses more stable (and appropriate, for programmatic handling) methods
to pass requests and responses between IDP and SP (using SOAP/PAOS
instead of HTTP redirects, etc.)

But as I said, I have no idea about "apps" or what it even means to
protect an "app" with a Web SSO protocol, etc.

But neither from the framework you're building your app with nor
from some hosted service that wants to play man in the middle with all
your subjects/users/customers do I see any relation to SimpleSAMLphp.
-peter
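The point that SAML terminates at the web SP, and the UMA.es-style device registration from the earlier reply, fit together: the app never needs to see an assertion if the SAML-authenticated web session mints a one-time registration token (the QR payload), the phone redeems it for its own long-lived device credential, and the portal lists and revokes devices. Below is an added example of that server-side logic, not code from UMA.es, tiqr, or SimpleSAMLphp; the portal URL, the attribute used as the subject, and the token lifetime are assumptions, and the QR rendering and the phone's storage of its credential are left out.

```python
"""Added example (not from the thread): one-time QR registration token bound to a
SAML-authenticated web session, exchanged for a revocable device credential.
The subject is assumed to be whatever attribute the SP exposes for the user
(hypothetical). In-process only; no network, no real QR code."""
import hashlib
import hmac
import secrets
import time


def _hash_secret(secret: str) -> bytes:
    # Store only a hash, so a leaked device table does not leak usable credentials.
    return hashlib.sha256(secret.encode("ascii")).digest()


class DeviceRegistry:
    """Lives on the SAML-protected portal. SAML terminates here; the phone only ever
    holds the device credential it is handed, never an assertion."""

    REGISTRATION_TTL = 120   # seconds the displayed QR code stays valid (assumption)

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # one-time token -> (subject, expiry)
        self.devices = {}    # device_id -> record

    def start_registration(self, subject: str) -> str:
        """Called from the browser session the SP authenticated; returns the QR payload."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = (subject, self.clock() + self.REGISTRATION_TTL)
        return f"https://portal.example.org/register?token={token}"   # hypothetical URL

    def redeem(self, qr_payload: str, device_name: str):
        """Called by the app after scanning. Returns (device_id, device_secret)."""
        token = qr_payload.rsplit("token=", 1)[-1]
        entry = self.pending.pop(token, None)     # consumed on first use, success or not
        if entry is None:
            raise PermissionError("unknown or already used registration token")
        subject, expiry = entry
        if self.clock() > expiry:
            raise PermissionError("registration token expired")
        device_id = secrets.token_urlsafe(16)
        device_secret = secrets.token_urlsafe(32)
        self.devices[device_id] = {
            "subject": subject,
            "name": device_name,
            "secret_hash": _hash_secret(device_secret),
            "registered_at": self.clock(),
            "revoked": False,
        }
        return device_id, device_secret

    def authenticate(self, device_id: str, device_secret: str):
        """What the REST API checks instead of a password. Returns the subject or None."""
        rec = self.devices.get(device_id)
        if rec is None or rec["revoked"]:
            return None
        if not hmac.compare_digest(_hash_secret(device_secret), rec["secret_hash"]):
            return None
        return rec["subject"]

    def list_devices(self, subject: str):
        """What the portal shows: the user's devices, when registered, revoked or not."""
        return [(did, r["name"], r["registered_at"], r["revoked"])
                for did, r in self.devices.items() if r["subject"] == subject]

    def revoke(self, subject: str, device_id: str) -> bool:
        rec = self.devices.get(device_id)
        if rec is None or rec["subject"] != subject:   # only the owner may revoke
            return False
        rec["revoked"] = True
        return True
```

The token in the QR payload is single use and short lived because anyone who photographs the screen within the window could register a device as that user; whether a second factor belongs on the redeem step is a policy decision the thread does not settle.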