AAI for Apps: Using AAI with your Smartphone
Daniel Latzer, Zürich, April 2013


© 2011 SWITCH

The Problem (slide 2)
– Smartphone apps have become very popular
– Universities want to develop their own apps
– There is no easy way to authenticate users in apps using AAI:
  – either the user has to log in on every app start,
  – or the app stores the user's credentials,
  – or the app emulates a browser and performs the login itself

The Solution: Mobile Proxy (slide 3)
– An OAuth2 authentication server
– The Mobile Proxy requests one initial AAI login per app
  – and creates an OAuth2 access token
– The access token is used to
  – authenticate with the Mobile Proxy,
  – retrieve up-to-date AAI attributes from the Mobile Proxy,
  – retrieve arbitrary protected resources from a third-party resource server
– The access token is valid for an extended period of time
  – no need to log in every time you use the app
  – it may be revoked using a separate web interface

OAuth2 (slide 4)
– A framework for logging in to a service using third-party credentials
– Exchanges user credentials for access tokens
  – the credentials do not need to be stored
  – an access token's permissions can be limited to what is necessary

Architecture (slide 5)
[Diagram; only its labels survive in the transcript: components AAI IdP, Mobile Proxy and Resource Server; flows AAI Login, Verify Login, AAI Attributes, Access Token and Protected Data.]

Login Flow (slide 6)
[Diagram not reproduced in the transcript.]

Redirection from Browser to App (slide 7)
– After the AAI login is complete, the IdP redirects back to the Mobile Proxy
– The Mobile Proxy then displays a page with a refresh header pointing to a custom URL scheme:
  – uniapp://{app-name}/{access_token}
  – e.g. uniapp://demo/4yCjmdDlCtb8eWNNnmdrVKH1Kq1To0dVMLvu
– The mobile app is designed to react to this URL scheme and is opened
– The access token is read out of the URL and stored in the app
– Login complete
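Both ends of the hand-off described above, as an added example that is not code from the slides or from the SWITCH Mobile Proxy: the proxy builds the refresh page only from validated values, and the app parses the uniapp:// URL strictly instead of taking whatever follows the last slash. The app-name allowlist and the token format (36 alphanumeric characters, the shape of the sample token on the slide) are assumptions.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Apps registered with the proxy (constructed for this example; a real proxy
# takes this from its app configuration).
KNOWN_APPS = {"demo"}
# Token format assumed from the sample token on the slide: 36 alphanumerics.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{36}$")


def build_redirect_page(app_name: str, access_token: str) -> str:
    """Proxy side: HTML page whose refresh header hands the token to the app."""
    if app_name not in KNOWN_APPS or not TOKEN_RE.match(access_token):
        # Never build a redirect from values that were not validated first:
        # the token is the only secret the app will ever receive.
        raise ValueError("unknown app or malformed token")
    target = f"uniapp://{app_name}/{access_token}"
    return (
        "<html><head>"
        f'<meta http-equiv="refresh" content="0;url={target}">'
        "</head><body>Login complete, returning to the app.</body></html>"
    )


def parse_app_url(url: str) -> Optional[Tuple[str, str]]:
    """App side: return (app_name, access_token) from a uniapp:// URL,
    or None if anything about the URL is not exactly what is expected."""
    parts = urlsplit(url)
    # Reject other schemes and any query or fragment: the proxy never sends them.
    if parts.scheme != "uniapp" or parts.query or parts.fragment:
        return None
    app_name = parts.netloc          # "{app-name}" part of the URL
    token = parts.path.lstrip("/")   # "{access_token}" part of the URL
    if app_name not in KNOWN_APPS or not TOKEN_RE.match(token):
        return None
    return app_name, token
```

Because a custom URL scheme is not reserved to a single app on the device, the app should treat the token as a secret from the moment it arrives, which is also why the proxy's revocation interface matters.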

Desktop Login Flow (slide 8)
[Diagram not reproduced in the transcript.]

AAI Attribute Query (slide 9)
– All SWITCHaai IdPs support stored persistentIDs
  – the persistentID is stored in a database with a mapping to the user's attributes
  – this allows getting the attributes of a user identified by a persistentID
  – the attribute query can be performed by the SP without user interaction
  – the query can only succeed if the user has accessed the service at least once
– How to make attribute queries
  – the resolvertest binary, bundled with Shibboleth, can be used to make attribute queries, but it is slow
  – the AttributeQuery plugin for Shibboleth 2.5, created by NII (GakuNin federation, JP), provides a handler to make fast attribute queries over the web:
    /Shibboleth.sso/AttributeQuery?nameID=....&entityID=....

Attribute Retrieval (slide 10)
[Diagram not reproduced in the transcript.]

Mobile Proxy Overview (slide 11)
– Features
  – lightweight OAuth2 server that maps an AAI Persistent-ID to an access token
  – provides a REST/JSON interface
  – web interface for revoking access for specific tokens
  – supports multiple apps with different attribute requirements
– Requirements
  – PHP 5.3
  – MySQL
  – Shibboleth 2.5
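The core of what the Mobile Proxy does, as an added example serving the two slides above (the attribute query handler URL and the token-to-Persistent-ID mapping); it is not code from the slides or from the PHP Mobile Proxy. The per-app attribute sets, the 90-day token lifetime and the in-memory store are assumptions standing in for the proxy's configuration and MySQL tables.

```python
import secrets
import time
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# Attributes each app may receive (constructed example of the slide's
# "different attribute requirements" per app).
APP_ATTRIBUTES = {
    "demo": {"givenName", "sn", "mail"},
    "library": {"mail", "eduPersonAffiliation"},
}
TOKEN_LIFETIME = 90 * 24 * 3600  # assumed "extended period": 90 days


def attribute_query_url(persistent_id: str, idp_entity_id: str) -> str:
    """URL of the SP-side AttributeQuery handler the proxy calls to refresh
    a user's attributes; both values are URL-encoded, never concatenated raw."""
    return "/Shibboleth.sso/AttributeQuery?" + urlencode(
        {"nameID": persistent_id, "entityID": idp_entity_id})


class TokenStore:
    """Maps opaque access tokens to (app, Persistent-ID) with expiry and revocation."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._tokens: Dict[str, dict] = {}

    def issue(self, app_name: str, persistent_id: str) -> str:
        if app_name not in APP_ATTRIBUTES:
            raise ValueError("unknown app")
        token = secrets.token_urlsafe(27)  # random, not derived from the ID
        self._tokens[token] = {"app": app_name, "pid": persistent_id,
                               "expires": self._now() + TOKEN_LIFETIME,
                               "revoked": False}
        return token

    def revoke(self, token: str) -> bool:
        """What the revocation web interface does for one token."""
        rec = self._tokens.get(token)
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def resolve(self, token: str) -> Optional[dict]:
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"] or rec["expires"] <= self._now():
            return None
        return rec

    def attributes_for(self, token: str, idp_attrs: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Filter freshly queried IdP attributes down to the app's allowed set."""
        rec = self.resolve(token)
        if rec is None:
            return None
        return {k: v for k, v in idp_attrs.items() if k in APP_ATTRIBUTES[rec["app"]]}
```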

Example App Overview (slide 12)
– Sample application that can be used as the basis for your own app
– Features
  – two login methods:
    – via the integrated mobile phone web browser
    – via a PC, to support alternative login mechanisms such as X.509; requires the user to type a URL and a code, or to use a QR code
  – retrieves up-to-date attributes from the IdP via the Mobile Proxy
  – retrieves application-specific data from a resource server
– Requirements
  – Android 2.2+

Availability (slide 13)
– Mobile Proxy and App were created as a proof of concept
– BSD License
– Webpage and additional information