You are here

Top 4 ways to add single sign-on to enterprise mobile apps

public://pictures/Matthew-David-Senior-Manager-Kimberly-Clarke.jpg
Matthew David, Senior Manager of Mobility Center of Excellence, Kimberly-Clarke

Single sign-on is not a new concept. Enterprises have been leveraging different technologies to deliver the promise of single sign-on, or SSO, for more than a decade. The fundamental approach to SSO today is to leverage Security Assertion Markup Language (SAML), an XML-based, open standard data package that authenticates a user between an identity provider and a service provider. SAML and first-generation SSO solutions work well for desktop computer authentication between websites, but mobile technologies add a layer of complexity that requires new SSO technologies.

The big step enterprises need to take is to move identity management from within the enterprise firewall and out to the cloud. The good news: Cloud services such as Microsoft’s Azure, Google Apps, and Amazon Web Services now support open standards such as OAuth 2.0, OpenID, and NAPPS. But there are also other interim options. This post rounds up the top four options for adding SSO to mobile today.

Understanding the problem with SSO on mobile

SAML and SSO providers in the early 2000s developed solutions primarily for Windows platforms (Active Directory federated services) that do not exist for iOS and Android. The problem for mobile is that the two leading technologies from Apple and Google do not have the same proprietary technologies. Mobile apps are not websites. Rather, each app on a mobile device is a package that sits outside of the web, meaning SAML authentication does not work effectively.

The quick solution is a virtual private network. VPNs are easy for administrators to implement for iOS, but Android is a little more difficult and requires VPN vendor support. Activating VPN forces a user ID and password prompt when accessing services behind a company firewall. The challenge, however, is that each site and service requires authentication. The result is a solution that is cumbersome for end users to use.

Leveraging MDM and EMM providers

An existing alternative to VPNs is mobile device management (MDM) and enterprise mobile management (EMM) services such as MobileIron, AirWatch, and MaaS360. The tools have been around for some years with a particular focus on securing mobile devices. The MDM provider routinely checks in with a device, tying each test to a given ADFS/LDAP account managed by the MDM software.

The MDM provider can grant certificates to the smartphone or tablet, and the result provides an authentication passthrough for solutions such as email, calendar, and contacts. Can a similar authentication method be used for all apps on a device? To a certain degree. The challenge is that certificates need to be generated and managed by all sites, mobile apps, and services. Also, the phone must have the MDM software installed. Contractors, partners, and anyone who is not an employee must also have the MDM software.

But providing certificates of every service can be difficult, costly, or even impossible to do (a third party may already use their MDM software, and a device cannot have two or more MDM providers).

[ Get up to speed on quality-driven development with TechBeacon's new guide. Plus: Download the World Quality Report 2019-20 for lessons from leading organizations. ]

The top four options for delivering SSO to mobile devices

1. Work with OAuth 2.0

Twitter, Google, Facebook, and Microsoft are among the companies that use OAuth 2.0 and the following authentication services to make it easy to switch between apps on a mobile device. The authentication is accomplished through an authentication server that issues a token from a known resource. The token can then be used to provide secure access to protected data/objects on an HTTP server. The solution works very well for cloud and public domain services, as it has broad support from leading suppliers.

OAuth 2.0 was designed primarily to provide a smooth flow of resource authentication between websites and PC solutions. The restriction is that only one site at a time can effectively use OAuth.

2. Use OpenID

OpenID is a way to resolve the single-site restriction imposed by OAuth 2.0. As with OAuth, OpenID is supported by all leading authentication providers, such as Microsoft, Google, Facebook, and Twitter. OpenID allows one set of user credentials to access multiple sites. For instance, a Google ID and password can be used to access all of Google’s services. Similarly, a company can use OpenID with OAuth 2.0 to connect a user account from the web, desktop, or mobile to all services using the same authentication. This can include custom solutions, APIs, Office 365, and other third-party, off-the-shelf-solutions. Additional information is available on the OpenID site.

[ Get up to speed with TechBeacon's Guide to Software Test Automation. Plus: Get the Buyer’s Guide for Selecting Software Test Automation Tools ]

3. Apply token-based authentication with OpenID Connect and NAPPS

Another step needed to make seamless SSO for mobile is to add OpenID Connect and NAPPS. OAuth 2.0 and OpenID enable authentication of an account but do not provide profile information on that account. OpenID Connect is an additional layer that compiles profile information into a valid JSON packet. The final step is to implement Native Application Profile (NAPPS), considered a game-changer that makes it much easier to provide true SSO to mobile devices. OpenID manages NAPPS as an open source project.

4. Extend beyond SSO 

Authentication is becoming more complex and easier at the same time. The increasing number of cloud service and mobile devices adds complexity to our digital lives, with each new technology providing an opportunity to steal an ID. But SSO is becoming easier with authentication technologies such as Apple’s TouchID. TouchID is built into iOS for the iPhone 5S and later devices. TouchID is essentially a thumb/fingerprint. Apple has released TouchID as a framework that developers can now incorporate into their applications. In this way, SSO can be set up to require only a thumbprint. Easy for customers and extremely secure for solutions.

SSO no longer a 'nice to have'

The value of implementing SSO for mobile cannot be understated. The solutions discussed here build on each other to provide a more comprehensive set of tools that accurately identifies users as they log onto a solution. Today, mobile is a term used for phones and tablets, and it's also the foundation for emerging technologies such as smart TVs (Android TV, Web OS 3.0, and TVos), wearables (Android Wear, Tizen, and WatchOS), and IoT (Brillo, HomeKit, and Windows). Phone, tablet, TV, and all IoT solutions will require secure authentication that is easy to implement.

[ Learn how to apply DevOps principles to succeed with your SAP modernization in TechBeacon's new guide. Plus: Get the SAP HANA migration white paper. ]