Header Image

Mobile Single Sign-On

The Opportunity: Maximizing Productivity Through Enterprise Apps

 

The ubiquity of smartphones and mobile devices in the workplace has presented enterprises with incredible opportunities for maximizing productivity. By creating mobile apps that allow access to backend systems, enterprises can empower their employees to leverage mission-critical application functionality and data anywhere, at any time, from any device. 

 

The Challenge: Building Security into Mobile Apps

 

With these opportunities come security risks, particularly in BYOD (“bring-your-own-device”) scenarios. Enterprises need to deploy identity and access management (IAM) systems able to ensure their apps are only being used by authorized personnel and that these individuals are receiving appropriate levels of access to sensitive on-premise resources.

There are many enterprise-level IAM technologies already on the market but few of them cater to the specific security requirements of mobile apps and BYOD. Enterprise mobile deployments have a number of unique risks associated with them that can only be addressed through a specifically mobile-centric approach to IAM:

  • Conventional username-and-password approaches are unsuitable, as typing passwords on mobile devices is cumbersome and – in-effect – less secure
  • The risk of devices being lost or stolen is much greater with smartphones and tablets than it is with desktop computers or even laptops
  • Mobile devices are used in an unusually wide range of different contexts and enterprise systems may require a different level of trust for each of these contexts

 

The Solution: SSO with Client Libraries & a Mobile Access Gateway

 

These risks can be addressed by deploying an enterprise-grade solution for mobile Single Sign-On (SSO). The ideal solution for enterprise mobile SSO should simultaneously simplify and secure the process through which apps require users to sign in to the enterprise, by leveraging the strong authentication capabilities inherent to mobile operating systems. 

Layer 7 offers a complete, standards-based and proven solution for simplifying enterprise-level mobile security through SSO. This mobile SSO solution uses OAuth 2.0, OpenID Connect and PKI standards to leverage existing enterprise IAM investments. Communication is secured through Layer 7’s Mobile Access Gateway, via client-side libraries.

 

 

The Mobile Access Gateway is lightweight, low-latency mobile middleware that solves critical, mobile-specific identity and security challenges. The Gateway now ships with a Mobile SDK, which makes it simple for enterprise app developers to implement mobile SSO for iOS and Android devices.

SSO is implemented via Layer 7’s Management API, which simplifies the development process by abstracting the complex OAuth/OpenID Connect protocol flow between mobile device and Gateway. For maximum security, communication is secured through the Gateway via mutual SSL configuration.

 

The Layer 7 Value: End-to-End Security for Mobile Apps

 

Mobile SDK

  • Client-side libraries, code examples and documentation to help developers simplify implementation of SSO
  • Ability to leverage device OS security to create a secure SSO container
  • Standards-based security flows based on OAuth 2.0, OpenID Connect and PKI
  • Single API call to leverage cryptographic security (mutual SSL)
  • PKI provisioning with secure transfer, storage and pinning of certificates, adding additional trust to authentication verification
 

Multi-Layer Security

  • Optional configuration of manual step in registration flow for added identity verification
  • Policy configured per app, user or device to tailor use cases 
 

Validation of User, App & Device Identity

  • OAuth access token granted for each app
  • OpenID Connect user token granted for user and basis of SSO session
  • PKI provisioning for certificate‐based validation of device
 

Lost Device Tracking & Blockage

  • Track device activity (failed/successful) authentications
  • Track device location through GPS data or network services
  • Revoke access to user, device and apps from admin view
 

Integration with Existing Backend Identity Management Systems

  • Extend CA SiteMinder directory service to mobile clients
  • Integrate into Microsoft-based security through Active Directory, ADFS and Claims
  • Integrate with Oracle Access Management
  • Leverage LDAP directory services for client without custom client
 

Best-of-Breed User Experience

  • Minimal password typing
  • Consistent UI for all enterprise apps across devices 
  • Transparent view of authorizations
  • Self-service portal for managing devices and apps

  

Solution Brief

Data Sheet

Single Sign-On for Mobile

Read the solution brief >>

Mobile Access Gateway

Download the data sheet >>