TNC16 Conference
GEANT logo
Announcements |   placeholder

10 - Federated login to native applications - the right way

Sebas Veeke (SURFnet)

SURFnet and many other NREN’s use web-based protocols such as SAML 2.0 for their authentication and authorisation infrastructure. Although this makes for a great and secure user experience on the web, it is difficult to apply this method to native non-web applications, e.g. due to the HTTP-redirects used by SAML. These native applications are typically designed for a specific operating system and often do not support federated login. Because there is no generic cross-operating system solution available, developers implement various workarounds such as embedded browsers and application-specific credentials. These methods are undesirable from a security standpoint or due to usability. Because of the abstinence of an address bar in these workarounds, users cannot verify if the website is secure and authentic. Moreover, when a Service Provider or developer uses application specific credentials, the Identity Provider credentials are often reused. The user’s credentials should never be reused or leave the Identity Provider so third parties won’t be able to intercept these. SURFnet and Egeniq have examined this topic in order find the best method available. We concluded that browser redirection (Windows, Android and OS X) and Safari View Controller (iOS) were the best methods to use. With this in mind, we build easy-to-use software development kits that enable developers to implement federated login in their applications. The first part of the presentation focuses on the findings in the examination and the different methods for using the system browser to login in native applications. The second part focuses on the considerations and choices we made and the software developments kits we created. We conclude the presentation with a demonstration of federated login to native applications on a mobile device (Android or iOS) and the opportunity to ask questions.

Download file