5 Ways to Implement SSO with Mobile Applications

An average enterprise user accesses 6 to 8 password-protected systems every day. Identity management controls such as single sign-on (SSO) and multi-factor authentication (MFA) protect those users and the mobile applications they work in. In this blog post, I’ll explain what those controls are and lay out five options to consider when implementing SSO for integrated and standalone mobile applications.

The simple combination of a user ID and password that is the foundation of many organizations’ user authentication is no longer good enough to prevent data loss or exposure. In 2017 OWASP published the Top 10 Web Application Security Risks; number two on that list (A2:2017) was Broken Authentication. In short, Broken Authentication covers weaknesses in login and session handling that let attackers take over accounts, whether by guessing or stuffing passwords or by stealing and replaying session tokens, and so reach an organization’s most sensitive data.

As most readers of this article are aware, an agile and reliable security framework, one that considers the needs of both the organization and the employee while removing friction from simple tasks, has become even more necessary now that current world events have shifted a large share of corporate work to remote offices. Enter single sign-on (SSO) and multi-factor authentication (MFA).

SSO has been around for many years, and there are several standard tools and techniques for implementing it in web-based systems. Based on our interactions with customers over the past couple of years, I have noticed a lot of confusion around the options available for implementing an SSO solution for mobile applications.


In this article, we will explain exactly what SSO and MFA are and what they offer, and then show you five ways to implement SSO with mobile applications.

Individually or coupled, SSO and MFA are pieces of your organization’s Identity and Access Management (IAM) framework, which manages digital identities and user access to data, systems, and resources within the organization.

Single Sign-On (SSO)

  • What is SSO?

    An authentication scheme that lets a user log in once, with a single set of credentials, and then reach every application, data set, and website that the user’s account is authorized for.

  • How is it used?

    Single sign-on relies on federated identity, the sharing of identity attributes across systems that trust one another but are otherwise autonomous. Once one system (the identity provider) has authenticated you, every other system that trusts that provider accepts its assertion of who you are, so you no longer juggle a separate password for each system.

  • Why is it important?

    SSO eliminates password fatigue, removes user friction by simplifying authentication, improves identity protection, speeds up access, reduces help desk workload, and reduces security risk for customers, vendors and partner entities. The flip side is that the one credential now unlocks everything, which makes it a high-value target; that is why SSO is normally paired with MFA.

Multi-Factor Authentication (MFA)

  • What is MFA?

    An authentication method that requires two or more independent proofs of identity before granting access, drawn from the categories of what you know (a password or PIN), what you have (a phone, smart card or hardware token), and what you are (a biometric).

  • How is it used?

    Implemented so that users authenticate with MFA into SaaS apps, on-prem legacy apps, VPNs and so on, to safeguard credentials and protect your users against social engineering (phishing and spear phishing) and automated password attacks (brute force, password spray and credential stuffing). Not every second factor resists phishing equally: SMS and one-time codes can be relayed through a real-time phishing site, whereas FIDO2/WebAuthn security keys bind the login to the site’s origin and cannot be.

  • Why is it important?

    MFA sharply reduces the risk from compromised passwords and is a proven way to lessen the likelihood of a data breach. According to research Google published in May 2019, an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks on Google accounts; on-device prompts did better still, blocking 100%, 99% and 90% respectively.

Now that we have a better understanding of what these solutions are and why they matter, let’s dive into five options for implementing one of them, single sign-on, in your mobile applications.

SSO Options for Integrated Mobile Applications

Many mobile applications integrate with back-end enterprise systems: they read, write, and modify the data held in the back-end system. Access to that system and its data is governed by the level of access the user has to the back-end functionality and data, so the mobile application has to use the same user security model to reach the back-end system.

In this scenario, the recommended approach is to rely on the back-end system, such as JD Edwards, for user authentication. The mobile application passes the user’s credentials over TLS to a Web API exposed by the back-end system, which takes responsibility for authenticating the user against a user repository such as Active Directory. In addition to authenticating the user, the back-end system authorizes the user against its own security model and returns role-based permissions to the calling mobile application, so the complexity of user security administration is kept out of the mobile application. The credentials should be exchanged once for a short-lived session token that the app keeps in the platform’s secure storage (the iOS Keychain or Android Keystore-backed storage) and presents on subsequent calls; the password itself should never be cached on the device.

Here are the two most common implementation options specific to JD Edwards.

Option 1: Authenticate against LDAP through the JD Edwards AIS Server

  • Enable LDAP support in JD Edwards EnterpriseOne
  • Configure the mobile application to access JD Edwards via the Application Interface Services (AIS) Server
  • Pass the user’s credentials securely to the AIS Server, which authenticates the user against the LDAP server

The following graphic illustrates this option at a very high level:

[Graphic: Single Sign On Mobile Applications, Option 1]

Option 2: Implement JD Edwards SSO using an enterprise-wide or JD Edwards-specific SSO platform

Configure the mobile application to access JD Edwards via the SSO system, which authenticates the user.

The following graphic illustrates this option. The mobile application side is very similar to Option 1; the difference is that the back-end server now delegates authentication to a dedicated identity provider.

[Graphic: Single Sign On Mobile Applications, Option 2]
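The back-end pattern behind Options 1 and 2, as an added example that is not JD Edwards, AIS or identity-provider code: the mobile app presents the user’s credentials once, the back-end checks them against a directory (here a constructed in-memory stand-in for LDAP/Active Directory), decides roles from its own security model, and returns a short-lived signed session token together with the resulting permissions; every later API call is authorized from the token alone, so the device never stores or re-sends the password. All user names, passwords, roles and permissions below are constructed for the example.

```python
"""Back-end login service for an integrated mobile app (illustrative, not AIS code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

_SALT = b"constructed-salt-0001"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-in for the LDAP / Active Directory repository the back-end would bind to.
DIRECTORY = {
    "jdoe": {"pw": _pbkdf2("correct horse", _SALT), "roles": ["WAREHOUSE"]},
    "asmith": {"pw": _pbkdf2("battery staple", _SALT), "roles": ["WAREHOUSE", "APPROVER"]},
}

# Constructed role -> permission mapping; this is the back-end's security model, not the app's.
ROLE_PERMISSIONS = {
    "WAREHOUSE": {"inventory:read", "inventory:adjust"},
    "APPROVER": {"po:approve"},
}

# Signing key for session tokens; it never leaves the back-end.
SIGNING_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authenticate(username: str, password: str) -> bool:
    """Check credentials against the directory using a constant-time comparison."""
    entry = DIRECTORY.get(username)
    if entry is None:
        _pbkdf2(password, _SALT)  # same cost for unknown users, so timing does not reveal them
        return False
    return hmac.compare_digest(entry["pw"], _pbkdf2(password, _SALT))


def issue_token(username: str, roles: list, ttl_seconds: int = 900) -> str:
    """Return 'payload.signature': base64url JSON claims plus an HMAC-SHA256 over them."""
    claims = {"sub": username, "roles": roles, "exp": int(time.time()) + ttl_seconds}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str):
    """Return the claims if the token is authentic and unexpired, otherwise None."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        if claims["exp"] <= time.time():
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


def login(username: str, password: str):
    """The Web API the mobile app calls exactly once with the user's credentials.

    Returns the session token and the effective permission set, or None on failure.
    """
    if not authenticate(username, password):
        return None
    roles = DIRECTORY[username]["roles"]
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    return {"token": issue_token(username, roles), "permissions": sorted(perms)}


def authorize(token: str, permission: str) -> bool:
    """Guard for every later API call: the token must verify and a role must grant the action."""
    claims = verify_token(token)
    if claims is None:
        return False
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in claims["roles"])
```

The app only ever sees the token and the permission list it should render; which roles exist and what they permit stays on the back-end, so a change to the security model needs no app release. The verification order (signature first, then decode, then expiry) matters: nothing from an unauthenticated payload is parsed before its signature has been checked.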

SSO Options for Standalone Mobile Applications

Not all mobile applications have a back-end enterprise system that controls user security. Many mobile applications are responsible for implementing their own user security model. Consider, for example, a complaint reporting application for a services company that stores all reported complaints in an on-premises database without directly interfacing with an enterprise system.

For standalone applications, there are a variety of SSO implementation options available. The following three are the most common:

Option 3: Custom integration with an enterprise identity provider

If your company uses an enterprise-wide identity provider (IdP) such as Okta, mobile SSO can be implemented using the SAML protocol, with the authentication logic carried out in an embedded browser (web view) inside the application. Be aware that current best practice for native apps (RFC 8252, OAuth 2.0 for Native Apps) is to run the login in the system browser rather than an embedded web view: a web view lets the app observe the user’s IdP credentials, and it does not share the system browser’s session cookies, which is what gives the user real single sign-on across apps.

The following graphic illustrates this option. Here Okta is integrated with the mobile application via SAML. Once the user is authenticated, the application uses an access token issued on the strength of that login to call the Web API on the user’s behalf (SAML itself yields an assertion, not an API token, so either the IdP issues the token through OAuth 2.0/OIDC or your Web API issues one in exchange for the validated assertion). In this scenario, user authorization and role permission logic must be implemented within the mobile application and/or the custom Web API.

[Graphic: Single Sign On Mobile Applications, Option 3]
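For the standalone-app case in Option 3, the practitioner’s alternative to SAML in a web view is the OAuth 2.0 authorization code flow with PKCE (RFC 7636) run in the system browser, which Okta and other enterprise IdPs support. The following is an added example, not code from the original post or from Okta: it implements the S256 method on both sides, the app’s verifier, challenge, authorization request and redirect handling, and the check the IdP’s token endpoint performs when the code is redeemed. The authorize URL, client_id and redirect URI are made-up values; a real app would take the endpoints from the IdP’s discovery document.

```python
"""PKCE (RFC 7636, S256) for a native mobile app talking to an enterprise IdP."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; the real ones come from the IdP and app registration.
AUTHORIZE_URL = "https://idp.example.com/oauth2/v1/authorize"
CLIENT_ID = "0oa-example-client"
REDIRECT_URI = "com.example.mobile:/callback"  # private-use URI scheme, as RFC 8252 suggests


def _b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier: 43 characters from the unreserved set (RFC 7636 section 4.1)."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(verifier: str, state: str, scope: str = "openid profile") -> str:
    """URL the app opens in the system browser; the verifier itself never leaves the app."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str):
    """Pull the authorization code out of the redirect, refusing it if state does not match.

    The state check stops an attacker from injecting a code from their own session
    into the victim's app (CSRF on the redirect).
    """
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]


def token_endpoint_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """The IdP side: recompute S256 over the verifier sent with the code and compare.

    Only the app instance that generated the verifier can satisfy the challenge bound
    to the code, so a code intercepted from the redirect URI is useless on its own.
    """
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```

Because the challenge is a one-way hash, an attacker who sees the authorization request and the redirect learns nothing that lets them redeem the code. This is what makes the flow safe for a public client such as a mobile app, which cannot keep a client secret.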

Option 4: Leverage built-in integrations with an enterprise identity provider

Some enterprise identity providers, such as Okta, provide a common mobile application that can be downloaded to mobile devices. The user is authenticated once by that common app and can then launch other integrated applications without authenticating again. This works well for standard mobile applications such as Salesforce that are available in the app stores, because they have pre-established integrations with the IdPs.

Option 5: Leverage an EMM solution

Enterprise mobility management (EMM) solutions such as MobileIron, IBM MaaS360, and AirWatch secure mobile devices in multiple ways. Each EMM provider has its own way of implementing user authentication and SSO for mobile applications, which works as long as the EMM software is installed on the device.

This blog post is intended to familiarize readers with a few popular SSO options for different implementation scenarios. You are not limited to these five options by any means. Depending on the tools and platforms at your disposal, you can come up with a variety of others. For example, if you have multiple standalone applications, you can use a mobile back-end service such as Oracle Mobile Cloud Service (MCS), or use Azure Active Directory as the common authentication layer for all of your mobile applications, rather than implementing a separate SSO solution for each one.
