Mobile single sign-on proposal before OpenID group

Summary: Working group's goal would be to simplify application access controls for mobile devices


The OpenID Foundation is considering a proposal that would provide single sign-on technology to applications installed on mobile devices.

The proposed Native SSO working group would look at establishing a standard agent that allows a mobile device user to authenticate once on the device and gain access to all of their installed applications. Today, end users log in separately to each individual, password-protected application.

"For all their advantages, the current state-of-the-art of standard protocols for authentication and authorization do not support mobile SSO," said Paul Madsen, senior technical architect in the CTO's office at Ping Identity. Madsen unveiled the Native SSO proposal at Monday's OpenID Foundation meeting held during the first day of the annual Cloud Identity Summit in Napa, Calif.

The mobile piece is just the latest installment of a series of projects at the OpenID Foundation that include a standard user log-in interface and a message bus that allows applications on a Web page to share identity and other data.

For the past few years, the OpenID Foundation has been collecting strategic technologies, vetting them, and providing open-source code.

The Native SSO proposal is under review, but likely will be accepted, according to Don Thibeau, the executive director of the OpenID Foundation. "You can't have an identity strategy without a mobile strategy," he said.

The GSMA, which represents the interests of mobile operators worldwide and is an OpenID Foundation member, is keeping a sharp eye on the proposal. GSMA, which produces the Mobile World Congress conference, is home to nearly 800 of the world’s mobile operators, and counts more than 230 companies in its broader mobile ecosystem.

"We have protocols that enable native individual apps, OAuth and OpenID Connect, but neither of those two, out-of-the-box, support SSO for native applications," said Madsen. "We are proposing this new working group to profile and extend OpenID Connect to meet that use case."

OpenID Connect, a simple JSON/REST-based protocol, is not yet finalized, but is a de facto authentication standard designed to help decentralize identity and support scale to Internet proportions.

The proposed architecture centers on an authorization agent (AZA) installed on the device or found in the OS. The end-user logs into the AZA, which requests access tokens from an authorization server on behalf of the native applications on the device.

Mobile is the latest pursuit for the OpenID Foundation. So far, Google has donated the intellectual property for a user interface it developed called Account Chooser, a simple, open standard log-in interface for the Web.

Last July, the Foundation showcased its newest addition, a message bus technology called Backplane, which was developed by Janrain and Echo. The code has been open sourced and made publicly available at github.

"The assumption is that other authentication tools are needed that share the same characteristics with Backplane and Account Chooser," said Thibeau. "Lightweight, agile and with broad existing support. AZA fits that profile."

(Disclosure: My employer is the lead sponsor of the Cloud Identity Summit).

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Comments:
  • I do not get it

    Why does anyone think there is a need for OpenID???

    It's not that complicated.

    At checkout I generate a random 3 digit number for a customer to Text. The page with the 3 digit number says "Text this number to xxx-xxx-xxxx then click here."

    Typically it takes less than 5 seconds to receive the text, and a few milliseconds to update the online database. If it's an existing customer, transaction is complete. If a new customer then they are prompted for any additional info that may be needed.

    I have a simple GPRS modem to receive the Text.
  • The Enterprise

    It seems like these solutions are fine for retail or consumer apps. But Enterprise applications with very high security credentialing requirements seem to be left on their own. I'm not so sure the NSA or IRS would be fine just accepting out of the box AZA or most of these other solutions.