Mobile single sign-on proposal before OpenID group

Working group's goal would be to simplify application access controls for mobile devices

The OpenID Foundation is considering a proposal that would provide single sign-on technology to applications installed on mobile devices.

The proposed Native SSO working group would look at establishing a standard agent that allows a mobile device user to authenticate once on the device and gain access to all of their installed applications. Today, end users log in separately to each password-protected application.

"For all their advantages, the current state-of-the-art of standard protocols for authentication and authorization do not support mobile SSO," said Paul Madsen, senior technical architect in the CTO's office at Ping Identity. Madsen unveiled the Native SSO proposal at Monday's OpenID Foundation meeting held during the first day of the annual Cloud Identity Summit in Napa, Calif.

The mobile piece is just the latest installment of a series of projects at the OpenID Foundation that include a standard user log-in interface and a message bus that allows applications on a Web page to share identity and other data.

For the past few years, the OpenID Foundation has been collecting strategic technologies, vetting them, and providing open-source code.

The Native SSO proposal is under review, but likely will be accepted, according to Don Thibeau, the executive director of the OpenID Foundation. "You can't have an identity strategy without a mobile strategy," he said.

The GSMA, which represents the interests of mobile operators worldwide and is an OpenID Foundation member, is keeping a sharp eye on the proposal. GSMA, which produces the Mobile World Congress conference, is home to nearly 800 of the world’s mobile operators, and counts more than 230 companies in its broader mobile ecosystem.

"We have protocols that enable native individual apps, OAuth and OpenID Connect, but neither of those two, out of the box, supports SSO for native applications," said Madsen. "We are proposing this new working group to profile and extend OpenID Connect to meet that use case."

OpenID Connect, a simple identity layer on top of OAuth 2.0 that uses JSON and REST, is not yet finalized, but is already a de facto authentication standard designed to decentralize identity and to scale to Internet proportions.

The proposed architecture centers on an authorization agent (AZA) installed on the device or built into the OS. The end user logs in to the AZA once; the AZA then requests access tokens from an authorization server on behalf of the native applications on the device, so each application receives its own token without prompting the user for credentials again.
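The following is an added example, not code from the OpenID Foundation, Ping Identity or the proposed working group, that models the AZA flow described above in Python. The message shapes, the HMAC-signed token format, the class and method names, the application identifiers and the user credentials are all assumptions made for illustration. The part a practitioner would want to see is the trust boundary: the authorization server binds each token to one registered application (the `aud` claim), and the agent only hands tokens to applications it knows are installed, so a token minted for the mail app is rejected if the calendar app replays it, and an unregistered app gets nothing.

```python
"""Constructed model of the on-device authorization agent (AZA) flow.

Not the OpenID Foundation's or Ping Identity's code; the token format,
names and sample users below are assumptions for illustration only.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_LIFETIME = 300  # seconds; assumed short lifetime for per-app tokens


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """One agent session per user login, then per-app access tokens."""

    def __init__(self, registered_apps):
        self._key = secrets.token_bytes(32)           # assumed shared with resource servers
        self._registered_apps = set(registered_apps)  # app ids allowed to receive tokens
        self._users = {"alice": "correct horse battery"}  # constructed test user
        self._agent_sessions = {}                     # agent token -> username

    def login_agent(self, username, password):
        """The user authenticates once, via the AZA; the AZA gets a session token."""
        expected = self._users.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._agent_sessions[token] = username
        return token

    def issue_app_token(self, agent_token, app_id, scope, now):
        """Mint a short-lived token bound (aud) to exactly one registered app."""
        username = self._agent_sessions.get(agent_token)
        if username is None:
            raise PermissionError("unknown agent session")
        if app_id not in self._registered_apps:
            raise PermissionError(f"app {app_id!r} is not registered")
        claims = {"sub": username, "aud": app_id, "scope": scope, "exp": now + TOKEN_LIFETIME}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def verify_app_token(self, token, expected_aud, now):
        """What a resource server does: check signature, audience and expiry."""
        body, _, sig = token.partition(".")
        good = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(good, sig):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64(body))
        if claims["aud"] != expected_aud:
            raise PermissionError("token issued for a different app")
        if claims["exp"] <= now:
            raise PermissionError("token expired")
        return claims


class AuthorizationAgent:
    """On-device AZA: logs the user in once, then fetches tokens per installed app."""

    def __init__(self, auth_server, installed_apps):
        self._as = auth_server
        self._installed = set(installed_apps)  # apps the OS reports as installed
        self._agent_token = None
        self._cache = {}                       # app id -> (token, expiry)

    def login(self, username, password):
        self._agent_token = self._as.login_agent(username, password)

    def token_for(self, app_id, scope, now):
        """Hand out a token only to a known app; reuse it until it expires."""
        if self._agent_token is None:
            raise PermissionError("user has not logged in to the agent")
        if app_id not in self._installed:
            raise PermissionError(f"{app_id!r} is not an installed app")
        cached = self._cache.get(app_id)
        if cached is None or cached[1] <= now:
            token = self._as.issue_app_token(self._agent_token, app_id, scope, now)
            cached = (token, now + TOKEN_LIFETIME)
            self._cache[app_id] = cached
        return cached[0]


def demo(now=None):
    """Run the flow for two apps and report what each check produced."""
    now = now if now is not None else int(time.time())
    apps = ["com.example.mail", "com.example.calendar"]  # constructed app ids
    auth = AuthorizationServer(registered_apps=apps)
    aza = AuthorizationAgent(auth, installed_apps=apps)
    aza.login("alice", "correct horse battery")           # the single user login
    mail_tok = aza.token_for("com.example.mail", "mail.read", now)
    cal_tok = aza.token_for("com.example.calendar", "cal.read", now)
    mail_claims = auth.verify_app_token(mail_tok, "com.example.mail", now)
    try:  # calendar app replaying the mail app's token must fail on the aud check
        auth.verify_app_token(mail_tok, "com.example.calendar", now)
        replay_ok = True
    except PermissionError:
        replay_ok = False
    try:  # an app the agent does not know gets no token at all
        aza.token_for("com.example.rogue", "mail.read", now)
        rogue_ok = True
    except PermissionError:
        rogue_ok = False
    return {
        "mail_sub": mail_claims["sub"],
        "distinct_tokens": mail_tok != cal_tok,
        "cross_app_replay_accepted": replay_ok,
        "unregistered_app_accepted": rogue_ok,
        "cached": aza.token_for("com.example.mail", "mail.read", now) == mail_tok,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the agent session would itself be a refresh token or similar long-lived credential protected by the OS keystore, and resource servers would verify tokens with the authorization server's public key rather than a shared HMAC secret; both are simplifications here so the block runs offline.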

Mobile is the latest pursuit for the OpenID Foundation. So far, Google has donated the intellectual property for a user interface it developed called Account Chooser, a simple, open standard log-in interface for the Web.

Last July, the Foundation showcased its newest addition, a message bus technology called Backplane, which was developed by Janrain and Echo. The code has been open sourced and made publicly available on GitHub.

"The assumption is that other authentication tools are needed that share the same characteristics with Backplane and Account Chooser," said Thibeau. "Lightweight, agile and with broad existing support. AZA fits that profile."

(Disclosure: My employer is the lead sponsor of the Cloud Identity Summit).