Out-of-the-Box Single Sign-On for Enterprise Apps

Whether you are an employee or IT help desk, you are familiar with the message:

“Login failed! Your user name and/or password are incorrect. Please contact your administrator.”

The cost of resolving authentication issue is expensive for both employees and enterprise, as number of collaboration and productivity apps are growing in enterprise space. Many enterprises are implementing identity management solutions to manage their employee credentials efficiently and securely. As part of identity management solution, enterprises are adapting to the Enterprise Single Sign-On (SSO) model, replacing application specific credentials with Active Directory credentials. Investing time to understand the corporate authentication architecture is beneficial for the development of enterprise apps.

In this article, we will take a look at the basics of the Enterprise SSO (E-SSO) model and how to configure enterprise apps to use E-SSO by leveraging BlackBerry10 OS and BlackBerry Enterprise Service (BES).

Enterprise SSO Authentication via Kerberos/NTLM Protocol

In Active Directory (AD) environments, the default authentication protocol is Kerberos, with a fall back to NTLM. Kerberos is a secure authentication protocol supported by Active Directory. It is one of the highest security levels to the enterprise network as passwords are not transferred over the network during the authentication process and once authenticated, the authentication token can be shared with trusted domains granting access to multiple AD-joined services, enabling basis of the SSO access to users.  AD also supports NTML that provides a challenge-response authentication mechanism and leverages one or both of the two hashed password values stored on the authenticating server (or domain controller). The hashed values are password equivalent, which allows servers to authenticate users without knowing the actual password. Although Kerberos is considered more secure than NTML, NTML authentication is still widely used as a fallback when Kerberos is not available.

Enterprise SSO (E-SSO) enables users to login once with their corporate credentials and provide access to multiple resources and services without re-entering their credentials for a period of time providing security to enterprise and better user experience to users.

E-SSO authentication can be utilized by mobile applications that are connecting to enterprise network resources.  On BlackBerry10 platform, E-SSO is handled by Credential Manager service. One of the main benefits of the Credential Manager service is that it allows mobile enterprise applications to leverage E-SSO without being required to explicitly manage user credentials or implement support for enterprise grade authentication mechanisms .

E-SSO on BlackBerry 10 and BlackBerry Enterprise Service (BES)

If the organization supports SSO via Kerberos/NTML, providing access to their organization’s resources through desktop applications, then the same applies to the enterprise apps, deployed to the work perimeter on BlackBerry 10. Credential Manager service defines a trusted domain as a set of enterprise services that leverage the same identity system. Once a user completes a log in for any service in the trusted domain, the same credential is re-used for all other services in the same trusted domain.

A list of trusted domains can be specified as part of configuring E-SSO on BES.

The following login screen is an example of an SSO prompt managed by the Credential Manager service on BlackBerry10 for a trusted domain.

When a user is accessing a network resource that is not part of the trusted domain, a login dialog specific to the service gets prompted as below.

Attempting to access multiple enterprise services that are not configured as part of a trusted domain could result in separate login prompts for each service.

How to configure Enterprise SSO for Enterprise Apps via Credential Manager

In summary, enterprise apps can enable E-SSO with the following configurations:

• Kerberos and/or NTLM authentication is supported in Active Directory
• The organization’s Kerberos configuration is imported into BES
• Trusted domains are specified as SSO profile in BES

On BlackBerry 10, cURL and GSSAPI libraries have been extended to support authentication via Credential Manager. Any applications using those libraries can enable E-SSO in work perimeter.  On BlackBerry OS 10.3.1, WebView based applications deployed in work perimeter support E-SSO out-of-the-box. This includes WebWorks apps, as well as Apache Cordova apps and apps using Cascades WebView.

Native applications, deployed in work perimeter, can also leverage E-SSO via Credential Manager Library API on BlackBerry OS 10.3.1.

You can learn more about BlackBerry Enterprise Service 12 here.