IdPMobile
Version 1 (Emilio Penna, Monday, 5 February 2018 17:53:39 -0300)
h1. IdPMobile

h3. References:

* http://shibboleth.1660669.n2.nabble.com/Android-Application-Question-td7630558.html (see the excerpts in the attachment)
* https://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/
* https://www.pingidentity.com/developer/en/resources/napps-native-app-sso.html

h3. Linking to a mobile application:

* https://xamarinhelp.com/launching-mobile-app-via-uri-scheme/
* https://xamarinhelp.com/uri-scheme/
* https://developers.tune.com/sdk/deep-linking-to-your-mobile-app-from-your-website/

Examples of URIs that link to a mobile application:

* twitter://timeline
* mobiledeeplinkingprojectdemo://product/123

h3. Diagram of a possible interaction:

!mobile-idp1.png!

*FLOW IDEA:*

# the app requests a protected (SP) page (opens the system browser)
# authn request to the IdP
# login page
# redirect to the protected page
# redirect to the mobile app with an application token

*Login handler*

# receives a GET request on /login, with the environment variables already populated by the Shibboleth SP
# generates the parameters and encrypts/HMACs them into <token>. Example: encode(ci+hmac)
# redirects to the mobile app, at myapp://init/<token>

Then the mobile app receives the parameters, verifies them and creates the session.
(If only the document is used, a get user info call might not be necessary)

Ideas for protecting the request:
https://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html

<pre>
import base64, hashlib, hmac, urllib.parse  # Python 3 port of the Python 2 sample from the S3 guide

# HMAC-SHA1 over the canonical string: method, empty Content-MD5 and Content-Type,
# expiry timestamp and resource path, keyed with the (example) secret access key.
h = hmac.new(b"OtxrzxIsfpFjA7SwPzILwy8Bw21TLhquhboDYROV",
             b"GET\n\n\n1141889120\n/quotes/nelson",
             hashlib.sha1)
# base64 of the digest, then URL-encoded so it is safe as a query string parameter.
urllib.parse.quote_plus(base64.b64encode(h.digest()).decode())
# Note that we also url-encoded the result this time. This is because the output from the base64 algorithm is not suitable for use as a query string parameter, so we add an additional layer of armor to make it acceptable.
</pre>
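The login-handler token and the app-side check sketched above, as an added example (not the project's code): the handler signs the SP-provided ci attribute together with an issue timestamp using HMAC-SHA256, in the spirit of the S3 request signature, and builds the myapp://init/<token> deep link; the app rejects any token whose MAC does not match or that falls outside a short validity window. The shared secret, the claim names and the 60-second TTL are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
import urllib.parse

# Constructed placeholder: the login handler and the app backend must share this key.
SECRET = b"constructed-example-secret-change-me"
TOKEN_TTL = 60  # assumed: seconds a token stays valid after it is issued

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(ci, issued_at=None, secret=SECRET):
    """Login handler side: bind the SP attribute ci to a timestamp and sign the pair."""
    claims = {"ci": ci, "ts": int(issued_at if issued_at is not None else time.time())}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(mac)

def redirect_uri(token):
    """Deep link the handler redirects to. The urlsafe alphabet needs no escaping,
    but quote() keeps the link well-formed if the token format ever changes."""
    return "myapp://init/" + urllib.parse.quote(token, safe="")

def verify_token(token, now=None, secret=SECRET, ttl=TOKEN_TTL):
    """App side: return the claims only if the MAC matches and the token is fresh."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = b64url_decode(payload_b64)
        mac = b64url_decode(mac_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    now = int(now if now is not None else time.time())
    if not 0 <= now - claims["ts"] <= ttl:  # expired or future-dated token
        return None
    return claims
```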