January 1, 2016

Improved Single Sign-On (SSO) in Samsung Knox

Samsung Knox News

With the proliferation of personal and enterprise apps on smartphones, remembering multiple username and passwords, and entering them every time you use those apps, becomes cumbersome. Knox solves this problem by providing Single Sign-On (SSO) capabilities, which make it possible to enter a single username and password, for accessing multiple applications. The new Knox 2.0 has enhanced SSO features. It comes with a lot better Single Sign-On experience, not only for the users but also for developers and IT admins. So, what’s new with SSO? Let’s check it out. 

SSO solutions

Knox 2.0 comes with two SSO solutions:
  • Samsung Knox - Centrify  SSO Solution
This supports integration with native apps for cloud-based application and SaaS.  Powered by Centrify and already present since Knox 1.0, it has been incorporated in Knox 2.0 as well. 
  • Samsung Knox - Samsung SSO Solution
This supports SAML 2.0 and HTTP Negotiate Authentication using MIT Kerberos V5. It is a significant addition to the list of new features in Knox 2.0. In this blog post, we will focus on this addition. 
 

What is in the Samsung SSO Solution?

The majority of mobile SSO solutions have been developed for the cloud-based apps using standards such as Security Assertion Markup Language (SAML) or other similar protocols for authentication with an enterprise Active Directory. 
However, in the Active Directory infrastructure, the well-known Integrated Windows Authentication with Negotiate (Kerberos) is widely used and is enabled by default. Many applications (especially, Intranet apps) were not portable into mobile phone apps because the Integrated Windows Authentication method (that may use Kerberos or NTLM) was missing on the mobile device framework. And developers refrained from using other weaker authentication protocols. 
 
  • SAML 2.0
  • HTTP Negotiate using Kerberos

 

 
 

Better experience for users

  • Users can now enjoy SSO, not only for SaaS and cloud-based apps but also for web-based intranet apps. 
  • This enhanced capability brings SSO on Knox-enabled mobile phones closer to a desktop PC experience. Imagine, employees securely accessing a company’s intranet homepage on their mobile phones, checking email, accessing enterprise’s cloud and sharing data – all with just one log-in.
  • A user enters an AD username/password on the login screen once and gets smooth login sessions to all other allowlisted apps automatically. 
  • Until the login sessions expire or the user is asked to authenticate again remotely by IT admin, there is no need to enter username/password again.

 

Fewer calls to IT Admins

  • For SaaS, the solution uses the SAML 2.0 standard and requires the enterprise to host a SAML identity providing server. For enterprises using the AD infrastructure, deploying Active Directory Federation Services (ADFS) will serve the purpose.  This solution can also be deployed with any other SAML-based identity federation server and directory services using Kerberos.
  • IT admins can allowlist a set of apps installed on the device through an EMM system. Only these allowlisted apps can use SSO and no other app will be trusted by the on-device SSO client. 
  • Another important feature is that all Windows account and Kerberos policies, such as time synchronization, password expiry, account blocked, lifetime of tickets, etc., applicable to user accounts in AD will be applicable on mobile phone also.
  • There is no cloud component or any third-party server involved other than mobile device and AD infrastructure in the enterprise’s premises. 
  • The SSO can use the per-app VPNs provided by the Knox platform for securely connecting to an enterprise’s AD and ADFS.
  • Nowhere in the process is a password sent over the network or stored on a device.

 

Opportunity for developers

  • If you want seamless SSO for your intranet apps, you can use APIs provided in the Knox 2.0 SDK to integrate with the Samsung SSO solution. Imagine employees securely opening enterprise’s intranet services on the mobile devices with an experience very similar to that of desktop PCs. 
  • For cloud-based applications and SaaS such as Salesforce, Dropbox or Office 365, which offer SAML-based SSO, SAML 2.0 based APIs have been provided in the Knox SDK.
  • Developers can choose any one of the above two methods depending on the service provider.  
So, if you liked the blog post and you appreciate the efforts Samsung has put in improving Knox, then don’t forget to share this article.
 
 

More information 

Enterprises, EMM vendors, and application developers who are interested in adding SSO to their apps can find more resources on SEAP.