Wednesday, March 14, 2007

Provisioning Mobile Applications with SAML

So earlier this month I described a method that would simplify provisioning a user's identity credentials to a mobile application. This method will work but requires the application provider (e.g. an Instant Messaging service) to be able to send a binary SMS message to the phone to configure the application with the necessary credentials.

A less invasive method would be for the mobile operator and the application provider to federate their identities such that when the user activated an application on the phone, the mobile operator could authenticate the user to the application provider via a SAML assertion. This is not complicated and already supported via the existing SAML protocols. A possible flow could be...

  1. User goes to application provider (Instant Messaging service) web page
  2. Web page asks the user if they want to activate their IM account on their phone
  3. User selects the link to start the process
  4. The web page asks the user to authenticate their Instant Messaging account (if not already authenticated)
  5. After authentication, the web site asks the user for their mobile operator and phone number
  6. One the information is received the web site sends a SMS message to the phone
  7. The user enters the SMS confirmation code to the web site
  8. The web site sends a SAML federation message to the mobile operator providing a pseudonymous identifier and phone number for the user
  9. The mobile operator receives the SAML message and maps the phone number to the user's account and stores the pseudonymous identifier for the IM service
Now when the user activates the IM application on the phone, the phone communicates it's identity to the mobile operator. The mobile operator sends a SAML assertion (containing the pseudonymous identifier) to the IM application to authenticate the user. The user is now authenticated and the IM application can send back any connection information required to complete the IM session.

This model keeps the interactions between the mobile operator host services and external application providers. It also makes it much easier for users to configure their applications because they don't have to enter their credentials into the phone itself. A win-win.

Tags: Identity, Mobile, SAML

Update: In my rush to post this entry I was remiss in pointing out that this solution was discussed over lunch at a Liberty Alliance interim TEG meeting. The other principals in the discussion were Fulup Ar Foll and Alvaro Armenteros.


Carolina said...

Interesting use case, however I am concerned about step #5:

"After authentication, the web site asks the user for their mobile operator and phone number"

It very frequently happens that users do not want to provide their phone number to just any web site (obvious reasons: anti-spam, privacy protection etc). Instead of this, why not using Liberty Messaging Profile (ID-CSM), which would allow the IM service provider to send a SMS to the user, without a need of knowing his/her real MSISDN?.

Maybe I am misunderstanding the use case, otherwise I believe that Liberty ID-CSM nicely fits here. I can further expand on usage, if required. Cheers, carolina

George Fletcher said...

Good point and a variation that we discussed as well. It should be possible to generate a "pre-federation" assertion and send the user back to their mobile operator to enter their phone number. However, this would require the mobile operator to inform the application provider of the federation if the user completes the process at the mobile operator web site.

I think that this flow could work just as well.

Sanjay Garde said...

What if the device is stolen?

Mobile Application Development said...

May be This is not complicated and already supported via the existing SAML protocols. but good information about Provisioning Mobile Applications with SAML