48.2 Understanding Mobile and Social Services

Mobile and Social Services connect applications running on client devices to the security services and products available in the Oracle Identity Access Management product suite.

In addition, User Profile Services is a Mobile and Social Services feature that connects client applications to many popular LDAP compliant directory servers.

The following sections contain more detailed information regarding the Mobile and Social Services portion of Mobile and Social.

48.2.1 Mobile and Social Components

Mobile and Social Services consists of a server component, server-side device store, and a Mobile and Social Services Client Software Development Kit.

The components are as follows:

  • A server component that interfaces with your backend Identity Services infrastructure. The server acts as an intermediary between supported client applications (and the users using those applications) and your backend Identity services. This arrangement decouples the client applications from the backend infrastructure so that you can modify your backend infrastructure without having to update your client programs. You can enable the Mobile and Social service to run by itself or in combination with the Access Manager service and/or the OAAM product as discussed in Introducing Mobile and Social.

  • A server-side device store that can store security material, such as security tokens and security information required by the OAAM Security Handler Plug-in. The server-side device store provides several benefits: It improves security because tokens managed by the server-side device store are not sent to the client application where they can be copied if the device or client app is compromised; it eliminates the need for mobile client applications to manage and synchronize security material; and finally it allows security material to be shared and synchronized among multiple client apps.

  • A Mobile and Social Services Client Software Development Kit (Client SDK) is available for Android and iOS devices and for Java. It is used to build authentication, authorization, and directory-access functionality into applications that run on mobile and desktop devices. The Mobile and Social Services Client SDK can also be used to build a mobile single sign-on (SSO) agent application (for Android and iOS devices only). Mobile SSO is described in Understanding Single Sign-on (SSO) for Mobile and Social Services. The Mobile and Social Services Client SDK is described in Introducing the Mobile and Social Services Client SDK.

48.2.2 Introducing Authentication Services and Authorization Services

Authentication and Authorization Services let you extend an existing authentication and authorization infrastructure to include mobile and non-mobile applications.

Mobile and Social Services supports the following common token types:

  • A User Token grants the token bearer the permissions associated with the person who has been authenticated.

  • An Access Token grants access to a specific protected resource, such as a web resource or a URL.

  • A Client Token grants access to a non-mobile hardware device, such as a web application or server application.

  • A Client Registration Handle (similar to a Client Token) is also used by Mobile and Social Services. It represents a mobile client application running on a mobile device. Mobile and Social uses the Client Registration Handle to register mobile devices, whereas non-mobile Service Providers use Client Tokens to authenticate non-mobile devices.

A mobile device is a device that runs a mobile operating system, such as the Android mobile operating system from Google or the iOS mobile operating system from Apple, while a non-mobile device is a device that runs a non-mobile operating system, such as Mac OS X, Windows 7, or a Linux desktop. Because mobile devices and non-mobile devices present different security challenges, mobile authentication and non-mobile authentication are managed separately in Mobile and Social. New mobile devices come online much more frequently and therefore require greater scrutiny, including heightened fraud detection measures.

Note:

A non-mobile device can use either mobile services or non-mobile services as long as the correct input is provided.

Mobile and Social supports Oracle Access Manager tokens (if Access Manager is installed with Mobile and Social) and JWT (JSON Web Token) tokens. Each token type has a corresponding mobile and a non-mobile Service Provider. Mobile and Social provides six pre-configured Authentication Service Providers:

  • OAM Authentication

  • Mobile OAM Authentication

  • JWT Authentication

  • Mobile JWT Authentication

  • JWT-OAM Authentication

  • Mobile JWT-OAM Authentication

Table 48-2 describes the Authentication Service Providers.

Table 48-2 Mobile and Non-Mobile Authentication Service Providers in Mobile and Social Services

Authentication Service Provider | Description

OAMAuthentication | Lets users running a web application from a desktop device authenticate using Access Manager.

MobileOAMAuthentication | Lets users using mobile devices authenticate using Access Manager.

JWTAuthentication | Lets users running a web application from a desktop device authenticate using the JSON Web Token format. JSON Web Token is a compact token format that is suitable for space-constrained environments such as HTTP Authorization headers.

MobileJWTAuthentication | Lets users using mobile devices authenticate using the JSON Web Token format.

JWTOAMAuthentication | Allows lightweight, long-duration JWT tokens to be exchanged for OAM tokens. OAM tokens provide SSO and OAM resource access to clients. This provider allows users using non-mobile applications to get a new OAM token without having to provide credentials if they have a valid, long-duration JWT token.

MobileJWTOAMAuthentication | Allows lightweight, long-duration JWT tokens to be exchanged for OAM tokens. OAM tokens provide SSO and OAM resource access to clients. This provider allows users using mobile applications to get a new OAM token without having to provide credentials if they have a valid, long-duration JWT token.

48.2.3 Understanding the Mobile and Social Services Authorization Flow

The Mobile and Social Services authorization flow is used if the client application implements mobile security using the Mobile and Social Client SDKs for Android, iOS, or Java, or if the client app goes through a Mobile SSO Agent app (covered later) to establish mobile security.

In this flow the client app (or the Mobile SSO Agent) collects user inputs and maintains the user session on the mobile device.

Diagrams depicting the Mobile and Social Services authorization flow appear in:

48.2.4 Understanding Single Sign-on (SSO) for Mobile and Social Services

Mobile Single Sign-on (Mobile SSO) lets a user run multiple mobile applications on the same device without having to provide credentials for each one.

Both native and browser-based applications can participate in Mobile SSO.

Note:

Mobile and Social Services apps and Mobile OAuth apps require separate SSO implementations. For information about single sign-on for Mobile OAuth applications, see Understanding Mobile OAuth Services Server-Side Single Sign-on.

Understanding the Mobile SSO Agent App

A special app installed on a mobile device can be designated as a Mobile SSO Agent. This app serves as a proxy between the remote Mobile and Social server and the other apps on the device that need to authenticate with the back-end Identity services. The Agent can either be a dedicated agent (that is, an app that serves no other purpose), or a business (client) app that also provides agent functionality.

Note:

Before an app can use the Mobile SSO agent app to authenticate with the Mobile and Social server, you must configure the app as either a Mobile SSO Agent or Client on the server. For more information about configuring Mobile and Social Services security for Mobile SSO, see Defining Service Domains.

The Mobile SSO Agent handles device registration and advanced authentication schemes (including multi-factor authentication and one-time password authentication), so this functionality does not have to be built into each mobile application. When the Mobile SSO Agent is present, user credentials are never exposed to the mobile business applications. The Mobile SSO Agent and SSO Client interact as follows:

  • The SSO Client app sends the device registration request, the application registration request, and the User Token request to the SSO Agent.

  • The SSO Agent makes the necessary acquisitions on behalf of the SSO Client.

  • The SSO Client app then requests any Access Tokens it needs using the registration handle and User Token.

  • The SSO Agent app stores tokens and security material on behalf of the mobile SSO Client, similar to the server-side device store.

A browser-based business app can also be configured to use a Mobile SSO Agent for authentication. If that is the case, launching a browser-based business app invokes the Mobile SSO Agent and causes the agent to collect a user name and password, and send them to the Mobile and Social server. If the business app and the agent are authorized for SSO, the Mobile and Social server authorizes access. The agent then requests an Access Token for the resource (on behalf of the business app) and redirects the browser to the URL of the business app with the Access Token included in the headers.

From the user's perspective, native and browser-based apps open on the device without asking the user to provide credentials. If the agent is not installed on the mobile device, or if the business app is not approved for Mobile SSO, the user will have to directly and independently send his or her credentials to the Mobile and Social server with each and every app that is launched.

The Mobile SSO Agent can time out idle sessions, manage global logout for all apps, and assist in selective device wipes. Furthermore, it supports basic offline authentication. The agent one-way encrypts user passwords for local storage. During offline authentication, the agent validates the user name and password against the locally stored version. The agent then enforces all session idle time-outs and local password expiration policies.
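The offline authentication and time-out behaviour described above, modelled as an added example in Python (illustrative code, not Oracle's SDK): the agent keeps only a salted PBKDF2 hash of the password, refuses the cached credential once the assumed local expiration policy lapses, and enforces an assumed idle time-out on the resulting session.

```python
import hashlib
import hmac
import os
import time

# Constructed model of the Mobile SSO Agent's offline authentication (not Oracle SDK code).
PBKDF2_ITERATIONS = 100_000           # assumed work factor
IDLE_TIMEOUT_S = 15 * 60              # assumed session idle time-out
PASSWORD_MAX_AGE_S = 30 * 24 * 3600   # assumed local password expiration policy

class CredentialExpired(Exception):
    """Raised when the locally cached credential may no longer be used offline."""

class OfflineAgentStore:
    """Keeps only a salted one-way hash of the password, never the clear text."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}    # username -> (salt, digest, stored_at)
        self._sessions = {}   # username -> last-activity timestamp

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def cache_after_online_login(self, username, password):
        # Called once the Mobile and Social server has accepted the credentials online.
        salt = os.urandom(16)
        self._records[username] = (salt, self._hash(password, salt), self._clock())

    def authenticate_offline(self, username, password):
        """True if the password matches the cached hash; raises if the cache may not be used."""
        if username not in self._records:
            raise CredentialExpired("no cached credential; online login required")
        salt, digest, stored_at = self._records[username]
        if self._clock() - stored_at > PASSWORD_MAX_AGE_S:
            del self._records[username]
            raise CredentialExpired("local password expired; online login required")
        if not hmac.compare_digest(self._hash(password, salt), digest):  # constant-time
            return False
        self._sessions[username] = self._clock()
        return True

    def session_active(self, username):
        """Enforce the idle time-out; any activity refreshes the timer."""
        last = self._sessions.get(username)
        if last is None or self._clock() - last > IDLE_TIMEOUT_S:
            self._sessions.pop(username, None)
            return False
        self._sessions[username] = self._clock()
        return True
```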

Oracle does not provide a pre-built Mobile SSO Agent, however, documentation is provided so that you can build a Mobile SSO Agent app using the Mobile and Social Services Client SDK for Android or iOS. For more information about creating a Mobile SSO Agent app, refer to either the Android or the iOS Mobile and Social Services SDK documentation in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management.

Note:

The Mobile SSO Agent is only supported on Android and iOS devices.

48.2.5 Introducing the Mobile and Social Services Client SDK

The Mobile and Social Services Client SDK contains individual SDKs for Android and iOS devices, and for Java Virtual Machines (JVMs).

Table 48-3 documents each Mobile and Social Services Client SDK feature and the software on which it works.

Table 48-3 Android, iOS, and Java Features of the Mobile and Social Services Client SDK

Feature | Android | iOS | Java

Build a mobile application that can acquire Client Registration Handle, User, and Access Tokens through a Mobile and Social Server | Yes | Yes | No

Build a desktop application that can acquire Client, User, and Access Tokens through a Mobile and Social Server | No | No | Yes

Interact with a Directory server and implement User Profile Services | Yes | Yes | Yes

Create a mobile single sign-on (SSO) application | Yes | Yes | No

48.2.6 Introducing User Profile Services

User Profile Services makes it possible to build an application that lets a user in your organization access the User Profile Services from mobile devices.

User Profile Services allows Web, mobile, and desktop applications to perform a variety of LDAP compliant directory server tasks including:

  • Create, read, update, and delete functionality for users and groups

  • Search functionality

  • Org (organization) chart reporting functionality

To this end, the Mobile and Social server can interface with many popular LDAP compliant directory servers, including:

  • Microsoft Active Directory

  • Novell eDirectory

  • Oracle Directory Server Enterprise Edition

  • Oracle Internet Directory

  • Oracle Unified Directory

  • Oracle Virtual Directory

  • OpenLDAP

  • WebLogic Server Embedded LDAP

Refer to the Oracle Fusion Middleware Developer's Guide for Oracle Access Management for sample code that demonstrates how to use the SDK for User Profile Services.

Note:

Any device capable of HTTP communication can use User Profile Services by sending REST calls to the Mobile and Social server. See "Sending Mobile and Social REST Calls With cURL" in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management.