Flavors of Mobile Security/SSO for Mobile Web Apps, Native/Hybrid Apps, MAM & MDM

I recently came across quite a few customer use cases which require mobile security/Single-Sign-On (SSO). While it may sound generic, there's a lot more to it.

This post intends to provide some clarity around the various security use cases for mobile apps possible & the high level solution approach using Oracle IDM -

1) Security for Mobile Web Applications (Invoked from a mobile browser)

This is no different from invoking a web application on a desktop or a laptop. Would use Oracle Access Manager(OAM) based SSO alongwith OHS+Webgate.

2) Security for Native/Hybrid mobile applications on personal devices 

(Leveraging existing IDM Platform)

This can be achieved using OAM Mobile & Social Services (OAMMS) which has support for Android and iOS platforms. For other platforms (like Windows) OAM Mobile OAuth Services (along with REST calls) within OAM can be leveraged. Mobile applications implemented using REST and supporting OAuth  makes mobile app security technology agnostic (similar to what SAML does to federation).

Image Courtesy : Oracle PM Team Blog

3) Security for Native/Hybrid mobile applications on corporate owned devices 

(MDM or Mobile Device Management)

This feature is currently not available in the Oracle IDM World, but would be available in Oracle Mobile Security Suite (OMSS) in the upcoming 11gR2 PS3 (11.1.2.3).

4) Security for Native/Hybrid mobile applications on personal devices (BYOD concept) 

(MAM or Mobile Application Management)

This can be implemented using OMSS. The concept uses a Secure Mobile Workspace within the personal device which silos all corporate communications using an App Tunnel. The concept is explained in detailed at my blog on OMSS here.

Image Courtesy : Oracle Document

OAM 11gR2 / 11.1.2.2 : Redirection to favicon.ico screen after authentication to a Portal

Scenario - After login to the Portal using OAM 11gR2PS2 login to access a protected resource for the first time (page not cached in browser), the end user is redirected to the favicon.ico url instead of the resource url. The browser needs to be refreshed with the Portal URL to get this to navigate to the Portal home page as expected.

Also if the favicon.ico is not present in the OHS /htdocs folder a 404 may also appear.

It was initially tricky to figure out that this issue was related to permissions in OAM. But if we remove the webgate entry from httpd.conf (i.e. Security layer is bypassed), we can confirm that this issue doesnot occur which means OAM is playing up here.

Cause -
This is caused by the favicon.ico being protected by OAM. 
If it's not in the browser cache, the client browser will fetch the favicon.ico resource on the server. It will get the favicon before the page, setting incorrectly the end_url parameter, redirecting to the favicon url instead of the resource url.

Solution -
Make sure that favicon.ico is created in <OHS_INSTANCE>/config/OHS/ohs1/htdocs/  folder so that there is no 404 ever. This is the icon which shows besides the website address.

Then, create a resource definition in OAM as documented in http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/app_domn.htm#CACJJGCA 
1) set type as HTTP
2) define resource URL to /favicon.ico
3) set protection level to "excluded"  (More about excluded resources here )

Reference - Oracle Support Document