
I am looking for a solution for authenticating mobile-app users against a SAML IDP, and have some basic queries (I am new to SAML and OAuth :) ). In this scenario, the flow could be like this: the mobile user will be authenticated by the IDP, and the SAML response generated by the IDP is sent to the Service Provider (via the mobile browser - WebView). The Service Provider will then create a token which will be used by the mobile app for subsequent calls. Is this understanding correct?

Also, how will the mobile user authenticate at the IDP? I mean, should the corresponding IDP have support for mobile apps? Will the IDP's login screen be seen on the mobile during login?

In my application, currently, the mobile (REST API) user is authenticated against the application's credentials in the database. But now the desktop app is incorporating SAML for authentication, so mobile users need to be authenticated against the SAML IDP.

Thanks in advance!

nshweta
  • Please add references to back what you've found, in addition to any code you've created or found. – Lizz May 13 '14 at 05:56
  • Some references to back my above query are https://www.ibm.com/developerworks/community/blogs/mobileblog/entry/four_things_you_need_for_your_mobile_single_sign_on_solution?lang=en ...also, some queries on stackoverflow - http://stackoverflow.com/questions/11929158/saml-client-implementation-for-android – nshweta May 13 '14 at 06:54

1 Answer


Yes, your understanding is correct. In order to use a SAML IDP with mobile clients you need to go through the same process as on normal clients (AuthnRequest -> Response exchange between SP and IDP). The whole flow can look like this:

  • your mobile application opens a WebView which accesses the public URL of your SP
  • your SP starts authentication with the IDP by sending a redirect to the SAML IDP with an AuthnRequest
  • the user authenticates inside the IDP's UI (which should be able to render properly for mobile clients, as it's opened using a mobile client)
  • the IDP redirects back to your SP with a Response
  • your SP application processes the Response and generates a token usable with your REST APIs
  • the SP communicates the token back to the mobile application (e.g. using WebViewClient + onPageFinished + cookies, or a call to an object provided with addJavascriptInterface, or whatever you already use)

In comparison with the usual mobile authentication with IDPs (such as using OAuth 2 for Facebook/Google), SAML is more complicated. With OAuth 2.0 it's easy to extract the authorization token and intercept the response by using a custom URL scheme, without the need for a web-deployed (SP) component. As SAML doesn't support a flow similar to "implicit" in OAuth (for security reasons), and because processing of the SAML response is much more complex (due to XML signatures, XML encryption, ...), this approach is not feasible when using SAML.

Vladimír Schäfer
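The last step of the flow above (SP hands the token to the app via WebViewClient + onPageFinished + cookies) as an added Android example; this is not code from the answer or from any project, and the SP's "done" URL, the cookie name and the listener interface are assumed names. The SP is expected to set the cookie only after it has validated the SAML Response (signature, Audience, InResponseTo, validity window).

```java
import android.net.Uri;
import android.webkit.CookieManager;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// WebViewClient that waits for the SP's final page and lifts the freshly minted API token
// out of the cookie jar, so the SAML session never has to be handled by the app itself.
public class SamlLoginWebViewClient extends WebViewClient {
    // Assumed values: the page the SP redirects to after a successful Response, and the cookie it sets there.
    static final String SP_DONE_URL = "https://sp.example.com/mobile/login/done";
    static final String TOKEN_COOKIE = "api_token";

    public interface TokenListener {
        void onToken(String token);
        void onFailure(String reason);
    }

    private final TokenListener listener;
    private boolean delivered;

    public SamlLoginWebViewClient(TokenListener listener) { this.listener = listener; }

    @Override
    public void onPageFinished(WebView view, String url) {
        super.onPageFinished(view, url);
        // Only the SP's own HTTPS "done" page carries the token; ignore IdP and intermediate pages.
        if (delivered || url == null || !url.startsWith(SP_DONE_URL)) return;
        delivered = true;
        String token = extractCookie(CookieManager.getInstance().getCookie(url), TOKEN_COOKIE);
        // The SP/IdP browser session should not outlive the login: the app keeps only the API token.
        CookieManager.getInstance().removeAllCookies(null);
        view.stopLoading();
        if (token == null) listener.onFailure("no " + TOKEN_COOKIE + " cookie from " + Uri.parse(url).getHost());
        else listener.onToken(token);
    }

    // Parse the "a=1; b=2" string returned by CookieManager.getCookie() and return the named value.
    static String extractCookie(String header, String name) {
        if (header == null) return null;
        for (String part : header.split(";")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals(name) && !kv[1].isEmpty()) return kv[1];
        }
        return null;
    }
}
```

Start the flow with `webView.setWebViewClient(new SamlLoginWebViewClient(listener))` followed by `webView.loadUrl("https://sp.example.com/mobile/login")`; the token the listener receives is what the app sends to the REST APIs, and the SP alone decides its lifetime and revocation (e.g. on password change).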
  • Hi vschafer, thanks a lot for your response. In usual mobile authentication using OAuth 2.0, how exactly will the flow be? Is there any way in which OAuth could simplify the above flow with SAML? – nshweta May 14 '14 at 05:45
  • No, unfortunately OAuth 2.0 can't help you to make SAML 2.0 WebSSO easier. You can find more information about the implicit grant supported by OAuth 2.0 in the spec at http://tools.ietf.org/html/rfc6749#section-4.2 – Vladimír Schäfer May 14 '14 at 13:24
  • Vschafer, how can you renew a user session from SAML, or should the SP worry about it? – iosdevnyc Oct 09 '14 at 22:29
  • Hi @VladimírSchäfer, what happens when the user changes his/her password? Will the token still be valid? – arunvelsriram Jan 30 '18 at 02:11
  • Hi @VladimírSchäfer: is there any tutorial or example that shows how this can be done for Cordova mobile applications? – Parth Doshi Nov 15 '18 at 05:31
  • @VladimírSchäfer So do we need to rely on third-party tools for SAML authentication in mobile apps? Is there any document or link explaining the integration with iOS apps without third parties? – subin272 Apr 26 '19 at 06:19
  • @VladimírSchäfer Can you please answer this question - https://stackoverflow.com/questions/60359761/storing-saml-assertion-on-mobile-app-and-use-them-for-user-session – anuragal Feb 25 '20 at 07:49
  • @VladimírSchäfer can you please help me with this https://stackoverflow.com/questions/65347919/spring-boot-saml-response-inresponsetofield-of-the-response-doesnt-correspond-t – Akhil Dec 19 '20 at 12:05