I have successfully set up SAML on my React web app with Google Identity Platform, and the redirection works when logging in with my test account with Okta (Identity Provider). There is no documentation for mobile SAML setup for Google Identity Platform. Is there any way to set this up or customize the redirect behavior so that it redirects to a mobile URL scheme? (for example, my-apps-bundle-id://saml-sign-in)
-
Did you try setting the required redirect target in the `RelayState` on OKTA and see if it is honored by the app? – Sergio Pulgarin Aug 12 '19 at 04:09
-
What will I set the RelayState to? Can you give me an example? – Cenk Yurtbilir Aug 12 '19 at 04:33
-
According to the SAML2 protocol, the `RelayState` can be used to redirect users after authentication happens. I'm not 100% sure that it will work, but try looking for the Relay State parameter on OKTA and set it to the mobile URL scheme that you want. You can use the web inspector [Preserve logs] to see if OKTA sent this parameter in the `SAMLResponse` to the ACS endpoint. – Sergio Pulgarin Aug 12 '19 at 04:53
-
I think RelayState works for IdP initiated flows. And not sure it is used for redirecting to mobile apps – Cenk Yurtbilir Aug 12 '19 at 16:09
1 Answer
It's not yet supported by Firebase for native apps. The "classic" approach is to use a secure equivalent of a web view: SFSafariViewController in iOS 9+ or Chrome Custom Tabs in Chrome 45+.

identigral
-
Yeah, I tried to use SFSafariViewController in iOS with a redirect URL scheme like my-apps-bundle-id://saml-sign-in. However, the redirect doesn't work like on the web. Is there any solution or workaround for redirecting to the mobile apps? – Cenk Yurtbilir Aug 12 '19 at 14:14
-
It might be possible depending on the web view implementation/platform, e.g. [Android](https://stackoverflow.com/questions/25672330/how-to-enable-deep-linking-in-webview-on-android-app) – identigral Aug 12 '19 at 14:19
-
I tried to use Firebase Dynamic Links as a redirect URI. It redirects to the app, but not attaching the idToken parameter from successful SAML authentication. – Cenk Yurtbilir Aug 12 '19 at 16:09
-
I'm just talking about the SAML Authentication flow. When using Google Identity Platform, it gives id_token at the end of the successful authentication. However, when I use the Firebase Dynamic links as redirect URI, not seeing id_token. So it comes down to is there any workaround to enable SAML on Google Identity Platform for mobile app authentication when using SFSafariViewController? – Cenk Yurtbilir Aug 12 '19 at 17:18
-
Do you have a link to Google Identity docs that show id_token in SAML? – identigral Aug 12 '19 at 17:21
-
Yes. This [documentation](https://cloud.google.com/identity-platform/docs/how-to-enable-application-for-saml#customizing-the-redirect-domain) shows how to enable SAML for the web app, but doesn't talk about mobile apps. So the question comes down to is there any workaround to redirect to mobile apps after successful SAML auth in Google Identity Platform? (FYI: Both Auth0 and AWS Cognito SAML authentication flow start with opening a web browser with SFSafariViewController redirecting to mobile apps with url scheme) – Cenk Yurtbilir Aug 12 '19 at 17:42
-
Ah, yes, they're abusing a common vocabulary a bit in the name of abstraction by calling a SAML assertion an id token. Yeah, you can't do that on mobile with Firebase as we said in the answer. Your best shot is to explore the quirks of individual web view implementations, some allow for redirects to custom app schemes (see my comment with a link above) – identigral Aug 12 '19 at 18:46
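For the RelayState check suggested in the comments on the question, here is an added example (not code from the thread or from Google or Okta) that inspects a form body captured from the web inspector under Node.js. It reports whether `RelayState` arrived next to `SAMLResponse`, which `Destination` the response names, and whether the value is an allowlisted redirect target. The sample XML, the `sp.example.invalid` URL, the allowlist and the function name `inspectAcsPost` are constructed for illustration.

```javascript
// Added example: sample data is constructed, names are hypothetical.
// Redirect targets the app is willing to hand control to (exact match only).
const ALLOWED_TARGETS = new Set(['my-apps-bundle-id://saml-sign-in']);

// Constructed stand-in for an IdP response; a real one is signed and much larger.
const sampleXml =
  '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
  'Destination="https://sp.example.invalid/acs"/>';

// Constructed form body, shaped like the POST the browser sends to the ACS URL.
const sampleBody = new URLSearchParams({
  SAMLResponse: Buffer.from(sampleXml, 'utf8').toString('base64'),
  RelayState: 'my-apps-bundle-id://saml-sign-in',
}).toString();

function inspectAcsPost(body) {
  const form = new URLSearchParams(body);
  // RelayState is its own form field next to SAMLResponse, not part of the XML.
  const relayState = form.get('RelayState'); // null when the IdP sent none
  const encoded = form.get('SAMLResponse');
  const xml = encoded ? Buffer.from(encoded, 'base64').toString('utf8') : '';
  // Inspection only: a regex is enough to read Destination for debugging,
  // but it does not validate the signature or the XML.
  const m = xml.match(/<(?:[\w-]+:)?Response\b[^>]*?\sDestination="([^"]*)"/);
  return {
    relayState,
    destination: m ? m[1] : null,
    // Never redirect to a RelayState value that is not on the allowlist.
    relayAllowed: relayState !== null && ALLOWED_TARGETS.has(relayState),
  };
}

console.log(inspectAcsPost(sampleBody));
```

The exact-match allowlist matters because a RelayState that is followed blindly turns the ACS endpoint into an open redirect.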