Published on 7 Jan by Telmo Martins

Hello,

I’m struggling with the implementation of IDP-Mobile inside our environment.

I’ll try to summarize my findings as precisely as possible (sorry for the long text).


Using the following components from Forge:

  • IdP
  • IdPMobile
  • InAppBrowserEvents
  • IdPMobileSample


Environment:

  • Federation Service with SAML 2.0 via NetIQ Access Manager.
  • Authentication via Smartcard (Web) or client certificate (Mobile) preferred.
  • Two fallback solutions: RSA SecurID token and One-Time Password (in case a client certificate is not available / not selected by the user)


Goal:

Open Mobile Application and authenticate user via client certificate on Federation Service.

(Authentication for Web Application via Smartcard already works)


Current situation for Mobile:

  • Open URL to Federation Service via Browser (Safari on iOS):
    • User is asked (via prompt) for the client certificate; after selecting it, the User gets authenticated

  • Using the IdPMobileSample App with InAppBrowser target (“_blank”):
    • User is redirected to the Federation Service, the prompt asking for the client certificate is NOT shown; login via fallback (RSA SecurID and One-Time Password) is possible
    • Didn’t find a way to get the prompt asking for the client certificate to open in the InAppBrowser window --> not supported?

  • Using the IdPMobileSample App with InAppBrowser target (“_system”):
    • The App opens the local browser, is redirected to the Federation Service, the prompt asking for the client certificate is shown, the User gets authenticated, but the User stays in the Browser.
    • After manually going back to the App, the User is not authenticated inside the App
    • Didn’t find a way to go back to the App with an authenticated login

  • Using the Forge component “Sample Safari View and Custom Chrome Tab”:
    • If I enter the URL of the Federation Service in this sample App, the User is redirected inside the App via the SafariViewController to the Federation Service URL and the prompt for the client certificate is shown
    • There was no SSO configured for this yet; this was just to check whether the prompt is shown
    • An additional solution to read the token would also be required (e.g. using a Custom URL Scheme, see below)

Questions:

  • Is there a way to solve the issue with using the InAppBrowser? (A solution for target “_blank” would be preferred)

  • Or is there maybe another solution available to handle the client certificate based authentication?


What are your thoughts about this?

Thanks in advance for your support and contribution.


Kind Regards,

Benjamin

Hi Benny,

From what I understood, the InAppBrowserPlugin does not seem to support the use case for your authentication process.

The main challenge of using a system browser is really getting a callback to the mobile app once the authentication is performed.

I don't believe I've ever used the plugin you mention, but from its documentation it seems that you need something like the Custom URL scheme that you mentioned (i.e., some URL that you enter in the system browser that opens or brings the app to the foreground with some context passed in that URL).

Having that in place, it's quite easy to adapt IdP and IdPMobile to be aligned with that behavior.

Regards

Hi Benjamin,
As I've already shared with you, we've managed to use the IdP component for external authentication on a mobile app with client certificates; let me share with the community what we've done to accomplish that.

We had to change the component to allow the usage of the system browser, as it is the only way of using client certificates. After that, we also had to change the callback screen (MobileCloseInAppPoint) to redirect us back to the mobile application; for this last part we used deep links.

The main changes we've done were:

  • Create a new session variable that holds the module that made the authentication request
  • Create a new entity to map the mobile token to the module that made the request; the information about the module comes from the session variable
  • Change the callback screen MobileCloseInAppPoint to redirect the user back to the application through a deep link.

If anyone has any more questions regarding this, just let me know.

Cheers,

João
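The two replies above describe the same pattern: the system browser (where the client certificate prompt works) authenticates the user, a callback screen issues a mobile token tied to the module that started the login, and a deep link (custom URL scheme) hands that token back to the app. The following Python simulation is an added example written for this thread; it is not code from the OutSystems IdP or IdPMobile components, and the scheme name `myidpapp`, the `IdpServer` class, its method names and the 60-second token lifetime are all assumptions. It shows the server-side state a defender would want around that token: the session records the requesting module, the token entity maps the token to that module, the callback redirects via deep link, and the exchange step rejects tokens that are unknown, expired, already used or presented by a different module. A random `state` value is also echoed through the deep link so the app can check that the link it was opened with belongs to the login it started.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed custom URL scheme registered by the mobile app (hypothetical name).
APP_SCHEME = "myidpapp"
# Assumed lifetime of the one-time mobile token handed back through the deep link.
TOKEN_TTL_SECONDS = 60


@dataclass
class AuthRequest:
    """Session state created when the app opens the system browser (the new session variable)."""
    module: str   # module that made the authentication request
    state: str    # random value echoed back so the app can bind the deep link to this request


@dataclass
class MobileTokenRecord:
    """Entity mapping a one-time mobile token to the module that requested it."""
    module: str
    user: str
    issued_at: float
    used: bool = False


class IdpServer:
    """In-memory stand-in for the IdP server side of the flow (assumed names)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, AuthRequest] = {}
        self.tokens: Dict[str, MobileTokenRecord] = {}

    def start_auth(self, module: str) -> Tuple[str, str]:
        """Step 1: record which module started the login before redirecting to the federation service."""
        session_id = secrets.token_urlsafe(16)
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = AuthRequest(module=module, state=state)
        return session_id, state

    def mobile_close_in_app_point(self, session_id: str, authenticated_user: str,
                                  now: Optional[float] = None) -> str:
        """Step 2: callback screen reached after the (client-certificate) login succeeded.
        Issues a short-lived one-time token bound to the requesting module and
        returns the deep link that brings the app back to the foreground."""
        now = time.time() if now is None else now
        req = self.sessions.pop(session_id)  # one callback per login session
        token = secrets.token_urlsafe(32)
        self.tokens[token] = MobileTokenRecord(module=req.module, user=authenticated_user, issued_at=now)
        query = urlencode({"token": token, "state": req.state})
        return f"{APP_SCHEME}://auth/callback?{query}"

    def exchange_mobile_token(self, token: str, module: str,
                              now: Optional[float] = None) -> Optional[str]:
        """Step 3: the app exchanges the token for its own session.
        Unknown, replayed, expired or wrong-module tokens yield None."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec.used:
            return None
        if now - rec.issued_at > TOKEN_TTL_SECONDS:
            return None
        if rec.module != module:
            return None  # token was issued for another module / app flow
        rec.used = True  # single use: a leaked deep link cannot be replayed
        return rec.user


def parse_deep_link(url: str) -> Dict[str, str]:
    """App side: accept only our own scheme and host, then read token and state."""
    parsed = urlparse(url)
    if parsed.scheme != APP_SCHEME or parsed.netloc != "auth":
        raise ValueError("unexpected deep link")
    return {key: values[0] for key, values in parse_qs(parsed.query).items()}


def run_flow(server: IdpServer, module: str = "CustomerApp", user: str = "benjamin") -> Optional[str]:
    """Whole round trip: app starts login, browser authenticates, deep link returns, app exchanges token."""
    session_id, expected_state = server.start_auth(module)
    link = server.mobile_close_in_app_point(session_id, user)
    params = parse_deep_link(link)
    if params.get("state") != expected_state:
        return None  # the deep link did not come from the login this app started
    return server.exchange_mobile_token(params["token"], module)


if __name__ == "__main__":
    print(run_flow(IdpServer()))
```

The module check in `exchange_mobile_token` is what João's mapping entity buys you: a token minted for one module's login cannot be redeemed by another, and because the token is single-use and short-lived, a deep link that ends up in a browser history or a log is of little value after the app has consumed it.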