Forge Component
Published on 16 Apr by Telmo Martins

Hello,

I’m struggling with the implementation of IDP-Mobile inside our environment.

I’ll try to summarize my findings as precisely as possible (sorry for the long text).


Using following components from Forge:

  • IdP
  • IdPMobile
  • InAppBrowserEvents
  • IdPMobileSample


Environment:

  • Federation Service with SAML 2.0 via NetIQ Access Manager.
  • Authentication via Smartcard (Web) or client certificate (Mobile) preferred.
  • Two fallback solutions: RSA SecurID Token and One-Time-Password (in case a client certificate is not available / not selected by the user)


Goal:

Open Mobile Application and authenticate user via client certificate on Federation Service.

(Authentication for Web Application via Smartcard already works)


Current situation for Mobile:

  • Open URL to Federation Service via Browser (Safari on iOS): 
    • User is asked (via Prompt) for client certificate, after selecting it, User gets authenticated


  • Using the IdPMobileSample App with InAppBrowser target (“_blank”):
    • User is redirected to the Federation Service, the prompt asking for the client certificate is NOT shown, login via fallback (RSA SecurID and One-Time-Password) is possible
    • Didn’t find a way to make the client certificate prompt open in the InAppBrowser window --> not supported?


  • Using the IdPMobileSample App with InAppBrowser target (“_system”):
    • The App opens the local browser, is redirected to the Federation Service, the prompt asking for the client certificate is shown, the User gets authenticated, but the User stays in the Browser.
    • After manually going back to the App, the User is not authenticated inside the App
    • Didn’t find a way to go back to the App with an authenticated login


  • Using the Forge component “Sample Safari View and Custom Chrome Tab”:
    • If I enter the URL of the Federation Service in this sample App, the User is redirected inside the App via the SafariViewController to the Federation Service URL and the prompt for the client certificate is shown
    • No SSO was configured for this yet, it was just to check whether the prompt is shown
    • An additional solution to read the token would also be required (e.g. using a Custom URL Scheme, see below)


Questions:

  • Is there a way to solve the issue with using the InAppBrowser? (A solution for target “_blank” would be preferred)



  • Or is there maybe another solution available to handle the client certificate based authentication?


What are your thoughts about this?

Thanks in advance for your support and contribution.


Kind Regards,

Benjamin

Hi Benny,

From what I understood, the InAppBrowserPlugin does not seem to support the use case for your authentication process.

The main challenge in using a system browser is really to get a callback to the mobile app once the authentication is performed.

I don't believe I've ever used the plugin you mention, but from its documentation it seems that you need something like the Custom URL scheme that you mentioned (i.e. some URL that you enter in the system browser that opens or brings the app to the foreground with some context passed in that URL).

Having that in place, it's quite easy to adapt IdP and IdPMobile to be aligned with that behavior.

Regards

Hi Benjamin,
As I've shared already with you, we've managed to use the IdP component for external authentication on a mobile app with client certificates; let me share with the community what we've done to accomplish that.

We had to change the component to allow the usage of the system browser, as it is the only way of using the client certificates, and after that we also had to change the callback screen (MobileCloseInAppPoint) to redirect us back to the mobile application; for this last part we've used deep links.

The main changes we've done were:

  • Create a new session variable that holds the module that made the authentication request
  • Create a new entity to map the mobile token and the module that made the request, the information about the module comes from the session variable 
  • Change the callback screen MobileCloseInAppPoint to redirect the user back to the application through a deep link.

If anyone has any more questions regarding this, just let me know.

Cheers,

João

Hi João, 

We are currently facing the exact problem that you seem to have solved.

But we can't really work out how you did this. Could you provide us with some more details or an example module?
What does this token consist of? What's in the session variable? ...

Kind regards,

Dieter


Hi Dieter,

Here follows a detailed explanation of what I've done and shared by email with Benjamin:

IdP_Ext 

 - Create a new module to hold a new entity (MobileToken_Ext) to map the generated token with the module that starts the request. We need this entity later on to generate a deep link to go back to the application requesting the external authentication.

Create 2 actions:

 - GenerateDeepLink(token, IsIOS).DeepLink

This action is the one that's going to generate the deep link, and it's going to be used in the MobileCloseInAppPoint screen's preparation for the external URL.

 - MobileTokenExt_Create(MobileTokenId,EspaceName)

This action is used to insert a new record into the new entity.


IdP

 - Create a new Session variable called EspaceName

 - Make the entity MobileToken public

 - Add the just-created MobileTokenId as an output parameter of the action Private>AddMobileToken

 - On the screen DoLogin>Preparation, before going to the external URL, assign the value sent on the URL parameter espaceName to the EspaceName session variable:



 - On the preparation of the IdP screen, in the code specific to mobile, call the MobileTokenExt_Create action from the new espace IdP_Ext and pass as inputs the session variable and the id of the Mobile token just created:



 - Add the following logic to the preparation of the screen MobileCloseInAppPoint:




IdP_Mobile

 - On the web block at IdPMobileFlow>SamlLogin add a new input parameter called Target with the default value Entities.Target.IN_APP_BROWSER and use it as input for the Target input parameter of the InAppBrowser:



 - In the action OnReady of the web block IdPMobileFlow>SamlLogin, if the target is System, add a new URL parameter called espaceName with the value GetEntryEspaceName():



 - Add a new web block called FinishLoginWB that receives a token and that on initialize replicates the same logic we have in the action IdPMobileFlow>SamlLogin>InAppBrowserOnLoadStart:



This web block will then be used in every mobile app to finish the login process and must be placed in a screen called FinishLogin; see below an example in a sample application:



On success, this will redirect the user to the main screen of the application.


One of the benefits of these changes is that both types of authentication work, either System or InAppBrowser.

I'm sending in the attachments all the modules I needed to change and a sample mobile app for you to take a look at and replicate on your side.

Please note that this is a customization to the original component and by doing it you must be really careful whenever you update the component as new changes to it will affect your customized version.

Cheers,

João