[IdP Mobile] Idp mobile SSO scenario in app while loading Sharepoint content

Forge Component
Published on 20 Mar by Telmo Martins
3 votes


We have a mobile app which uses IdP and Azure AD for the authorization of users.
The login works correctly.

The Azure AD login is also used by other applications, like Sharepoint.

Our mobile app loads (video) content from Sharepoint. The video is secured. If the app user has a valid Azure AD IdP session, the user is authenticated for video playback. This authentication is handled by Sharepoint and Microsoft Azure ID in an iFrame in the mobile app.
If for some reason the app user no longer has a valid Azure AD IdP session (e.g. session expired), the user is not able to play back the video. A message is shown with an option to log in. The login link is not working, because it tries to open a popup (from an iFrame). The user is not able to authenticate. The only option for the user is to log out of the app and log in again. This way the Azure AD IdP session is renewed and the authorization for the video works again (SSO).

Asking the user to manually log out and in again before viewing a video is not user friendly.
Which technique can we use to optimize the user experience?

  • Is it possible to validate the user session in Azure AD IdP, so we can redirect the user to a login screen when the session is expired?
  • Is it possible to align the session timeouts for Azure AD (IdP) and the Outsystems app, so the user has to log in manually after expiration?
  • Is it possible to set the session expire time for one app in Outsystems or is this an environment setting for all mobile apps?

How can we improve the user experience in the scenario described?
Any recommendations are appreciated.


We can also use IDP set and web SSO set to get mobile SSO done by Azure AD. Please find the steps below.

SSO using IDP connector 


  • Log in to the IdP configuration page using the URL below:

    https://{your OutSystems environment}/IdP/

    For example: https://xyz.outsystemscloud.com/IdP/

  • Select Identity Provider as Azure AD / ADFS.



Sign in to the Azure Active Directory portal and add the OutSystems Azure AD application from the gallery. 

  • Navigate to Enterprise applications 

  • Click New application. 

  • Search for OutSystems Azure AD. 

  • Select the application and click Add. 



Select SAML as the single sign-on method. 

  • In the OutSystems Azure AD application dashboard click the Single sign-on entry. 

  • Select SAML. 

Set up Single Sign-On with SAML. 

Alternatively, you can upload the metadata file  from the IdP connector. 


You can then configure the IdP connector with the provided information on sections 3 and 4, or upload the Federation Metadata XML file downloaded in the Azure AD application. 



  • In your project, change the Preparation of the NoPermission screen to redirect the user to the URL provided by the IdP_SSO_URL action.


  • Note: if the system contains multiple tenants, the tenant switch has to have been done before calling IdP_SSO_URL. 


Logout Flow 

  • Change LoginInfo web block on Common Flow (Optional: Single-logout). 

  • In a standard OutSystems application the Common Flow is also responsible for handling Logout operation. 

  • By default, the Logout will invalidate the session on the OutSystems application server, but with an IdP SSO scenario many times the logout must also be performed on the IdP Server, redirecting the browser to a specific URL on the IdP SSO server.

  • So, to achieve that, it's necessary to change the Logout default behavior. 

  • If your IdP Server allows a Logout initiated by the SP (IdP Connector), configure the field IdP server Single Logout URL which should be provided by your IdP Server (the IdP Connector will generate the SAML messages to perform a Single-Logout). 

  • Note: Your application shouldn't call the User_Logout or Logout system actions. The IdP connector is the one responsible for that call. 

  • Change the Preparation of the LoginInfo to redirect the user to the URL provided by the IdP Server.

  • If your IdP Server allows a Logout initiated by the SP through SAML messages: call the action IdP_SingleLogout_URL and call the Common\ExternalURL with its output.