Authenticating mobile users against SAML IDP

nshweta picture nshweta · May 13, 2014 · Viewed 14.3k times · Source

I am looking for a solution for - authenticating mobile-app users against SAML IDP, and have got some basic queries (I am new to SAML, OAuth :) ) In this scenario, the flow could be like the mobile user will be authenticated by IDP, the SAML response generated by IDP is sent to Service provider (via mobile browser - Webview). The Service provider will then create a token which will be used by the mobile app for subsequent calls. Is this understanding correct ?

Also, how will the mobile user authenticate at IDP, I mean, should the corresponding IDP should have support for mobile apps? IDP's login screen will be seen on the mobile during login?

In my application, currently, mobile (Rest APIs) user is authenticated against its application's credentials in database. But now the desktop app is incorporating SAML for authentication. So mobile users need to be authenticated against SAML IDP.

Thanks in advance!

Answer

Vladimír Schäfer picture Vladimír Schäfer · May 13, 2014

Yes, your understanding is correct. In order to use SAML IDP with mobile clients you need to go through the same process as on normal clients (AuthnRequest -> Response exchange between SP and IDP). The whole flow can look like this:

  • your mobile application opens WebView which accesses public URL of your SP
  • your SP starts authentication with IDP by sending redirect to the SAML IDP with AuthnRequest
  • user authenticates inside IDP's UI (which should be able to render properly for mobile clients as it's opened using a mobile client)
  • IDP redirects back to your SP with Response
  • your SP application processes Response and generates a token usable with your Rest APIs
  • SP communicates the token back to the mobile application (e.g. using WebViewClient + onPageFinished + cookies, or call to object provided with addJavascriptInterface, or whatever you already use)

In comparison with the usual mobile authentication with IDPs (such as using OAuth 2 for Facebook/Google), SAML is more complicated. With OAuth 2.0 it's easy to extract the authorization token and intercept response by using a custom URL scheme, without need for a web deployed (SP) component. As SAML doesn't support flow similar to "implicit" in Oauth (for security reasons) and because processing of SAML response is much more complex (due to XML signatures, XML encryption, ...), this approach is not feasible when using SAML.