I am looking for a solution for - authenticating mobile-app users against SAML IDP, and have got some basic queries (I am new to SAML, OAuth :) ) In this scenario, the flow could be like the mobile user will be authenticated by IDP, the SAML response generated by IDP is sent to Service provider (via mobile browser - Webview). The Service provider will then create a token which will be used by the mobile app for subsequent calls. Is this understanding correct ?
Also, how will the mobile user authenticate at IDP, I mean, should the corresponding IDP should have support for mobile apps? IDP's login screen will be seen on the mobile during login?
In my application, currently, mobile (Rest APIs) user is authenticated against its application's credentials in database. But now the desktop app is incorporating SAML for authentication. So mobile users need to be authenticated against SAML IDP.
Thanks in advance!
Yes, your understanding is correct. In order to use SAML IDP with mobile clients you need to go through the same process as on normal clients (AuthnRequest -> Response exchange between SP and IDP). The whole flow can look like this:
In comparison with the usual mobile authentication with IDPs (such as using OAuth 2 for Facebook/Google), SAML is more complicated. With OAuth 2.0 it's easy to extract the authorization token and intercept response by using a custom URL scheme, without need for a web deployed (SP) component. As SAML doesn't support flow similar to "implicit" in Oauth (for security reasons) and because processing of SAML response is much more complex (due to XML signatures, XML encryption, ...), this approach is not feasible when using SAML.