SAML/SSO support for mobile app

Bogdan Kiselitsa shared this question 5 months ago
Answered

Hi,


Thanks to the SAML Bridge extension, we have pretty good and modern support for SAML-based SSO services (e.g. Okta Cloud). However, there currently seems to be no way for the Yellowfin Mobile App to integrate with this kind of system. If it could be modified to speak to the SAML bridge (e.g. dologin.jsp) that would really improve the value proposition there.


Regards,

Bogdan.

Comments (17)

Hi Bogdan,

Just letting you know that we've actually got a SAML adapter somewhere over here that one of the developers recently created, it's a JSP (I think), and I'll try and dig it up and then send it across to you....


regards,

David

Hi Bogdan,


Turns out that it is already available from our Marketplace (in the Connectors list)!

Please keep in mind that it is just an example, however, it should be enough to get you going.


regards,

David

Hi Dave,


Yeah that's the SAML Bridge that I was referring to. However, I can't see any way of getting it to work with the Yellowfin Mobile app.


Is there something I'm missing?


Regards,

Bogdan.

Hi Bogdan,


apologies....it turns out that the developer who wrote that bridge says you shouldn't be using it to connect to the Mobile App. He says that you will need to have a discussion with our Mobile App developer. However, unfortunately he is away at the moment but he is due back in a few weeks, when he is back I will organise a meeting between you two.


regards,

David

Hi Dave,


Thanks for that, appreciate it.


Regards,

Bogdan.

Hi Bogdan,


just keeping you updated on this ticket....the developer has returned to work this week and I've asked him when he could have a meeting with you, now just waiting on his response, so it shouldn't be long now...although do keep in mind that he's been away 3 whole months so might have a bit of catching up to do first.


regards,

David

Hello again Bogdan,


the mobile apps developer asks that you please have a read through his documentation and jsp examples (attached) first....you never know, the info you're seeking might be there....and if it's not then just let us know and we'll then go ahead and organise a meeting.


regards,

David

Hi Bogdan,

I'm just cleaning up my worklist and I noticed that this ticket has been in "Awaiting Reply" mode for over a month now.

How did you get on with that documentation? Was it enough to help you? Or would you still like me to arrange a meeting between you and the developer?

regards,

David

Hi Bogdan,

I'm just cleaning up my worklist and I noticed that this ticket has been in "Awaiting Reply" mode for over 2 months now.

How did you get on with that documentation? Was it enough to help you? Or would you still like me to arrange a meeting between you and the developer?

regards,

David

Hi Dave,

Sorry, I've been overseas for a while, and then working on other projects.

Thanks for the info. Reading over it, a few questions come to mind:

- It seems like the app still prompts for username and password and client ref, then the JSP listed in can do secondary auth or signon. Is that right?

Ideally we want the user to be logged in automatically to the right tenant based on the connection config.

Hi Bogdan,

working overseas...different projects....sounds great!

The mobile apps developer has responded - I hope it helps:

---------------------------------------------------------------


With the mobile SSO flag set in the database, the iOS app will redirect to a custom JSP that the client specifies, and they can program it to do whatever they want.

With this flag set you don't have to fill out the username and password in the actual mobile app; you just need to set up the instance URL, and once the app loads it automatically goes to that JSP.

Having said that, if you do put in a username or password, these will be passed to the custom JSP via parameters, which you can access like this:


String mobileUsername = request.getParameter("mobileUsername") == null ? "" : request.getParameter("mobileUsername");


Once the app has redirected to this page, the client can do anything with the JSP page as long as it returns the SSO token to the app.

So you could do something like get the user to enter their username and password, then look up which client org they are in, sign them into that automatically, and then return the token.


regards,

David

Hi, thanks for that.


While we can certainly put in a username at the SSO landing page to look up the tenant, it kind of defeats the point of the SSO. Right now with the SAML Bridge, we can login automatically just by visiting the URL for the relevant tenant. If we could set that same URL into the app connection settings, it could still launch the token to the app via iframe just like the documentation sample. But right now there seems to be no good way to do seamless SSO in a multi-tenant environment.

Regards,

Bogdan.

Hi Bogdan,

the dev responds:


We would really need to see how their SAML setup worked, but at this stage you can't have an individual URL per user if you have the mobile SSO token turned on. They could just have the same URL but change the username for each user and then the SSO JSP write something to sign them into the correct ip org.


regards,

David
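
Added example, not part of the original thread and not Yellowfin code: one way the custom JSP described in the two developer replies above could map the app-supplied mobileUsername to a client org. It assumes e-mail style usernames and a server-side domain-to-org table, and treats the parameter only as a routing hint, since it is client-supplied; the class name, mapping and sample values are hypothetical.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

/** Added example: resolves a client org from the mobileUsername request parameter. */
public class ClientOrgResolver {

    // Conservative shape check for an e-mail style username (assumption).
    private static final Pattern USERNAME =
            Pattern.compile("^[a-z0-9._%+-]{1,64}@([a-z0-9-]+\\.)+[a-z]{2,}$");

    private final Map<String, String> domainToClientOrg;

    public ClientOrgResolver(Map<String, String> domainToClientOrg) {
        this.domainToClientOrg = Map.copyOf(domainToClientOrg);
    }

    /** Returns the client org reference, or empty if the value is unusable. */
    public Optional<String> resolve(String mobileUsername) {
        if (mobileUsername == null) {
            return Optional.empty();
        }
        String name = mobileUsername.trim().toLowerCase(Locale.ROOT);
        if (name.length() > 254 || !USERNAME.matcher(name).matches()) {
            return Optional.empty(); // malformed input never reaches the lookup
        }
        String domain = name.substring(name.lastIndexOf('@') + 1);
        // Only the server-side table decides the tenant; unknown domains fail closed.
        return Optional.ofNullable(domainToClientOrg.get(domain));
    }

    public static void main(String[] args) {
        // Constructed sample mapping and inputs; in the JSP the input would be
        // request.getParameter("mobileUsername").
        ClientOrgResolver resolver = new ClientOrgResolver(Map.of(
                "acme.example", "ACME", "globex.example", "GLOBEX"));
        String[] samples = {" Alice@ACME.example ", "bob@globex.example",
                "eve@unknown.example", "x@acme.example@globex.example", null, ""};
        for (String s : samples) {
            System.out.println(s + " -> " + resolver.resolve(s).orElse("(rejected)"));
        }
    }
}
```

The resolved org only selects which tenant's sign-on to start; the user still has to authenticate before the JSP returns the SSO token to the app.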

Hi Bogdan,


just cleaning up my work list and noticed this ticket is still open and has the "Awaiting Reply" status. So please let me know how you went with this and whether you would like the ticket closed or not.

thanks,

David

Hi Dave,

I think that will do for now, as I won't have time to follow this up further for some time.

However, I think this should be passed on to your product teams to consider as a proper integrated solution going forward. Protocols like SAML2 and OAuth 2 / OpenID Connect are becoming the preferred way to do Auth on the Internet, so it's something you guys should be considering as an integrated product offering quite seriously, in my opinion.

Regards,

Bogdan.

Hi Bogdan,

OK thanks for that. And I have raised a Community Idea (5605) about your suggestions for protocols to integrate with for authentication on the internet.

regards,

David

Thanks Dave.

Cheers,

Bogdan.