Authenticating mobile users against SAML IDP

Backend · unresolved · 1 answer · 1369 views
一向 2020-12-13 10:35

I am looking for a solution for authenticating mobile-app users against a SAML IDP, and have got some basic queries (I am new to SAML and OAuth :) ). In this scenario, the flow

1 answer
  • 2020-12-13 10:56

    Yes, your understanding is correct. In order to use a SAML IDP with mobile clients you need to go through the same process as on normal clients (AuthnRequest -> Response exchange between SP and IDP). The whole flow can look like this:

    • your mobile application opens a WebView which accesses the public URL of your SP
    • your SP starts authentication with the IDP by sending a redirect to the SAML IDP with an AuthnRequest
    • the user authenticates inside the IDP's UI (which should be able to render properly for mobile clients, as it's opened using a mobile client)
    • the IDP redirects back to your SP with a Response
    • your SP application processes the Response and generates a token usable with your REST APIs
    • the SP communicates the token back to the mobile application (e.g. using WebViewClient + onPageFinished + cookies, or a call to an object provided with addJavascriptInterface, or whatever you already use)

    In comparison with the usual mobile authentication with IDPs (such as using OAuth 2 for Facebook/Google), SAML is more complicated. With OAuth 2.0 it's easy to extract the authorization token and intercept the response by using a custom URL scheme, without the need for a web-deployed (SP) component. As SAML doesn't support a flow similar to "implicit" in OAuth (for security reasons), and because processing of a SAML Response is much more complex (due to XML signatures, XML encryption, ...), this approach is not feasible when using SAML.

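The SP side of the flow in the answer above, as an added Python example (not code from the original post or from any project): it builds the AuthnRequest for the HTTP-Redirect binding that the WebView is sent to, validates the Response POSTed back to the ACS (InResponseTo against a pending request, Destination, status, the XML signature via an injected verifier, Issuer, bearer SubjectConfirmationData, validity window, Audience) and issues the opaque token the mobile app then uses with the REST APIs. All entity IDs, URLs, the fixed clock and the sample IDP Response are assumptions constructed for the demo. XML-DSig verification is delegated to a `verify_signature` hook because it needs a library such as signxml or python3-saml; the hook that returns True in `run_demo` exists only so the demo runs offline and must never be used in a deployment.

```python
import base64, secrets, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical deployment identifiers, assumed for this example (not from the original post).
SP_ENTITY_ID, ACS_URL = "https://sp.example.com/metadata", "https://sp.example.com/saml/acs"
IDP_ENTITY_ID, IDP_SSO_URL = "https://idp.example.com/metadata", "https://idp.example.com/sso"
DEMO_NOW = datetime(2020, 12, 13, 10, 35, tzinfo=timezone.utc)      # fixed clock for the offline demo

class SamlError(Exception):
    pass

def fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_instant(s):   # SAML instants are UTC; fractional seconds (emitted by some IDPs) are dropped
    try:
        return datetime.strptime(s.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    except (AttributeError, ValueError):
        raise SamlError("missing or malformed timestamp")

class ServiceProvider:
    """SP half of the flow: emit the AuthnRequest, validate the Response, issue a token for the REST APIs."""
    def __init__(self, verify_signature, now=lambda: datetime.now(timezone.utc)):
        # verify_signature(response_bytes) -> bool must do real XML-DSig validation against the IDP's
        # certificate (e.g. with signxml or python3-saml); XML-DSig cannot be done with the stdlib alone.
        self.verify_signature, self.now = verify_signature, now
        self.pending, self.sessions = {}, {}   # outstanding AuthnRequest IDs; token -> (subject, expiry)

    def start_login(self):
        """Return (request ID, URL to load in the WebView) using the SAML HTTP-Redirect binding."""
        rid = "_" + secrets.token_hex(16)
        req = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{rid}" '
               f'Version="2.0" IssueInstant="{fmt(self.now())}" Destination="{IDP_SSO_URL}" '
               f'AssertionConsumerServiceURL="{ACS_URL}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
               f'</samlp:AuthnRequest>')
        self.pending[rid] = self.now()               # kept so the Response's InResponseTo can be matched
        c = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE (no zlib header), as the binding requires
        deflated = c.compress(req.encode()) + c.flush()
        return rid, IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

    def consume_response(self, saml_response_b64):
        """Validate the SAMLResponse POSTed to the ACS; return an API token or raise SamlError."""
        raw = base64.b64decode(saml_response_b64)
        root, now = ET.fromstring(raw), self.now()   # production: parse with defusedxml (XXE, entity bombs)
        rid = root.get("InResponseTo")
        if root.tag != f"{{{NS['samlp']}}}Response" or root.get("Destination") != ACS_URL:
            raise SamlError("not a Response addressed to this ACS")
        if rid not in self.pending:
            raise SamlError("unsolicited or replayed Response")
        del self.pending[rid]                         # exactly one Response per AuthnRequest
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            raise SamlError("IDP reported failure")
        if not self.verify_signature(raw):
            raise SamlError("bad or missing XML signature")
        a = root.find("saml:Assertion", NS)           # an EncryptedAssertion would need decrypting first
        if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise SamlError("missing Assertion or unexpected Issuer")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if (scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != rid
                or parse_instant(scd.get("NotOnOrAfter")) <= now):
            raise SamlError("bearer SubjectConfirmationData rejected")
        cond = a.find("saml:Conditions", NS)
        if (cond is None or parse_instant(cond.get("NotBefore")) > now
                or parse_instant(cond.get("NotOnOrAfter")) <= now):
            raise SamlError("Assertion outside its validity window")
        if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
            raise SamlError("Audience is not this SP")
        name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
        if not name_id:
            raise SamlError("no NameID")
        return self.mint_token(name_id)

    def mint_token(self, subject, ttl=timedelta(hours=1)):
        # Opaque bearer token: the WebView hands it to the app (e.g. via a cookie), the REST APIs look it up.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (subject, self.now() + ttl)
        return token

    def verify_token(self, token):   # what the REST API layer calls: subject for a live token, else None
        entry = self.sessions.get(token)
        return entry[0] if entry and entry[1] > self.now() else None

def constructed_idp_response(rid, now, audience=SP_ENTITY_ID):
    """Constructed, unsigned IDP Response for the offline demo (a real one carries an XML-DSig)."""
    until = fmt(now + timedelta(minutes=5))
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
           f'IssueInstant="{fmt(now)}" Destination="{ACS_URL}" InResponseTo="{rid}"><saml:Issuer>{IDP_ENTITY_ID}'
           f'</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{fmt(now)}"><saml:Issuer>{IDP_ENTITY_ID}'
           f'</saml:Issuer><saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation '
           f'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="{ACS_URL}" '
           f'InResponseTo="{rid}" NotOnOrAfter="{until}"/></saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{fmt(now - timedelta(minutes=1))}" NotOnOrAfter="{until}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def run_demo():
    """Offline walk-through on the fixed clock: a good login, then the same Response replayed."""
    sp = ServiceProvider(verify_signature=lambda raw: True, now=lambda: DEMO_NOW)   # demo-only hook
    rid, url = sp.start_login()
    response = constructed_idp_response(rid, DEMO_NOW)
    subject = sp.verify_token(sp.consume_response(response))
    try:
        sp.consume_response(response)                 # same InResponseTo again: must be refused
        replay_rejected = False
    except SamlError:
        replay_rejected = True
    return {"redirect_ok": url.startswith(IDP_SSO_URL + "?SAMLRequest="), "subject": subject,
            "replay_rejected": replay_rejected}
```

`run_demo()` returns the accepted subject and confirms that the same Response is refused the second time because its InResponseTo was consumed. The WebView handoff from the answer (cookie or addJavascriptInterface) is what carries the returned token to the app and is not shown here; on the REST side, `verify_token` is what each API call would run. The order of checks matters: nothing from the Assertion is trusted before the signature hook has passed, and the pending request ID is deleted before any later check so that a failed attempt cannot be retried with the same ID.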