Question
Trying to set up the flow of SSO inside a mobile app. Here is what the flow is:
- SP resource URL is presented to CustomChromeTabs (Android)
- SP redirects to IDP for authentication
- IDP presents login screen
- User adds credentials and submits them back to the IDP
- IDP checks the credentials and sends back a SAML Assertion to the SP
- SP processes the response and, as it trusts the IDP, converts the SAML Assertion to an access token
- SP redirects the token back to the mobile app. CustomChromeTab stores it in a cookie for further resource requests
Problem
- Due to security issues, storing access token inside a cookie is not advisable
Solution
- Store the encrypted SAML assertion inside the secured Android keystore system
Questions
- Is it possible to store SAML assertions on the client side (here the mobile app) and use them later to get an access token from the SP?
- How do expirations of these SAML Assertions work?
Source: https://stackoverflow.com/questions/60359761/storing-saml-assertion-on-mobile-app-and-use-them-for-user-session
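As an added example (not code from the question's author), this is the time-window check a client would need before keeping an assertion around: in SAML 2.0 the `Conditions` `NotBefore`/`NotOnOrAfter` attributes bound the whole assertion, and a bearer `SubjectConfirmationData` `NotOnOrAfter` usually expires sooner and applies as well. The assertion XML, hosts and timestamps are constructed for this example, and signature verification is assumed to happen separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (ids, hosts and times are made up for this example).
# A real assertion also carries a ds:Signature that must be verified first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.test/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:10:00Z"/>
</saml:Assertion>"""


def _utc(ts):
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z into an aware UTC datetime."""
    if isinstance(ts, datetime):
        return ts.astimezone(timezone.utc)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def validity_window(assertion_xml):
    """Return (not_before, not_on_or_after): the tightest window the assertion allows.

    Conditions bound the whole assertion; a bearer SubjectConfirmationData usually
    expires sooner (minutes) and applies as well, so the earliest end time wins."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    not_before = _utc(cond.get("NotBefore")) if cond is not None and cond.get("NotBefore") else None
    ends = [cond.get("NotOnOrAfter")] if cond is not None and cond.get("NotOnOrAfter") else []
    path = "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"
    ends += [scd.get("NotOnOrAfter") for scd in root.findall(path, SAML_NS) if scd.get("NotOnOrAfter")]
    return not_before, (min(_utc(e) for e in ends) if ends else None)


def is_usable(assertion_xml, now, skew_seconds=0):
    """True only if `now` (datetime or ISO string) lies inside the validity window,
    tolerating `skew_seconds` of clock drift. Anything that fails this check must be
    dropped from the device, not kept for a later exchange with the SP."""
    not_before, not_on_or_after = validity_window(assertion_xml)
    now, skew = _utc(now), timedelta(seconds=skew_seconds)
    if not_before is not None and now + skew < not_before:
        return False
    if not_on_or_after is not None and now - skew >= not_on_or_after:
        return False
    return True
```

Note that `NotOnOrAfter` is exclusive, so an assertion is already unusable at exactly that instant, and the bearer confirmation window (five minutes here) ends well before the assertion's own ten-minute window.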