Setting Up SSO and WebIdentity in MobileFirst Platform - ibm-mobilefirst

I am trying to make an app using Ionic in MobileFirst.
The web application has both SSO and WebIdentity (LDAP) for the login functionality....
How should I approach this for the hybrid mobile app?

I do not believe there is a direct relation between using LDAP in IBM MobileFirst Platform and using SSO in IBM MobileFirst Platform.
SSO in MFP allows you to automatically log in to app2 if you have already logged in to app1.
So assuming you are able to log in to app1 via LDAP (which is server-side anyway, to check your credentials against a list of users), and assuming you have correctly set up both apps for SSO, it should work.
Read about setting up SSO: http://www.ibm.com/support/knowledgecenter/SSHS8R_7.1.0/com.ibm.worklight.dev.doc/devref/c_device_single_sign_on.html

Related

Google Identity Platform SAML setup for mobile applications

I have successfully set up SAML on my react web app with Google Identity Platform and the redirection works when logging in with my test account with Okta(Identity Provider). There is no documentation for mobile SAML setup for Google Identity Platform. Is there any way to set this up or customize the redirect behavior so that it redirects to a mobile URL scheme? (for example, my-apps-bundle-id://saml-sign-in)
It's not yet supported by Firebase for native apps. The "classic" approach is to use a secure equivalent of a web view: SFSafariViewController in iOS 9+ or Chrome Custom Tabs in Chrome 45+.

IBM MobileFirst SSO not working

I have two apps on my emulator device that go against the same SecurityCheck adapter for authentication. I can successfully log in from both my apps. But my SSO is not working. If I log in from my first app and after that I open the second app, the second app still requires login, and vice versa.
I have followed the steps explained in this tutorial:
https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security/device-sso/

authenticate from a website to an azure mobile app service

I have an Azure Mobile App service that I use with my (Cordova and Xamarin) mobile apps. The URL for the Mobile App service is https://gonzo.azurewebsites.net/ (not the real URL). I want to create a website (ASP.NET Core 2.0 Web App) that connects to my Azure Mobile App service, just like my apps do. I tried publishing it to the gonzo URL but that overwrote my mobile app service and thus I had to restore it. I’d love to know if there is a way to actually make that work.
My next step was to create the website and use a different URL, https://kermit.azurewebsites.net/. I use social authentication for my mobile app service. When I debug it locally against localhost, everything works perfectly. The problem that I’m running into is that when I try to log in from the published website, regardless of the auth provider (Facebook, Microsoft, Google), instead of getting to the login UI supplied by the login provider, I get a 403 with the URL looking something like this: https://gonzo.azurewebsites.net/.auth/login/facebook/callback?code=long-code.
I thought this can be fixed by allowing the kermit origin in my Azure Mobile App service in CORS. I even tried setting CORS to allow all hosts (*) but that didn’t make a difference. Any idea how to make this work?
I want to create a website (ASP.NET Core 2.0 Web App) that connects to my Azure Mobile App service, just like my apps do. I tried publishing it to the gonzo URL but that overwrote my mobile app service and thus I had to restore it. I’d love to know if there is a way to actually make that work.
Based on your requirement, I assume that you could deploy your .NET Core 2.0 Web App along with your mobile app; at this point your two applications could share the authentication. For a detailed tutorial, you could follow Deploying multiple virtual directories to a single Azure Website.
The problem that I’m running into is that when I try to login from the published website, regardless of the auth provider (facebook, Microsoft, google), instead of getting to the login UI supplied by the login provider, I get a 403 with the URL looking something like this: https://gonzo.azurewebsites.net/.auth/login/facebook/callback?code=long-code.
According to your description, you are using App Service Authentication / Authorization. I would recommend you directly access https://<your-mobile-app-name>.azurewebsites.net/.auth/login/<provider-name> via the browser to make sure you have successfully set up the authentication for your mobile app.
If I understand you correctly, you want to create another Azure Web App to host your .NET Core 2.0 website, and your website wants to connect with your mobile app. Here are some approaches you could refer to:
For accessing mobile app in the front-end of your .Net Core web app
You could leverage the JavaScript SDK for Azure Mobile Apps in your .NET Core web app to access your mobile app. For details, you could follow here. Additionally, if your website would also enable App Service Authentication, you could just send GET https://<your-netcore-webapp-name>.azurewebsites.net/.auth/me to retrieve the access_token, then use client-managed authentication for logging in to your mobile app in the front-end of your .NET Core website.
For accessing mobile app in the back-end of your .Net Core web app
I assume that your .NET Core web app would also need to enable social authentication via App Service Authentication / Authorization, and in the back-end of your website you could retrieve the access_token for the currently logged-in user, then use client-managed authentication for logging in to your mobile app. The login request would look like this:
POST https://<your-mobile-app-name>.azurewebsites.net/.auth/login/<provider-name>
Payload: {"access_token":"<the-access-token-for-the-specific-social-provider>"}
Moreover, for retrieving the logged-in user's info (including the access_token, etc.) from App Service Authentication / Authorization (EasyAuth), you could follow this issue.
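The client-managed exchange described in the answer above, as an added example that is not part of the answer or of the Azure SDK: the provider token is picked out of a /.auth/me response and posted to /.auth/login/<provider-name>, and the returned authenticationToken is what later requests carry. The HTTP call is injected so the code runs offline against a constructed fake; the hostnames and token values are placeholders.

```javascript
// Pick the provider token out of a /.auth/me response (an array, one entry per provider).
function extractProviderToken(meJson, providerName) {
  if (!Array.isArray(meJson)) throw new Error("/.auth/me did not return an array");
  const entry = meJson.find((e) => e.provider_name === providerName);
  if (!entry || typeof entry.access_token !== "string") {
    throw new Error(`no access_token for provider ${providerName}`);
  }
  return entry.access_token;
}

// Build the POST shown in the answer: /.auth/login/<provider-name> with the token in the body.
// The host check keeps a provider token from being posted anywhere but an App Service host.
function buildLoginRequest(mobileAppHost, providerName, accessToken) {
  if (!/^[a-z0-9-]+\.azurewebsites\.net$/i.test(mobileAppHost)) {
    throw new Error("refusing to send a provider token to an unexpected host");
  }
  return {
    url: `https://${mobileAppHost}/.auth/login/${encodeURIComponent(providerName)}`,
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ access_token: accessToken }),
  };
}

// Exchange the provider token for the mobile app's own session token.
// httpPost(req) -> { status, body } is injected so this can be exercised without a network.
function loginToMobileApp(httpPost, mobileAppHost, providerName, meJson) {
  const accessToken = extractProviderToken(meJson, providerName);
  const res = httpPost(buildLoginRequest(mobileAppHost, providerName, accessToken));
  if (res.status !== 200) throw new Error(`login failed with HTTP ${res.status}`);
  const body = JSON.parse(res.body);
  if (typeof body.authenticationToken !== "string") {
    throw new Error("login response lacks authenticationToken");
  }
  // Later calls to the mobile app send this value in X-ZUMO-AUTH, never the provider token.
  return { zumoAuth: body.authenticationToken, userId: body.user && body.user.userId };
}

// Constructed sample /.auth/me payload (placeholder values, not real tokens).
const SAMPLE_ME = [{ provider_name: "facebook", access_token: "fb-token-placeholder", user_id: "u1" }];

// Constructed fake transport standing in for the mobile app's /.auth/login endpoint.
function fakeHttpPost(req) {
  const ok = req.method === "POST" && JSON.parse(req.body).access_token === "fb-token-placeholder";
  return ok
    ? { status: 200, body: JSON.stringify({ authenticationToken: "zumo-placeholder", user: { userId: "sid:abc" } }) }
    : { status: 401, body: "{}" };
}
```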

MobileFirst 8 Security issue in Web SDK

We have noticed a security breach when implementing/testing the authentication module with MFP 8.0.
We are building a MobileFirst 8 web-based app using the MFP Web SDK, and we implemented the security check as per the credentials validation security check:
https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security/credentials-validation/
On the client side, after a user is authenticated, we found out that the MFP Web SDK is using LocalStorage to save the following entries:
com.mfp.browser.uniqueid, com.sample.pincodeweb.com.mfp.oauth.application.data and com.sample.pincodeweb.com.mfp.oauth.clientid
The problem is that when we took the clientid key/value pair from an authenticated user's browser and inserted it in a whole new, different browser, unfortunately we found out that the user is fully authorized and authenticated in the new browser even though we didn't provide any user credentials and were not redirected to login.
We have tried it on the PinCode sample:
https://github.com/MobileFirst-Platform-Developer-Center/PinCodeWeb/tree/release80
Even the user authentication shares the same problem.

How to authenticate in an SAP hybrid app against SMP and a backend system with different users?

The situation is as follows:
An SAP on-premise system is connected over the cloud connector to SAP HCP.
In the cloud version of the SAP Mobile Platform (SMP) I configured the system.
I have a hybrid app (using the SAP Kapsel SDK) and try to connect to
a) SMP itself (registering)
b) also the real backend system with the data needed
The user name for SMP and the backend system is not the same.
Does anyone have a good tutorial / documentation link on how to set this up correctly?
I found a very good tutorial about the Kapsel plugins:
- https://blogs.sap.com/2016/10/20/getting-started-kapsel-part-1-sp13/
With a trial account and a trial backend account (same user name) it seems to work somehow. But in my situation it is more complex.
Problem in other words (Edit):
I am searching for a way to use the user and password from the on-premise system to authenticate against HCPms over a hybrid app.
May I ask why you require two different users at all? From a usability point of view, it is very awkward for a user to give two sets of credentials for an app. I'd typically recommend either to
configure SCIM in Mobile Services. This would allow you to register with Mobile Services using your back-end credentials
configure no-auth in Mobile Services. While users still need to give their credentials for back-end access, they can register with Mobile Services without credentials at all
The rest depends on your back-end configuration. For example, if it requires Basic auth, configure your back-end connection accordingly and leave the user/password fields empty. When you supply those with your client requests, they will be forwarded to your back-end.
Edit: I misread the question and thought you were using "SAP Cloud Platform Mobile Service", the cloud equivalent of the SAP Mobile Platform. The answer basically remains the same, only the terminology changes (italic):
configure HTTP(s)-based Basic Authentication SSO in Mobile Platform. This would allow you to register with Mobile Platform using your back-end credentials.
configure no-auth in Mobile Platform. While users still need to give their credentials for back-end access, they can register with Mobile Platform without credentials at all
Either way, SCIM for Mobile Service is described in the documentation, and so is Basic authentication for Mobile Platform.