Overview
MaaS360 integrates with IBM Cloud Identity (CI), an Identity and Access Management (IAM) service delivered as SaaS (Identity as a Service, IDaaS) that provides Single Sign-On (SSO) across SaaS applications for users on mobile and desktop devices. The MaaS360 and Cloud Identity integration lets IT administrators provision third-party cloud applications to end users, who can then log in to these apps with a click of a button.
Key feature:
Users authenticate once to Cloud Identity and do not have to enter credentials in each app.
Note: Mobile devices must run Android 5.0 (Lollipop) or later.
Steps to configure and perform SSO:
Step 1: Provision a Cloud Identity instance from the MaaS360 Portal:
- Log in to the MaaS360 Portal.
- MaaS360 lets you create a new Cloud Identity tenant. If you do not see the Cloud Identity service, contact MaaS360 support to enable it for your portal.
- Enable Identity and Access Management and IBM Cloud Identity Essentials for identity linking.
- Click the Configure button to proceed.
- Administrators choose a tenant name, enter their IBM ID, and create a new Cloud Identity tenant.
Step 2: Add cloud applications to IBM Cloud Identity (CI):
- Log in to Cloud Identity (CI) using the hostname (also called the tenant) created in Step 1.
- Add the application for which you want to configure SSO.
- CI provides a large catalog of applications; search for the one you need. This example adds the PagerDuty application.
- CI acts as the Identity Provider (IdP) for all apps. Every user authenticates to the IBM Cloud Identity service before being granted access to these cloud applications, and uses the same credential to access all of them.
- CI relies on the SAML capabilities of cloud applications for IdP authentication. When a user tries to access a cloud application, the application redirects the user to CI for SAML authentication before allowing the user into the application.
- CI provides pre-defined connectors that set up Cloud Identity as the Identity Provider for hundreds of cloud applications. Administrators can quickly search for and add the applications they have licensed to their Cloud Identity portal.
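The SAML exchange described in this step, as an added example in Python that is not IBM's or this page's code: the app (service provider) builds an AuthnRequest and sends the user to CI with the HTTP-Redirect binding, and when CI posts the Response back it checks Destination, InResponseTo, Issuer, AudienceRestriction and the validity window before trusting the NameID. The entity IDs and hostnames (app.example.com, ci-tenant.example.com) and the sample Response are constructed placeholders; in a real deployment the values come from the connector's metadata.

```python
"""Added example, not IBM's code: SP-initiated SAML 2.0 flow between an app and IBM
Cloud Identity (IdP). All hostnames, entity IDs and the response are placeholders."""
import base64
import uuid
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

# Hypothetical identifiers for the app (service provider) and the CI tenant.
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
ACS_URL = "https://app.example.com/saml/acs"
IDP_ENTITY_ID = "https://ci-tenant.example.com/saml/idp"
IDP_SSO_URL = "https://ci-tenant.example.com/saml/sso"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def saml_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(now, request_id=None):
    """The app builds an AuthnRequest naming itself as Issuer and its ACS URL."""
    request_id = request_id or "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{saml_time(now)}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, xml


def redirect_url(authn_request_xml, relay_state="/"):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw deflate, no zlib header
    deflated = c.compress(authn_request_xml.encode()) + c.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_saml_request(url):
    """What the IdP does on arrival: undo the encoding above."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def sample_response(request_id, now, audience=SP_ENTITY_ID, name_id="alice@example.com"):
    """Constructed, unsigned stand-in for the Response CI would POST to the ACS."""
    nb, noa = saml_time(now - timedelta(minutes=2)), saml_time(now + timedelta(minutes=5))
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{saml_time(now)}" '
            f'Destination="{ACS_URL}" InResponseTo="{request_id}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{saml_time(now)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}" '
            f'NotOnOrAfter="{noa}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            '</saml:Assertion></samlp:Response>')


def validate_response(response_xml, expected_request_id, now):
    """SP-side checks binding an assertion to this app and this login attempt;
    returns (name_id, errors), name_id being None unless all checks pass. The
    XML-DSig signature must already have been verified against the IdP cert from
    CI's metadata (needs an xmlsec-backed library, deliberately not shown)."""
    errors, root = [], ET.fromstring(response_xml)
    if root.get("Destination") != ACS_URL:
        errors.append("destination")
    if root.get("InResponseTo") != expected_request_id:
        errors.append("in_response_to")  # rejects replayed or unsolicited responses
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, errors + ["no_assertion"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        errors.append("issuer")
    cond = assertion.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if None in (nb, noa) or not (parse_time(nb) <= now < parse_time(noa)):
        errors.append("time_window")
    if SP_ENTITY_ID not in [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]:
        errors.append("audience")  # assertion was minted for a different app
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_request_id
            or scd.get("NotOnOrAfter") is None or now >= parse_time(scd.get("NotOnOrAfter"))):
        errors.append("subject_confirmation")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return (name_id if not errors else None), errors


if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    rid, req = build_authn_request(now)
    assert decode_saml_request(redirect_url(req, "/dashboard")) == req
    print(validate_response(sample_response(rid, now), rid, now))
```

The one check the example leaves out is the XML signature over the Response or Assertion: it must be verified against the IdP certificate published in the CI tenant's metadata (with an xmlsec-backed SAML library) before any field above is read, otherwise none of the other checks mean anything. The AudienceRestriction and InResponseTo checks are what stop an assertion CI issued for one connector's app from being replayed against another, or an unsolicited assertion from being accepted.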
Step 3: Configure cloud applications for SSO:
- Configure Single Sign-on (SSO):
- The app connectors added to the Cloud Identity portal (Step 2) give administrators step-by-step instructions for setting up each cloud application to use CI as its Identity Provider. These steps are typically carried out in the third-party app's own admin portal.
- Each connector is developed to integrate with a specific cloud application.
- CI has hundreds of such pre-defined connectors for various cloud applications.
- CI requires you to enter application-specific information such as company name, domain name, and the list of apps in the suite to complete the integration.
- Once you have configured SSO for your application, update the hostname entry under the General tab. This is the hostname users enter on the device in Step 7.
- Save your changes.
- Now that your cloud apps are configured for SSO through Cloud Identity, it is time to deploy the apps to devices.
Step 4: Add apps to MaaS360 and enable Enterprise SSO
- To add an Android app to MaaS360, go to the Apps tab > Add > Android > Google Play App.
- In the dialog box that appears, search for the app under the App Details tab.
- Under the Policies and Distribution tab, check Enable Enterprise single sign-on. This option makes the app eligible to participate in SSO and conditional access in MaaS360 policies.
- Click the Add button.
- Existing apps already deployed through MaaS360 can be edited to make them participate in SSO and conditional access checks with Cloud Identity.
Step 5: Configure MaaS360 MDM policy:
- Enabling the Enterprise single sign-on option in the app workflow above only makes the app available for selection in the SSO policy in MaaS360.
- By itself, it does not enable SSO on the mobile device.
- Any Android MDM policy can be configured to select these eligible apps for SSO. To allow only selected apps, navigate to the Security tab > Policies > view the Android MDM policy > Single Sign on Settings > SSO Conditional Access.
- Enable Single Sign on Conditional Access.
- The app selector supports auto-complete when a partial app name is entered.
Step 6: Configure SSO Settings on the device:
Configure SSO Settings on Android:
- New users enroll their Android devices in MaaS360 using the standard enrollment process and are assigned a policy that has SSO Conditional Access configured.
- Existing users who are already assigned to a policy receive a policy update with the SSO settings.
- The MaaS360 app on the Android device automatically receives SSO settings pushed by MaaS360 that list all apps participating in SSO. These settings can be found on the device under MaaS360 App >> Settings >> SSO Enabled Apps (MaaS360 app version 6.0).
Step 7: Perform SSO on app on device:
- Open the app and select Sign in with Your Identity Provider.
- Enter the hostname configured for the app in Step 3.