IBM Verify

  • 1.  How to Achieve Mobile App SSO Using IBM Security Verify Access as IDP?

    Posted Sat January 18, 2025 11:45 PM

     I'm currently working on integrating Single Sign-On (SSO) for multiple mobile applications using IBM Security Verify Access (ISVA) as the Identity Provider (IDP). The goal is to authenticate users through ISVA and enable seamless SSO across subsequent apps without requiring re-authentication.

    Objectives

    1. Configure ISVA as the central IDP for mobile app authentication.
    2. Enable mobile applications to authenticate against ISVA.
    3. Leverage SSO for additional apps once the user is authenticated.

    Questions

    • Is it possible to achieve SSO for mobile apps using ISVA?
    • If yes, are there any detailed guides, references, or best practices available for configuring ISVA as the IDP for mobile applications?
    • Are there specific considerations or challenges we should be aware of during this integration?

    Any insights, documentation, or examples from the community would be greatly appreciated. Thanks in advance!



    ------------------------------
    Supun Munasinghe
    ------------------------------


  • 2.  RE: How to Achieve Mobile App SSO Using IBM Security Verify Access as IDP?

    Posted Mon January 20, 2025 10:50 AM

    Hello Supun,

    I don't think this is an issue of ISVA (or any other IDP). More or less, if you are using native apps, you must make sure the apps are relying on some local slo app handling the authentication or the browser. Anyway, depending on how you implement the session handling (e.g. OAuth, OIDC, cookie, etc.), the request sent to the auth server must include a valid token. I've done it for a customer quite a while ago with a central, separate login application. But you could also implement a client with your application. Just in that case you need to find a mechanism for exchanging the token securely between apps. Not sure that's a good idea.



    ------------------------------
    Jens Petersen
    ------------------------------



  • 3.  RE: How to Achieve Mobile App SSO Using IBM Security Verify Access as IDP?

    Posted Mon January 20, 2025 11:11 AM

    Hi Jens,

    Thank you for the insight here. One follow-up question: how can we use ISVA's authentication and MFA services (driven by policies) in a remote application without leaving the app or without having a browser opened up?



    ------------------------------
    Supun Munasinghe
    ------------------------------



  • 4.  RE: How to Achieve Mobile App SSO Using IBM Security Verify Access as IDP?

    Posted Mon January 20, 2025 03:49 PM

    Well, you can use the provided SDK implementing this part of your app. You can use it for push 2FA or for TOTP. Supports rollout as well. Works fine with the existing flows. Have a look at the MMFA cookbook. But you also can implement a podcast or OAuth client with your app. Basically it's well documented and you must just follow the flows. Keep in mind that the client must secure the token.
    In the end the process of authentication at your IDP is independent from your app as long as the app supports the flow. But that's nothing to do with the SSO between the native apps.



    ------------------------------
    Jens Petersen
    ------------------------------



  • 5.  RE: How to Achieve Mobile App SSO Using IBM Security Verify Access as IDP?

    Posted Mon January 20, 2025 05:48 PM

    I can only speak to the iOS realm but I use ISVA for one of our Enterprise Apps and SSO seems to work fine. In fact, it worked so well that I was having difficulty logging out and logging in as a different user (for testing) because it kept picking up my SSO "cookies" once I'd logged in. I found that I could "opt out" of SSO for testing by disabling the "shareSession" parameter to false in the call to the .performSignin method (in SigninViewModel.swift) when invoking the sign-in. That way, each time I started the app for testing I had to log in. It does appear to use some sort of session cookie from what I can tell.

    I can't speak to what our IT Sec folks did in configuration but for me it just worked as they'd configured it and I didn't have to get them to make any changes to whatever they did for setting up SSO in general. Before I figured this out, I pretty much had to either log out of all my other Enterprise stuff completely (which would have been a hassle).

    All of which is to say that SSO works very well from what I can tell with the SDK they provide for iOS. Just make sure that you call the .performSignin method with a TRUE value for the shareSession parameter in the call if you want to do SSO. Once you log in, you'll be "signed in" for that app every time you invoke it until your token(s)/cookies expire. At least that's the way it behaves for me. At that point you'll have to sign in again to get a fresh SSO session. Your IT-Sec folks will set the timeframe they want for expirations.

    FWIW,

    -dB



    ------------------------------
    Don Babcock
    ------------------------------
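
    The session-sharing toggle described in the post above, shown at the platform level with Apple's ASWebAuthenticationSession and an OAuth authorization-code request with PKCE. This is an added example, not code from this thread or from the IBM SDK; the class name, endpoint URL, client ID and URL scheme are placeholders, and that the SDK's shareSession parameter maps to prefersEphemeralWebBrowserSession is an assumption.

```swift
import AuthenticationServices
import CryptoKit

// Hypothetical coordinator; endpoint, client_id and URL scheme are placeholders.
final class SignInCoordinator: NSObject, ASWebAuthenticationPresentationContextProviding {
    private let anchor: ASPresentationAnchor
    private var session: ASWebAuthenticationSession?
    private(set) var codeVerifier = ""   // sent later with the token request
    init(anchor: ASPresentationAnchor) { self.anchor = anchor }

    private func base64url(_ data: Data) -> String {
        data.base64EncodedString().replacingOccurrences(of: "+", with: "-")
            .replacingOccurrences(of: "/", with: "_").replacingOccurrences(of: "=", with: "")
    }

    func signIn(shareSession: Bool, completion: @escaping (Result<String, Error>) -> Void) {
        // PKCE: the random verifier stays in the app, only its SHA-256 challenge is sent.
        codeVerifier = base64url(Data((0..<32).map { _ in UInt8.random(in: 0...255) }))
        let challenge = base64url(Data(SHA256.hash(data: Data(codeVerifier.utf8))))
        let state = UUID().uuidString
        var url = URLComponents(string: "https://idp.example.com/authorize")!
        url.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: "example-mobile-client"),
            URLQueryItem(name: "redirect_uri", value: "exampleapp://callback"),
            URLQueryItem(name: "scope", value: "openid"),
            URLQueryItem(name: "state", value: state),
            URLQueryItem(name: "code_challenge", value: challenge),
            URLQueryItem(name: "code_challenge_method", value: "S256"),
        ]
        let s = ASWebAuthenticationSession(url: url.url!, callbackURLScheme: "exampleapp") { callback, error in
            guard let callback = callback, error == nil else {
                return completion(.failure(error ?? URLError(.cancelled)))
            }
            let items = URLComponents(url: callback, resolvingAgainstBaseURL: false)?.queryItems ?? []
            // Accept the code only if state matches the request this app sent.
            guard items.first(where: { $0.name == "state" })?.value == state,
                  let code = items.first(where: { $0.name == "code" })?.value else {
                return completion(.failure(URLError(.badServerResponse)))
            }
            completion(.success(code))
        }
        // false: reuse the system browser's IdP cookies (SSO); true: private session, always prompts.
        s.prefersEphemeralWebBrowserSession = !shareSession
        s.presentationContextProvider = self
        session = s   // keep a strong reference until the callback fires
        s.start()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { anchor }
}
```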



  • 6.  RE: How to Achieve Mobile App SSO Using IBM Security Verify Access as IDP?

    Posted Tue January 21, 2025 05:00 AM

    Hi Don,

    That's perfect, as it is a detailed description of using the SDK. I didn't use it like that so far. Just to mention that each app runs in its own sandbox and the session sharing works between apps signed by the same bundle seed (app group). The developer must make sure this is implemented.



    ------------------------------
    Jens Petersen
    ------------------------------
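
    The last reply's point that sharing only works between apps from the same bundle seed, together with the earlier advice that the client must secure the token, shown with Apple's keychain access groups. This is an added example, not code from this thread or from the IBM SDK; the type name and the service, account and access-group strings are placeholders, and the page does not say which mechanism the SDK itself uses.

```swift
import Foundation
import Security

// Hypothetical store. The access group must appear in the keychain-access-groups
// entitlement of every participating app; "TEAMID1234" stands in for the team's
// app identifier prefix (bundle seed).
struct SharedTokenStore {
    let service = "com.example.sso"                    // placeholder
    let account = "refresh-token"                      // placeholder
    let accessGroup = "TEAMID1234.com.example.shared"  // placeholder

    private var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account,
         kSecAttrAccessGroup as String: accessGroup]
    }

    // Returns errSecSuccess on success; errSecMissingEntitlement if the app
    // is not signed into the access group.
    func save(_ token: String) -> OSStatus {
        SecItemDelete(baseQuery as CFDictionary)   // replace any previous value
        var attrs = baseQuery
        attrs[kSecValueData as String] = Data(token.utf8)
        // Readable only while the device is unlocked; never migrated to another device.
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(attrs as CFDictionary, nil)
    }

    func load() -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }

    // Call on sign-out so the sibling apps lose the shared token as well.
    func clear() -> OSStatus {
        SecItemDelete(baseQuery as CFDictionary)
    }
}
```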