August 21, 2013

Deliver Mobile Single Sign-On with New Symplified Component

By

symplifiedWe’re pleased to announce the first enterprise identity management component in the Xamarin Component Store from Symplified, a leader in providing Identity-as-a-Service.

With this new component, you can quickly and easily build, test and deploy authentication and single sign-on (SSO) capabilities in your apps and securely connect them to existing identity infrastructure such as Active Directory and LDAP.

The component works with any IdP that supports SAML 2.0 or OAuth 1.0/2.0, such as Salesforce.com.  Alternatively,  joint Symplified and Xamarin customers can now extend existing Symplified IDaaS capabilities out to Xamarin apps.

Read on to get a code-level view of the component, and register now for a live “Authenticating Enterprise Users into Mobile Apps” webinar on August 27 at 8am Pacific.

Get Your Code On

You’ll need an XML file that provides the provisioning details. The Symplified client reads that file and configures itself by using the values it defines. You will find an example file, named `idp.symplified.net.metadata.xml`, in each of the sample applications included in the component, as well as on the component’s Getting Started page (which this article pulls heavily from). With this file on hand, we’re ready to code.

Step 1: Creating and configuring the Symplified identity provider.

Let’s get the website information required to use Symplified’s IdP for your application. We’ll load the XML document containing SAML 2.0 metadata, and send it off to a metadata parser:

XmlDocument xDoc = new XmlDocument ();
xDoc.PreserveWhitespace = true; // This is important do not remove
xDoc.Load ("idp.symplified.net.metadata.xml");
Saml20MetadataDocument idpMetadata = new Saml20MetadataDocument (xDoc);

Step 2: Create and configure a SAML 2.0 authentication client

To verify an assertion that returns from the IdP, we’ll configure an authenticator using the IdP metadata:

Saml20Authenticator authenticator = new Saml20Authenticator (
  "Symplified.Auth.iOS.Sample",
  idpMetadata
);

The authenticator will:

  • Create a SAML assertion.

  • Send it to the IdP.

  • Get an assertion back. The assertion is issued depending on conditions such as the user’s log in state.

  • Verify the signature on the assertion.

  • Request the resource.

Step 3: Authenticate the user

Although third-party authenticators control their own UI, you decide how to show the authenticator’s UI on the screen. You can manage how the authentication UI is presented–modally, in navigation controllers, in popovers, and so on.

Prior to displaying the UI, we must first listen for the Completed event which triggers when user successfully authenticates or cancels. Find out whether the authentication succeeded by examining the IsAuthenticatedproperty of eventArgs:

authenticator.Completed += (s, e) => {
  loginViewController.DismissViewController (true, null);
  if (!e.IsAuthenticated) {
    samlLoginStatusStringElement.Caption = "Not authorized";
    samlLoginStatusStringElement.GetActiveCell ().BackgroundColor = UIColor.Red;
  } else {
    SamlAccount authenticatedAccount = (SamlAccount)e.Account;
    samlLoginStatusStringElement.Caption = String.Format ("Name: {0}", authenticatedAccount.Assertion.Subject.Value);
    samlLoginStatusStringElement.GetActiveCell ().BackgroundColor = UIColor.Green;
  }
  loginViewController.ReloadData ();
};

All the information collected from a successful authentication is accessible in eventArgs.Account. We are now ready to display the login UI from ViewDidAppear on iOS:

UIViewController vc = authenticator.GetUI ();
loginViewController.PresentViewController (vc, true, null);

The GetUI method returns UINavigationControllers on iOS, and Intents on Android. Here is how we would write the code to display the UI from OnCreate:

var intent = authenticator.GetUI (this);
StartActivityForResult (intent, 42);

Step 4: Storing the account details

The Symplified Mobile Developer SDK securely stores Account objects so you don’t always have to re-authenticate the user. The AccountStore class is in charge of storing Account information, supported by the Keychain on iOS and a KeyStore on Android:

// On iOS:
AccountStore.Create ().Save (eventArgs.Account, "idp.symplified.net");
// On Android:
AccountStore.Create (this).Save (eventArgs.Account, "idp.sympliifed.net");

Saved Accounts are uniquely identified with a key composed of the account’s Username property and a “Service ID”. The “Service ID” is any string that is used when retrieving accounts from the store.

If an Account was saved earlier, calling Save again will overwrite it. This is helpful for services that expire the credentials stored in the account object. If you have used Xamarin.Auth before, then this will be familiar to you.

Voila, single sign-on in your apps in just 4 steps.

Ready for more? Watch the webinar “Authenticating Enterprise Users into Mobile Apps”.

 

TwitterFacebookGoogle+LinkedInEmail