android – Storing SAML Assertion on mobile app and use them for user session-ThrowExceptions

Exception or error:

Trying to set the flow of SSO inside a mobile App. Here is what the flow is

  • SP resource URL is presented to CustomChromeTabs (Android)
  • SP Redirects to IDP for authentication
  • IDP presents login screen
  • User adds credentials and submits back to IDP
  • IDP check for the credentials and sends back SAML Assertion to SP
  • SP process the response and as it trusts IDP, converts SAML Assertion to access token
  • SP redirects token back to mobile app. CustomChromeTab store it in cookie for further resource requests

Problem

  • Due to security issues, storing access token inside a cookie is not advisable

Solution

  1. Store encrypted SAML assertion inside secured android keystore system

Questions

  1. Is it possible to store SAML assertions on client side (here mobile app) and use them later to get access token from SP?
  2. How expirations of these SAML Assertion works?
How to solve:

Leave a Reply

Your email address will not be published. Required fields are marked *