Exception or error:
Trying to set up the SSO flow inside a mobile app. Here is what the flow is:
- The SP resource URL is presented to CustomChromeTabs (Android)
- The SP redirects to the IDP for authentication
- The IDP presents a login screen
- The user enters credentials and submits them back to the IDP
- The IDP checks the credentials and sends back a SAML Assertion to the SP
- The SP processes the response and, as it trusts the IDP, converts the SAML Assertion to an access token
- The SP redirects the token back to the mobile app. CustomChromeTab stores it in a cookie for further resource requests
- Due to security issues, storing an access token inside a cookie is not advisable
- Store the encrypted SAML assertion inside the secured Android Keystore system
- Is it possible to store SAML assertions on the client side (here, the mobile app) and use them later to get an access token from the SP?
- How do the expirations of these SAML Assertions work?
How to solve:
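On the expiry question: a SAML 2.0 assertion carries its own validity window in the `Conditions` element (`NotBefore`, `NotOnOrAfter`, plus the intended `Audience`), and a relying party evaluates those before accepting an assertion, which is what decides whether a stored assertion can still be redeemed later. The check below is an added example, not code from the question or from any SP/IDP product; the assertion XML, issuer and audience URLs, and the 60-second skew allowance are constructed for illustration.

```python
"""Evaluate the validity window of a SAML 2.0 assertion (added example)."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; only the parts relevant to expiry are shown.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing 'Z'; return a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assertion_status(xml_text: str, now: datetime, expected_audience: str,
                     skew: timedelta = timedelta(seconds=60)) -> str:
    """Return 'valid', 'not_yet_valid', 'expired', 'wrong_audience' or 'missing_conditions'.

    Signature verification is out of scope here and must happen before this;
    this only evaluates the Conditions element, allowing a small clock skew.
    """
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return "missing_conditions"
    audiences = [a.text for a in cond.findall(".//saml:Audience", SAML_NS)]
    if audiences and expected_audience not in audiences:
        return "wrong_audience"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_time(not_before):
        return "not_yet_valid"
    if not_on_or_after and now - skew >= _parse_time(not_on_or_after):
        return "expired"
    return "valid"
```

With the constructed window above, an assertion redeemed a few minutes after issuance is already rejected as `expired`, so caching an assertion for later token exchange only works for as long as its `NotOnOrAfter` allows.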