Shibboleth IdP Authentication requirement / design confirmation for authentication of Mobile User authentication


Shibboleth IdP Authentication requirement / design confirmation for authentication of Mobile User authentication

ashokvijayakumar
Hi Team, 

We worked on developing the authentication of users of a web application using the Shibboleth IdP login page.

Now our Customer requirement was to extend this authentication mechanism to the Mobile Users using Shibboleth IdP login page.

Our requirement list is as below:

1) Users of the Mobile Application need to be authenticated using a Native Application web view by loading the Shibboleth IdP login page (iOS, Android, ODS runtime).
2) Users of the Mobile Application should be authenticated via web view only once, and next the same user should be authenticated only after six months.

Please validate the following design decisions for the above said requirement:

1) Designing the user authentication via the Shibboleth IdP login page loaded on to the native application web view, and the subsequent authentication should be via the Shibboleth ECP endpoint using the Shibboleth IdP session cookie stored on the browser, and here the default browser of the native application used by the web view. Is this valid? If not valid, what is the alternative to achieve this?

2) Designing the Shibboleth session timeout configuration as below,
idp.session.timeout=PT4320H
idp.authn.defaultLifetime=PT4320H  
idp.authn.defaultTimeout=PT259200M
Kindly validate the configuration. If Shibboleth is not supporting the same, what is the alternative to achieve force authentication of the user once in six months for the mobile application?

3) Can the user authenticated via the Shibboleth login page be logged out via the Shibboleth logout ECP endpoint with the Shibboleth IdP session cookie?

4) Can the same instance of Shibboleth Server be configured with different IdP session timeout configurations, one for web and the other one for mobile? Kindly confirm; if not possible, what is the alternative?

Thanks, 
Ashok Vijayakumar.






--
To unsubscribe from this list send an email to [hidden email]
Re: Shibboleth IdP Authentication requirement / design confirmation for authentication of Mobile User authentication

Cantor, Scott E.
On 12/25/17, 4:39 PM, "dev on behalf of Ashok Vijayakumar" <[hidden email] on behalf of [hidden email]> wrote:

> 1)  Designing the user authentication via Shibboleth IdP login page loaded on to the native application web view and the
> subsequent authentication should be via Shibboleth ECP End point

No. Using a web view, which is a very reasonable thing to do, is the exact opposite of using ECP, and would be relying on the standard Browser SSO profile.

> what is the alternative to achieve force authentication of user once in six months for mobile application?

By issuing your own token that you manage outside the IdP.

-- Scott
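
One way to realise the "own token managed outside the IdP" from the reply above, as an added example that is not part of the original thread and is not Shibboleth code. It assumes the application backend issues the token only after its SP has accepted the Browser SSO response from the web-view login; the token format, the function names and the in-memory revocation set are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

TOKEN_LIFETIME = 4320 * 3600          # 4320 hours (180 days), the PT4320H figure from the question
SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the application backend
REVOKED = set()                       # assumption: stand-in for a persistent revocation store

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _claims(token):
    """Return the claims if the HMAC tag is valid, else None."""
    try:
        body, tag = token.split(".")
        expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None
        return json.loads(_unb64(body))
    except (ValueError, AttributeError):
        return None

def issue_token(subject, now=None):
    """Call only after the SP has validated the SAML response from the web-view login."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "iat": now, "exp": now + TOKEN_LIFETIME,
              "jti": secrets.token_hex(16)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + tag

def verify_token(token, now=None):
    """Return the subject, or None when the app must reopen the IdP login in the web view."""
    now = int(time.time()) if now is None else now
    claims = _claims(token)
    if claims is None or now >= claims["exp"] or claims["jti"] in REVOKED:
        return None
    return claims["sub"]

def revoke_token(token):
    """Application-level logout: kill the token without touching any IdP session."""
    claims = _claims(token)
    if claims is not None:
        REVOKED.add(claims["jti"])
    return claims is not None
```

With this split the IdP session settings can stay at values suited to the web application, and the six-month window applies only to the token the mobile backend issues and revokes.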

