IdPMobile
References:
- http://shibboleth.1660669.n2.nabble.com/Android-Application-Question-td7630558.html (see excerpts in the attachment)
- https://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/
- https://www.pingidentity.com/developer/en/resources/napps-native-app-sso.html
Linking to a mobile application:
- https://xamarinhelp.com/launching-mobile-app-via-uri-scheme/
- https://xamarinhelp.com/uri-scheme/
- https://developers.tune.com/sdk/deep-linking-to-your-mobile-app-from-your-website/
Example URIs that link to a mobile application:
- twitter://timeline
- mobiledeeplinkingprojectdemo://product/123
Diagram of a possible interaction:
FLOW IDEA:
- app requests a protected (SP) page (opens the system browser)
- authn request to the IdP
- login page
- redirect to the protected page
- redirect to the mobile app with an application token
Login handler
- receives a GET request on /login, with the environment variables already populated by the Shibboleth SP
- generates the parameters and encrypts/HMACs them into <token>. Example: encode(ci+hmac)
- redirects to the mobile app, at myapp://init/<token>
Then the mobile app receives the parameters, verifies them and creates a session.
(If only the ID document number is used, a get-user-info call might not be necessary.)
Ideas for protecting the request:
https://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
    import base64, hashlib, hmac, urllib.parse
    # Example from the S3 guide: keyed SHA-1 over the string to sign, then base64 and URL-encode
    h = hmac.new(b"OtxrzxIsfpFjA7SwPzILwy8Bw21TLhquhboDYROV",
                 b"GET\n\n\n1141889120\n/quotes/nelson", hashlib.sha1)
    urllib.parse.quote_plus(base64.b64encode(h.digest()).strip())
Note that we also url-encoded the result this time. This is because the output from the base64 algorithm is not suitable for use as a query string parameter, so we add an additional layer of armor to make it acceptable.
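Worked example of the login-handler/app exchange sketched above, applying the HMAC idea from the S3 guide to the myapp://init/<token> redirect (added here; not code from the page, from Shibboleth or from AWS). The handler side builds the token from the SP-populated environment; the app side checks the tag in constant time and rejects expired or tampered tokens. SECRET, TOKEN_TTL and the JSON claim layout are assumptions, and this is the HMAC (integrity) variant only: the claims are signed, not encrypted.

```python
import base64
import hashlib
import hmac
import json
import time

# Shared secret between the SP-side /login handler and the mobile app.
# Constructed placeholder: in practice load a long random value from configuration.
SECRET = b"replace-with-a-long-random-secret"
TOKEN_TTL = 120  # seconds a token stays valid after it is issued (assumed)


def _b64u(raw: bytes) -> str:
    # URL-safe base64 without padding, so the token is safe inside a custom-scheme URI.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_redirect(sp_env: dict, now=None, scheme: str = "myapp") -> str:
    """Login handler side: turn SP attributes into scheme://init/<payload>.<tag>.

    sp_env is the CGI/WSGI environment the Shibboleth SP populated (REMOTE_USER, ...).
    """
    now = int(time.time()) if now is None else now
    claims = {"sub": sp_env["REMOTE_USER"], "iat": now, "exp": now + TOKEN_TTL}
    payload = _b64u(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64u(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{scheme}://init/{payload}.{tag}"


def verify_token(token: str, now=None) -> dict:
    """Mobile app side: verify the HMAC in constant time, then the expiry; return claims."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = token.split(".", 1)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    # compare_digest avoids leaking the tag through timing differences.
    if not hmac.compare_digest(_b64u_decode(tag), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_decode(payload))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```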