Device single sign-on (SSO)

Single sign-on (SSO) lets a user access multiple resources (that is, applications and adapter procedures) after authenticating only once.

When a user logs in successfully through an SSO-enabled login module, the user gains access to every resource that uses the same login module without having to authenticate again for each one. The authenticated state stays alive as long as requests to resources protected by that login module keep arriving within the timeout period, which is the same as the session timeout period.

Device authentication

The SSO feature requires device authentication. Every resource that is to be protected with SSO must therefore also have a device authentication realm in the securityTest that protects it in the authenticationConfig.xml file, and device authentication must take place before the SSO-enabled user authentication.

Supported devices

SSO is supported on Android, iOS, Windows 8 Universal, and Windows Phone Silverlight 8 devices.

Performance

When you use the single sign-on feature, the load on the database might increase, and you might have to adjust the database configuration.

Implementing a custom authentication to support SSO

To allow SSO to operate on your custom authentication classes (authenticator and loginModule), you must:
  1. Make all fields in your classes transient, except for the fields that are used by the following methods:
    • WorklightAuthenticator.processRequestAlreadyAuthenticated(HttpServletRequest, HttpServletResponse)
    • WorklightAuthLoginModule.logout()
  2. Mark the authenticator and loginModule classes (and any class that is referenced from a field that remains non-transient after step 1) with the class annotation @DeviceSSO(supported = true).
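The following is an added example, not code from the MobileFirst documentation or product, that applies both steps to a header-based authenticator and its login module. It assumes that the server API types live in the com.worklight.core.auth.api package with the interface methods as listed in the MobileFirst server API javadoc (check them against your server version); the package name com.example.auth, the X-Demo-* header names, and the fixed secret are placeholders.

```java
// Added example: a custom authenticator/login module pair prepared for device SSO.
// Assumed: API types in com.worklight.core.auth.api; placeholder package, headers and secret.
package com.example.auth;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.worklight.core.auth.api.AuthenticationResult;
import com.worklight.core.auth.api.AuthenticationStatus;
import com.worklight.core.auth.api.DeviceSSO;
import com.worklight.core.auth.api.UserIdentity;
import com.worklight.core.auth.api.WorklightAuthLoginModule;
import com.worklight.core.auth.api.WorklightAuthenticator;

// ---- File: SsoHeaderAuthenticator.java ----
// Step 2: the class is marked SSO-capable so the server may persist and share its state.
@DeviceSSO(supported = true)
public class SsoHeaderAuthenticator implements WorklightAuthenticator {

    // Step 1: used only between processRequest() and getAuthenticationData(), i.e. before the
    // session is authenticated, and not by processRequestAlreadyAuthenticated(): transient.
    // Keeping it transient also means the raw credential is never stored as SSO state.
    private transient Map<String, Object> authenticationData;

    @Override
    public void init(Map<String, String> options) { }

    @Override
    public AuthenticationResult processRequest(HttpServletRequest request, HttpServletResponse response,
            boolean isAccessToProtectedResource) throws IOException, ServletException {
        String user = request.getHeader("X-Demo-User");     // placeholder credential headers
        String secret = request.getHeader("X-Demo-Secret");
        if (user != null && secret != null) {
            authenticationData = new HashMap<String, Object>();
            authenticationData.put("username", user);
            authenticationData.put("secret", secret);
            return AuthenticationResult.createFrom(authenticationData);
        }
        if (!isAccessToProtectedResource) {
            return AuthenticationResult.createFrom(AuthenticationStatus.REQUEST_NOT_RECOGNIZED);
        }
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // challenge: ask the client for the headers
        return AuthenticationResult.createFrom(AuthenticationStatus.CLIENT_INTERACTION_REQUIRED);
    }

    @Override
    public AuthenticationResult processRequestAlreadyAuthenticated(HttpServletRequest request,
            HttpServletResponse response) throws IOException, ServletException {
        // Called for requests on an already-authenticated session, including requests that reach
        // this resource via SSO. It uses no instance fields, so every field above may be transient.
        return AuthenticationResult.createFrom(AuthenticationStatus.REQUEST_NOT_RECOGNIZED);
    }

    @Override
    public HttpServletResponse processAuthenticationFailure(HttpServletRequest request,
            HttpServletResponse response, String errorMessage) throws IOException, ServletException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return response;
    }

    @Override
    public boolean changeResponseOnSuccess(HttpServletRequest request, HttpServletResponse response)
            throws IOException { return false; }

    @Override
    public Map<String, Object> getAuthenticationData() { return authenticationData; }

    @Override
    public WorklightAuthenticator clone() throws CloneNotSupportedException {
        return (WorklightAuthenticator) super.clone();
    }
}

// ---- File: SsoDemoLoginModule.java ----
@DeviceSSO(supported = true)
public class SsoDemoLoginModule implements WorklightAuthLoginModule {

    // Read by logout(), so it must stay non-transient to survive the SSO persist/restore cycle.
    // Its type (String) is a JDK class, so no further @DeviceSSO annotation is needed for it.
    private String username;

    // Used only inside login(): transient, and cleared as soon as it has been checked.
    private transient String secret;

    @Override
    public void init(Map<String, String> options) { }

    @Override
    public boolean login(Map<String, Object> authenticationData) {
        username = (String) authenticationData.get("username");
        secret = (String) authenticationData.get("secret");
        // Placeholder check; a real module validates against a user registry or directory.
        boolean ok = username != null && "demo-secret".equals(secret);
        secret = null;
        if (!ok) username = null;
        return ok;
    }

    @Override
    public UserIdentity createIdentity(String loginModule) {
        return new UserIdentity(loginModule, username, null, null, null, null);
    }

    @Override
    public void logout() { username = null; }

    @Override
    public void abort() { username = null; secret = null; }

    @Override
    public WorklightAuthLoginModule clone() throws CloneNotSupportedException {
        return (WorklightAuthLoginModule) super.clone();
    }
}
```

If you keep a non-transient field whose type is one of your own classes (for example, a small holder for the session handle that logout() must release), that class needs the same @DeviceSSO(supported = true) annotation; the example deliberately keeps the surviving field a String so that only the two API classes carry it.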

Device SSO in the OAuth-based security model

OAuth resources are not protected by security tests and do not have a single defined user realm per resource, so the standard MobileFirst device SSO behavior does not apply to them.

However, to obtain an access token in the MobileFirst OAuth-based security model, the client must also pass the application's security test. If SSO is configured for that security test, it functions in the MobileFirst OAuth-based security model exactly as it does in the classic MobileFirst security model.