TiloMaster
8 Posts

Pinned topic Mobile app and ICN with SSO not working

‏2013-09-27T17:23:57Z |

Hi,

If ICN 2.0.1 or 2.0.2 is set up with SSO (P8, WAS SPNEGO / Kerberos), the mobile app doesn't work anymore (can't log in).

I might spend the time and open up a PMR, but can anybody confirm this? Or has anyone got the mobile app working with SSO ICN?

Mobile version 2.0.1.1 Build 20130523-0849

Thanks, Tilo

Updated on 2013-09-27T18:30:38Z by TiloMaster
  • Michael Meli
    1 Post

    Re: Mobile app and ICN with SSO not working

    ‏2013-09-30T07:12:30Z  

    Hi

    I can confirm this (verified in a PMR): the mobile access / iOS app doesn't work again when CN 2.0.1 / 2.0.2 is deployed with the SSO option. SPNEGO filters cannot be used with the mobile app. IBM wants to change the app in the future to be closer to the browser solution (using HTML5).

    What I did as a workaround: deploy CN in two different WAS profiles, once with and once without the SSO option. The iOS user is then connecting to a different port (e.g. 9444) than the desktop user.

    Another option is to use the Safari browser (but then you don't have the app goodies like upload pictures via cam etc.).

    Here's the official IBM answer about this issue:

     

    "Hope you had a good weekend. There was a misunderstanding regarding the
    iPad browser and the iPad app; it doesn't look like the iPad app is able to
    connect when Kerberos/SPNEGO SSO is enabled for ICN. L3 can reproduce this
    problem.

    Adding the ?noSPNEGO parameter to the URL for the iPad connection doesn't
    work. The user-agent string sent by the iPad app includes "Navigator", so I
    also tried these SPNEGO filters:

         user-agent!=Navigator      (<- Enable if not "Navigator")

         user-agent^=IE|Firefox     (<- Enable if "IE" or "Firefox")

    but the iPad app was still not able to connect.


    According to L3, the iPad app is not yet officially supported with SPNEGO.
    You may open a feature request to support Kerberos/SPNEGO SSO, but a defect
    can't be accepted for this lack of support. L3 stated that in the
    next major release of ICN the iPad app will use the same engine that is
    used when opening Navigator in Safari, so this should remove
    differences in connection behavior between the iPad app and when the
    Navigator web client is used under Safari.

    Sorry about this."

     

    Best regards,

    Michael Meli

     

     

  • TiloMaster
    8 Posts

    Re: Mobile app and ICN with SSO not working

    ‏2013-09-30T15:29:14Z  

    Thanks for the detailed answer. Any chance IBM can list this somewhere as a Known-Feature aka issue?

    Btw, how does the "?noSPNEGO" work? Is this an OOTB ICN parameter, or do you configure WAS not to do SSO if the URL contains "noSPNEGO"?

  • Oren Paikowsky
    6 Posts

    Re: Mobile app and ICN with SSO not working

    ‏2013-10-02T13:06:41Z  

    Hi,

    I'd like to get more information on this topic, to see if there is any assistance we can provide.

    If you're willing, please send a mail to orenp <at> il.ibm.com and we can discuss further.

    Thanks,

    Oren Paikowsky

    ECM Mobile Development

  • mayank141
    1 Post

    Re: Mobile app and ICN with SSO not working

    ‏2013-11-06T03:33:18Z  

    Hi,

    I have tried the iPad app using TAM SSO, but it is also not working. Please update if anybody has any updates on this.

    Thanks

    Mayank

  • TiloMaster
    8 Posts

    Re: Mobile app and ICN with SSO not working

    ‏2013-12-04T16:30:55Z  

    The latest ICN app (20131128-1617) works with SSO-configured WAS if a filter like user-agent^=IE|Firefox is used (didn't try other filters, but others should work too).

    cheers
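
The two filter rules quoted in this thread, modelled as an added example (not code from any poster or from IBM) to show which clients each rule is meant to send through SPNEGO. Assumptions: `!=` means "does not contain" and `^=` means "contains one of", as annotated in the quoted support reply; `==`, `%=`, `;` as an AND separator and case-sensitive matching are assumed; all user-agent strings are constructed samples.

```python
import re

# key, operator, value. "!=" and "^=" follow the annotations in the thread;
# "==" (exact) and "%=" (contains) are assumptions about the same syntax.
_RULE = re.compile(r"^\s*([\w-]+)\s*(==|!=|%=|\^=)\s*(.+?)\s*$")

def parse_filter(text):
    """Split 'key op value;key op value' into (key, op, value) tuples."""
    rules = []
    for part in filter(None, (p.strip() for p in text.split(";"))):
        m = _RULE.match(part)
        if not m:
            raise ValueError(f"unparseable rule: {part!r}")
        rules.append(m.groups())
    return rules

def rule_matches(op, expected, actual):
    if op == "==":
        return actual == expected
    if op == "!=":
        return expected not in actual
    if op == "%=":
        return expected in actual
    # "^=": any of the |-separated alternatives appears in the header value
    return any(alt in actual for alt in expected.split("|") if alt)

def spnego_applies(filter_text, request):
    """True when every rule matches, i.e. the request is selected for SPNEGO."""
    return all(rule_matches(op, val, request.get(key, ""))
               for key, op, val in parse_filter(filter_text))

# Constructed user-agent samples; the thread only says the app's string
# includes "Navigator", so the app value here is a placeholder.
SAMPLES = {
    "ie": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0",
    "ipad_safari": "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) "
                   "AppleWebKit/537.51.1 Version/7.0 Mobile/11A465 Safari/9537.53",
    "ipad_app": "Navigator-App/2.0 (iPad)",
}

def evaluate(filter_text):
    return {name: spnego_applies(filter_text, {"user-agent": ua})
            for name, ua in SAMPLES.items()}

if __name__ == "__main__":
    for f in ("user-agent!=Navigator", "user-agent^=IE|Firefox"):
        print(f, evaluate(f))
```

The User-Agent header is supplied by the client, so a filter like this only selects which requests are offered SPNEGO; requests it skips still have to be authenticated by whatever other login mechanism the deployment has.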