Enable device single sign-on (SSO) to share the state of
a security check among multiple applications on the same device.
About this task
You can enable device single sign-on (SSO) for any custom security check to share the state of that check with other application instances that are running on the same device. For example, you can use device SSO to implement an authentication flow in which a successful user login from one application also applies to other applications on the same device.
Device SSO is configured in the application-descriptor JSON file by using the predefined enableSSO security-check configuration property.
Note:
- While device SSO can technically be enabled for any custom security check, make sure that enabling it matches the logic of the target security check. Because the state of the check is shared with every application on the device that enables SSO for it, avoid enabling device SSO for security checks that are inherently specific to your application, such as application-authenticity validation.
- The device-SSO property is configured only at the application level. You do not define or configure the enableSSO property as part of the implementation of a custom security check.
- Using device SSO might have performance implications.
- The remember-me feature of the UserAuthenticationSecurityCheck base class cannot be used together with a device-SSO configuration.
Procedure
Enable device SSO for a specific security check by using one of the following alternative methods:
- Using IBM MobileFirst™ Platform Operations Console (the console)
  - Select your application version from the Applications section of the console's navigation sidebar, and then select the application Security tab.
  - In the Security-Check Configurations section, select Create New, or select the edit icon for an existing security-check configuration (if one exists).
  - In the Configure Security-Check Properties dialog window, select the custom security check for which you want to enable device SSO.
  - Locate the Enable Device SSO configuration field, and select true. You can also configure other properties of the security check. When you are done, select OK to apply your changes.
  You can delete or edit your security-check configuration, including the device-SSO configuration, at any time, by selecting the relevant action icon for your security check in the security-check configurations table.
- Editing the application-descriptor file
  - Create a local copy of the application-descriptor JSON file. See Application configuration.
  - Edit your local copy to enable device SSO for your selected custom security check: device SSO is enabled by setting the enableSSO property of a custom security check to true. The property is contained within a security-check object that is nested in the securityCheckConfigurations object. Locate these objects in your application-descriptor file, or create them if they are missing. In the following template, replace SecurityCheckName with the name of your selected security check:

    "securityCheckConfigurations": {
      "SecurityCheckName": {
        [...]
        "enableSSO": true
      }
    }

    For example, the following descriptor-file snippet sets the enableSSO property for a UserAuthenticationSC security check that also configures other properties:

    "securityCheckConfigurations": {
      "UserAuthenticationSC": {
        "maxAttempts": "4",
        "failureStateExpirationSec": "120",
        "enableSSO": true
      }
    }

  - Deploy your copy of the application-descriptor JSON file to MobileFirst Server. See Application configuration.
  To disable device SSO for your security check, create a new copy of the application-descriptor file, delete the enableSSO configuration or set the property value to false, and redeploy the descriptor file to the server.
Results
After you successfully enable device SSO for your selected security check, the Security-Check Configurations table on the application Security console page shows the value true for the Enable Device SSO property of that security check. In addition, you can see the device-SSO property definition in the application descriptor: in the console, go to the application Configuration Files tab. The Application-Descriptor JSON File section shows a copy of the application-descriptor JSON file. Search for the name of the configured security check within the securityCheckConfigurations object. The nested security-check object should contain an "enableSSO": true entry. In the following template, replace SecurityCheckName with the name of the security check that you configured:

"securityCheckConfigurations": {
  "SecurityCheckName": {
    [...]
    "enableSSO": true
  }
}
To test device SSO, enable this feature for the same security check in multiple applications. Then attempt to access resources that are protected by this security check from those applications on the same device. You should be required to pass the security check only once, for the first resource request. For example, in a user-login scenario, after you successfully log in from one application, login from the second application on the same device should succeed automatically, without any user input. If the second application still prompts the user, verify that enableSSO is set to true for the same security check in the descriptors of both applications.