My company wants to implement SSO on an Android device which is used by several employees over the course of the day. We came across MSAL and the use of the Authenticator app to implement SSO. As far as I understood, I need to put the device into "Shared Device Mode".
From what I have read so far, I am confused about whether I therefore also need to use Intune to manage my Android device. Currently, we use another Mobile Device Management solution.
Can someone clarify for me whether I can use MSAL for SSO on an Android device in a Shared Device scenario without using Intune?
I am very confused at the moment.
Best regards,
Marcel
Yes, you can configure and use MSAL for SSO on an Android device in a shared device scenario without using Intune by following the documentation link given below. It clearly describes the steps for enabling shared-device mode for an Android application and integrating MSAL with it for signing a user in and out.
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-shared-device-mode
The above snapshots depict the MSAL authentication integration for an Android application in Azure AD and the associated 'auth_config.json' file in the application setup files, in which the Azure AD application registration details are configured. It also states that shared device mode is supported for MSAL authentication with SSO.
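For readers who want to see what the linked tutorial's steps look like in code, here is an added example (not code from the question, the answer or Microsoft's tutorial). It assumes a package name of com.example.frontline, a raw resource R.raw.auth_config holding the JSON shown in the header comment (client ID, tenant ID and signature hash are placeholders), the scope User.Read, and a hypothetical clearLocalUserData() helper. The two points a practitioner wants to check are visible in it: isSharedDevice() confirms the device was actually registered in shared device mode by the Authenticator app (the app cannot switch that mode on itself, and no Intune call is involved), and getCurrentAccountAsync() is consulted before reusing anything cached for the previous employee.

```java
// Added example, not code from the original page or from Microsoft's tutorial.
// Assumed res/raw/auth_config.json (placeholders must be replaced with your registration):
// {
//   "client_id": "<application-id>",
//   "authorization_user_agent": "DEFAULT",
//   "redirect_uri": "msauth://com.example.frontline/<url-encoded-signature-hash>",
//   "broker_redirect_uri_registered": true,
//   "account_mode": "SINGLE",
//   "shared_device_mode_supported": true,
//   "authorities": [ { "type": "AAD",
//       "audience": { "type": "AzureADMyOrg", "tenant_id": "<tenant-id>" } } ]
// }
package com.example.frontline;

import android.os.Bundle;
import android.util.Log;
import androidx.annotation.NonNull;
import androidx.annotation.Nullable;
import androidx.appcompat.app.AppCompatActivity;
import com.microsoft.identity.client.AuthenticationCallback;
import com.microsoft.identity.client.IAccount;
import com.microsoft.identity.client.IAuthenticationResult;
import com.microsoft.identity.client.IPublicClientApplication;
import com.microsoft.identity.client.ISingleAccountPublicClientApplication;
import com.microsoft.identity.client.PublicClientApplication;
import com.microsoft.identity.client.SilentAuthenticationCallback;
import com.microsoft.identity.client.exception.MsalException;

public class SharedDeviceSignInActivity extends AppCompatActivity {
    private static final String TAG = "SharedDeviceSignIn";
    private static final String[] SCOPES = {"User.Read"}; // assumed scope

    private ISingleAccountPublicClientApplication app;

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // account_mode SINGLE is required: on a shared device the broker holds at most one account.
        PublicClientApplication.createSingleAccountPublicClientApplication(
                getApplicationContext(), R.raw.auth_config,
                new IPublicClientApplication.ISingleAccountApplicationCreatedListener() {
                    @Override
                    public void onCreated(ISingleAccountPublicClientApplication application) {
                        app = application;
                        // Shared device mode is a property of the device, set when an admin
                        // registers it through the Authenticator app; this app cannot enable it.
                        if (!app.isSharedDevice()) {
                            Log.w(TAG, "Not in shared device mode; sign-out will not be device-wide");
                        }
                        syncWithBrokerAccount();
                    }
                    @Override
                    public void onError(MsalException e) { Log.e(TAG, "MSAL init failed", e); }
                });
    }

    // Ask the broker who is signed in right now. Another employee may have signed in or
    // out through any app since this app last ran, so data cached for the previous user
    // must not be reused until the broker confirms the same account.
    private void syncWithBrokerAccount() {
        app.getCurrentAccountAsync(new ISingleAccountPublicClientApplication.CurrentAccountCallback() {
            @Override
            public void onAccountLoaded(@Nullable IAccount activeAccount) {
                if (activeAccount == null) signIn(); else acquireTokenSilently();
            }
            @Override
            public void onAccountChanged(@Nullable IAccount priorAccount, @Nullable IAccount currentAccount) {
                clearLocalUserData(); // the user changed underneath us: wipe the previous user's state
                if (currentAccount == null) signIn(); else acquireTokenSilently();
            }
            @Override
            public void onError(@NonNull MsalException e) { Log.e(TAG, "getCurrentAccount failed", e); }
        });
    }

    private void signIn() {
        app.signIn(this, null, SCOPES, new AuthenticationCallback() {
            @Override public void onSuccess(IAuthenticationResult result) { onToken(result); }
            @Override public void onError(MsalException e) { Log.e(TAG, "Sign-in failed", e); }
            @Override public void onCancel() { Log.i(TAG, "Sign-in cancelled"); }
        });
    }

    private void acquireTokenSilently() {
        String authority = app.getConfiguration().getDefaultAuthority().getAuthorityURL().toString();
        app.acquireTokenSilentAsync(SCOPES, authority, new SilentAuthenticationCallback() {
            @Override public void onSuccess(IAuthenticationResult result) { onToken(result); }
            @Override public void onError(MsalException e) { signIn(); } // fall back to interactive
        });
    }

    // On a shared device this goes through the broker and removes the account for every
    // app on the device, which is what a shift hand-over needs.
    private void signOut() {
        app.signOut(new ISingleAccountPublicClientApplication.SignOutCallback() {
            @Override public void onSignOut() { clearLocalUserData(); }
            @Override public void onError(@NonNull MsalException e) { Log.e(TAG, "Sign-out failed", e); }
        });
    }

    private void onToken(IAuthenticationResult result) {
        Log.i(TAG, "Signed in as " + result.getAccount().getUsername());
        // Use result.getAccessToken() as a bearer token for your API; keep it in memory only.
    }

    private void clearLocalUserData() { /* assumed helper: clear caches, files and views */ }
}
```

The broker_redirect_uri_registered and shared_device_mode_supported entries are what make MSAL route sign-in through the Authenticator app instead of a browser; the MDM that enrolled the device is not part of this exchange, which is why Intune is not a requirement for the MSAL side.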
Related
My company runs/develops a Node.js application that can be used from an Android device or via any other web client (i.e., desktop). We want to use MSAL on Android to allow SSO for our frontline workers in our stores. We came across the question of whether this is even possible.
My current understanding is that MSAL for Android (Java) can use the MS Authenticator in Shared Device Mode for the SSO scenario. I guess MSAL for Node.js will not be able to access an existing token that is stored in MS Authenticator on Android.
Is there any way to make some kind of "bridge" between the token stored in MS Authenticator on the Android device and the Node.js application?
I am thankful for any helpful ideas to solve this.
Best regards,
Marcel
When using the MSAL library for authentication, the app redirects the user to a web page where they have to log in with a Microsoft account. If the user already has Outlook or some other app installed, is there a way to get that login info, like how the FB app does it?
MSAL works best on iOS if the user has installed and configured the Microsoft Authenticator app. MSAL will launch that app instead of a web browser and the user can just tap their account to log in.
If the device is managed by an MDM then you can [enable the enterprise SSO component](https://github.com/AzureAD/microsoft-authentication-library-for-objc#microsoft-enterprise-sso-plug-in-for-apple-devices) to further simplify the login process.
Without the Authenticator app there is no way for your app to get any existing account authentication details.
Just a thought, but:
Azure AD messages are mostly standards-based, so you don't have to use the MSAL libraries.
You may get a better mobile solution with the AppAuth libraries.
Rather than a web page you could use the in-app browser solutions, which feel integrated and have some good UX features:
Chrome Custom Tabs on Android
ASWebAuthenticationSession on iOS
In case any of this is useful, here are some links of mine, including code samples you can run:
Kotlin app for Android
SwiftUI app for iOS
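To make the suggestion above concrete, here is an added example (not code from the answer or from the author's linked samples) of a standards-based login against the Azure AD v2.0 endpoints with AppAuth for Android, which opens the authorization page in a Chrome Custom Tab by default and adds state and a PKCE code_verifier/code_challenge to the request on its own. The tenant ID, client ID, scopes and the custom-scheme redirect URI com.example.app://oauth/redirect are placeholders; the scheme must also be declared for AppAuth's RedirectUriReceiverActivity in the manifest (the appAuthRedirectScheme manifest placeholder), the same redirect URI must be registered on the app registration as a mobile/desktop platform URI, and the activity needs launchMode="singleTop" so the completion intent arrives in onNewIntent.

```java
// Added example, not code from the original page or from the AppAuth project.
// Assumed placeholders: TENANT, CLIENT_ID, REDIRECT_URI and the scope string.
package com.example.app;

import android.app.PendingIntent;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import androidx.annotation.Nullable;
import androidx.appcompat.app.AppCompatActivity;
import net.openid.appauth.AuthorizationException;
import net.openid.appauth.AuthorizationRequest;
import net.openid.appauth.AuthorizationResponse;
import net.openid.appauth.AuthorizationService;
import net.openid.appauth.AuthorizationServiceConfiguration;
import net.openid.appauth.ResponseTypeValues;

public class AppAuthLoginActivity extends AppCompatActivity {
    private static final String TAG = "AppAuthLogin";
    private static final String TENANT = "<tenant-id>";        // assumed
    private static final String CLIENT_ID = "<client-id>";     // assumed
    private static final Uri REDIRECT_URI = Uri.parse("com.example.app://oauth/redirect"); // assumed
    // Azure AD v2.0 endpoints; with a tenant ID only that tenant's accounts can sign in.
    private static final Uri AUTH_ENDPOINT =
            Uri.parse("https://login.microsoftonline.com/" + TENANT + "/oauth2/v2.0/authorize");
    private static final Uri TOKEN_ENDPOINT =
            Uri.parse("https://login.microsoftonline.com/" + TENANT + "/oauth2/v2.0/token");

    private AuthorizationService authService;

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        authService = new AuthorizationService(this);
        startLogin();
    }

    private void startLogin() {
        AuthorizationServiceConfiguration config =
                new AuthorizationServiceConfiguration(AUTH_ENDPOINT, TOKEN_ENDPOINT);
        // Authorization code flow for a public client. AppAuth generates the state value and
        // the PKCE verifier/challenge itself, so the code cannot be redeemed by another app
        // that happens to intercept the redirect.
        AuthorizationRequest request = new AuthorizationRequest.Builder(
                config, CLIENT_ID, ResponseTypeValues.CODE, REDIRECT_URI)
                .setScope("openid profile offline_access User.Read") // assumed scopes
                .build();
        Intent completion = new Intent(this, AppAuthLoginActivity.class);
        PendingIntent completionIntent = PendingIntent.getActivity(this, 0, completion,
                PendingIntent.FLAG_IMMUTABLE | PendingIntent.FLAG_UPDATE_CURRENT);
        // Opens a Chrome Custom Tab (or the system browser if no Custom Tabs provider exists).
        authService.performAuthorizationRequest(request, completionIntent);
    }

    // Called when the Custom Tab redirects back to our scheme (activity is singleTop).
    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        AuthorizationResponse response = AuthorizationResponse.fromIntent(intent);
        AuthorizationException error = AuthorizationException.fromIntent(intent);
        if (response == null) {
            Log.e(TAG, "Authorization failed", error);
            return;
        }
        // Exchange the code for tokens; the PKCE verifier is attached automatically.
        authService.performTokenRequest(response.createTokenExchangeRequest(),
                (tokenResponse, ex) -> {
                    if (tokenResponse == null) {
                        Log.e(TAG, "Token exchange failed", ex);
                        return;
                    }
                    // tokenResponse.accessToken is the bearer token for your API; keep it in
                    // memory, and store the refresh token only in app-private encrypted storage.
                    Log.i(TAG, "Token exchange succeeded");
                });
    }

    @Override
    protected void onDestroy() {
        super.onDestroy();
        authService.dispose();
    }
}
```

Because the Custom Tab shares the cookie jar of the user's Chrome profile, an employee who is already signed in to Microsoft 365 in Chrome gets a one-tap experience, but unlike the Authenticator broker path this gives no device-wide sign-out and no shared-device semantics; it is the right choice for a personal device, not for a device handed between shifts.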
We are developing 10+ mobile apps for our organization's internal purposes. We use Azure AD, so we are trying to implement SSO for all Android apps using the Microsoft identity platform (v2.0). We couldn't make Microsoft Authenticator the broker app instead of the browser view.
Please help us with how to achieve this.
I checked the Microsoft identity platform (v2.0) documentation regarding this, but to no avail.
Looking at the MSAL for Android code, it looks like you need to set the broker_redirect_uri_registered value to true in your auth_config.json file (refer to the sample) for the broker to be used.
PS: I haven't tried this myself either... yet.
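Setting broker_redirect_uri_registered to true is only half of it: the broker also requires the redirect_uri in auth_config.json to be of the form msauth://<package name>/<URL-encoded Base64 SHA-1 of the app's signing certificate>, and the same value has to be registered on the Azure AD app registration. The following added example (not code from the answer above or from the MSAL project) derives that URI from the APK's actual signing certificate at runtime so it can be compared with the configured value, which catches the common mistake of building with a debug key while the registration holds the release key's hash. The package name com.example.app and the configured URI passed to matchesConfigured are placeholders.

```java
// Added example, not code from the original page or from the MSAL for Android library.
// Format of the broker redirect URI is from Microsoft's MSAL for Android documentation.
package com.example.app;

import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public final class BrokerRedirectUri {
    private BrokerRedirectUri() {}

    // Base64 of the SHA-1 digest over the DER-encoded signing certificate, exactly what
    // "keytool -exportcert ... | openssl sha1 -binary | openssl base64" produces.
    public static String signatureHash(byte[] derCertificate) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            return Base64.getEncoder().encodeToString(sha1.digest(derCertificate));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 not available", e);
        }
    }

    // msauth://<package>/<url-encoded hash>; '+', '/' and '=' in the Base64 text become %2B, %2F, %3D.
    public static String redirectUri(String packageName, byte[] derCertificate) {
        try {
            String encoded = URLEncoder.encode(signatureHash(derCertificate), "UTF-8");
            return "msauth://" + packageName + "/" + encoded;
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    // Reads the certificate the installed APK was actually signed with.
    public static String fromInstalledApp(Context ctx) throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        byte[] cert;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            cert = info.signingInfo.getApkContentsSigners()[0].toByteArray();
        } else {
            @SuppressWarnings("deprecation")
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            cert = info.signatures[0].toByteArray();
        }
        return redirectUri(pkg, cert);
    }

    // Compare against the redirect_uri value from auth_config.json (assumed to be passed in
    // by the caller); a mismatch means the broker will not be used for this build.
    public static boolean matchesConfigured(String configuredRedirectUri, Context ctx)
            throws PackageManager.NameNotFoundException {
        return configuredRedirectUri.equals(fromInstalledApp(ctx));
    }
}
```

Log the derived value once at startup in debug builds; if it differs from the configured one, the fix is on the registration or the signing config, not in the MSAL code.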
Our company is building an internal mobile app for corporate mobile devices. AirWatch is used as an MDM solution.
The app would have to access data from internal servers (by calling Web API services). Additionally, each user will have to use their AD (Active Directory) account to log in to the app (verified against internal AD records). I envision this can be done through a Web API service as well?
I've found that for existing applications AirWatch provides "App Wrapping" (link), which supposedly takes care of authentication and app tunneling (granting access and routing your mobile app to internal corporate servers using the AirWatch VPN).
However I don't have any info on how to implement this. Has anyone done anything similar? Any advice would be appreciated.
I've never done it before but according to the AirWatch documentation:
You can apply available AirWatch SDK and App Wrapping features to your internal applications to integrate your applications and add extra functionality.
Then you just have to implement your app, with or without the SDK (but I advise you to integrate it), and upload it to the AirWatch Console. There you can find a procedure to enable App Wrapping and configure its options.
Contact your AirWatch administrator to access the App Wrapping Guide, the Mobile Application Management Guide and the AirWatch Software Development Kit for Android.
What I want to do is log my users in via Google in my mobile app powered by Phonegap on Android.
To do so I use the Firebase SimpleLogin module, which logs me in correctly thanks to the "InAppBrowser" plugin.
My problem is that the webview powered by InAppBrowser does not have access to my Google credentials. I have to type them in manually each time.
Is there a way to tell the webview how to automatically get my Google credentials from my phone so that I don't have to type them in each time?
Thanks
Probably not. If you're only using the browser for auth, consider using Google+ Sign-in for Android instead.
The browser on Android, like web browsers in general, runs in a sandbox. This means it does not have access to system resources such as Android's AccountManager. This is done on purpose for security reasons.