In our current situation, our web-based application (SP) has already integrated SSO using the Spring Security SAML extension. Our product is a SaaS and we have different clients who may have different IDPs (Identity Providers) configured at their end. Now we're trying to provide SSO support to our mobile application.
After some search, I've come across 3 possible solutions which I could implement:
1) Using a Web View: When SAML is enabled for a client, the mobile app will embed a web view which renders the IDP login page upon opening the mobile app. A URL on the SP side will be hit which will trigger a SAML redirect back to the IDP. Thus the webview will carry out the SP-initiated login flow. However, as the webview does not use the cookie space, the user has to log in to the app every time the app is killed or the session expires. Also, as the webview is not a browser, I've read that it may not handle edge cases during the HTTP redirects.
2) Using the Native SSO App: IDPs generally provide a native SSO app through which the mobile app can log into the IDP. The mobile app can interact with the IDP's native application via SDKs provided by the respective IDP. But since our mobile app should be able to support SSO for many IDPs, if we follow this approach we may have to integrate with a separate native SSO app for each IDP. I'm not sure if this is plausible in our scenario.
3) Using OAuth and SAML: The third option is to add OAuth support to our mobile app. IDPs like Salesforce support OAuth to authorize mobile apps, but I'm not sure if all IDPs support OAuth, or how difficult it is to implement OAuth and SAML for a mobile app.
Could anyone tell me which approach is preferable in the above scenario, or whether there are any better approaches which I didn't consider? Any suggestions?
Many thanks!