SAML Authentication for Mobile and Thick Applications

We have been working with customers to help add SAML authentication to thick and mobile applications.  Since SAML is a web-based authentication flow, and not many SAML Identity Providers support the SAML Enhanced Client or Proxy (ECP) profile, the best option for adding SAML authentication to iOS, Android and thick applications is to use an embedded web browser.

Okta has published a good example of the embedded web browser approach for SAML authentication to an iOS application. In Okta’s example, OAuth is used to impersonate the logged-in user after a successful SAML authentication, but this extra step might not be necessary depending on your use case.

The diagram below shows a simplified version of the authentication flow without the extra OAuth step. Note that a SAML Service Provider is required as part of this architecture, and this approach will not work well if the customer's SAML Identity Provider is hidden behind a firewall.
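The embedded-browser flow described above, written out as an added Python example (not code from the original post or from Okta): the app opens the Service Provider's login URL in its embedded browser, the SP redirects to the IdP, and once the SP has validated the IdP's response it redirects the browser to a custom-scheme URL that the native app intercepts and exchanges for a session. The `sp.example` host, the `myapp://` scheme, the one-time handoff code and its 60-second lifetime are assumptions for the example; validation of the SAML assertion itself is assumed to be done by a real SAML library and is not shown.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

CODE_TTL = 60  # assumed lifetime (seconds) of a one-time handoff code


class ServiceProvider:
    """SP-side state for the embedded-browser flow (assertion validation not shown)."""

    def __init__(self):
        self.pending = {}  # RelayState -> time issued (outstanding logins)
        self.codes = {}    # one-time handoff code -> (subject, time issued)

    def start_login(self):
        # Step 1: the app loads this URL in its embedded browser; the SP
        # then redirects the browser on to the IdP with an AuthnRequest.
        relay = secrets.token_urlsafe(16)
        self.pending[relay] = time.time()
        return relay, "https://sp.example/saml/login?" + urlencode({"RelayState": relay})

    def assertion_consumer(self, relay_state, validated_subject):
        # Step 2: called after the SAML library has validated the IdP's POSTed
        # response at the ACS. An unknown or reused RelayState is rejected so a
        # response cannot be replayed into a login the app never started.
        if self.pending.pop(relay_state, None) is None:
            return None
        code = secrets.token_urlsafe(24)
        self.codes[code] = (validated_subject, time.time())
        # Redirect target for the embedded browser; the native app intercepts it.
        return "myapp://auth/done?" + urlencode({"code": code})

    def redeem(self, code, now=None):
        # Step 4: the app exchanges the code for a session over HTTPS.
        now = time.time() if now is None else now
        entry = self.codes.pop(code, None)  # single use: gone after first redemption
        if entry is None:
            return None
        subject, issued = entry
        if now - issued > CODE_TTL:
            return None
        return {"subject": subject, "session": secrets.token_urlsafe(32)}


def app_intercept(url):
    """Step 3: the native app sees the embedded browser navigate to the custom scheme."""
    parsed = urlparse(url)
    if parsed.scheme != "myapp" or parsed.netloc != "auth":
        return None  # only our own completion URL carries a handoff code
    return parse_qs(parsed.query).get("code", [None])[0]


def run_flow(sp, subject="alice@example.com"):
    relay, _login_url = sp.start_login()
    done_url = sp.assertion_consumer(relay, subject)  # IdP round trip elided
    return sp.redeem(app_intercept(done_url))
```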