What is the best SSO solution for a native mobile app which can support multiple IDPs?

Question

In our current situation, our web-based application(SP) has already integrated SSO using Spring Security SAML extension. Our product is a SaaS and we have different clients who may have different IDPs (Identity Providers) configured at their end. Now we're trying to provide SSO support to our mobile Application.

After some search, I've come across 3 possible solutions which I could implement:

1) Using a Web View: When SAML is enabled for a client, the mobile app will embed web view which renders the IDP login page upon opening the mobile app. A URL on SP side will be hit which will trigger a SAML redirect back to the IDP. Thus the webview will carry out the SP-initiated login flow. However, as the webview do not use the cookie space, the user has to login to the app, every time the app is killed or session expires. Also as webview is not a browser, I've read that it may not handle edge-cases during the HTTP redirects.

2) Using the Native SSO App: IDPs generally provide a native SSO app where mobile app can log into IDP. The mobile app can interact with IDP's native application via SDKs provided by the respective IDP. But since our mobile App should be able to support SSO for many IDPs, if we follow this approach we may have to integrate with multiple Native SSO apps for each IDP. I'm not sure if this a plausible in our scenario

3) Using OAuth and SAML: Third option is to add OAuth support to our mobile App. IDPs like Salesforce support OAuth to authorize mobile apps, but I'm not sure if all IDPs support OAuth and how difficult it is to implement OAuth and SAML for mobile App.

Could anyone tell me which approach is preferable in the above scenario or are there any better approaches which I didn't consider? Any suggestions?

Many thanks!

Answer 1

For mobile apps I think that OAuth2 or OpenID Connect is preferred over SAML. They work great with mobile solutions.

They also have the notion of a back channel for the communication with the authentication server. This means that you can safely fire up the device's default browser to do the sign in and benefit from any cookies in that one. Once the user has authenticated in the browser, the application will receive a token by the back channel where it calls the auth server.

If you have SAML-only Idps an option is to use an identity server to do the translation, that acts as a SAML2 SP and an OAuth server.