SSO for Android with SOTI Identity

Pre-requisites

  • Configure the SOTI IDP in Global Settings of the SOTI MobiControl web console.
  • A CA (Certificate Authority) to issue the certificates used for Android SSO. Create user-based certificate templates in Global Settings > Services > Certificate Authority.
    • When creating a certificate template, add a Subject Alternative Name with Alternative Name Type set to 'DNS Name' and Alternative Name Value set to 'Enrolled User IDP Refid' (the macro %ENROLLEDUSER_SOTIIDP_REFID%).
    • The certificate target must be 'User'.
  • Enrollment Policy
    • For a dedicated device, create an enrollment policy that uses IDP authentication.
    • For a shared device, enroll with an enrollment ID or QR code and configure shared device mode for the SOTI Identity group.
  • A compatible Android agent, version 15.4.3 or later.
  • SOTI Identity configuration:
    • Integrate the device users' Active Directory (AD) with SOTI Identity.
    • Integrate the native app's server or the web app's server with the SOTI IDP. Refer to the SOTI Identity documentation.
    • Add the root certificate, and the intermediate certificate if any, of the certificate authority to SOTI Identity.
    • Integrate any other IDP in use (such as Azure or Okta) with SOTI Identity.
  • For on-premises SOTI MobiControl, the Cloud Link Agent (CLA) must be integrated with both SOTI MobiControl and SOTI Identity.
  • SSO requires Android 7 or later.
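The SAN requirement in the certificate template is easy to get wrong (an Alternative Name Type other than DNS Name, or a value that is not the enrolled user's Refid), and the mistake only shows up as a failed sign-in. The script below is an added example and is not part of the SOTI documentation or product. It assumes the openssl command line is installed, uses self-signed certificates as stand-ins for the ones the MobiControl CA issues from the user template, and checks that a DNS Name SAN carries the user's Refid exactly. The Refid value, the certificate names and the email address are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the SOTI documentation: exercise the certificate template
# requirement with the openssl CLI. A self-signed certificate stands in for the one the
# MobiControl CA issues from the user template; the Refid values below are constructed.

# make_user_cert DIR NAME SAN_SPEC
# Writes DIR/NAME.crt (PEM) and DIR/NAME.key with the given subjectAltName spec.
make_user_cert() {
  dir="$1"; name="$2"; san="$3"
  cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $name
[ext]
subjectAltName = $san
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$dir/$name.cnf" -keyout "$dir/$name.key" -out "$dir/$name.crt" \
    >/dev/null 2>&1
}

# san_dns_names CERT
# Prints each DNS Name entry of the certificate's Subject Alternative Name, one per line.
# Entries of other types (email, URI, otherName) are dropped, so a template that used the
# wrong Alternative Name Type yields no output.
san_dns_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | sed -n 's/^DNS://p'
}

# check_sso_user_cert CERT REFID
# Succeeds only when a DNS Name SAN matches the enrolled user's Refid exactly
# (whole-line, fixed-string match, so a Refid that is a prefix of another does not pass).
check_sso_user_cert() {
  san_dns_names "$1" | grep -qxF -- "$2"
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Constructed stand-in for the value %ENROLLEDUSER_SOTIIDP_REFID% resolves to on a device.
REFID="user-7f3a9c2e"

make_user_cert "$WORK" good       "DNS:$REFID"                 # template as the page requires
make_user_cert "$WORK" wrongtype  "email:someone@example.com"  # Alternative Name Type set to Email
make_user_cert "$WORK" wrongvalue "DNS:other-user"             # DNS Name, but not this user's Refid

for name in good wrongtype wrongvalue; do
  if check_sso_user_cert "$WORK/$name.crt" "$REFID"; then
    echo "$name.crt: SAN carries DNS:$REFID"
  else
    echo "$name.crt: no DNS Name SAN for $REFID"
  fi
done
```

To check a real certificate, export it from the enrolled device or from the CA in PEM form and call check_sso_user_cert with the file and the user's Refid as shown in SOTI Identity; a certificate whose SAN was issued with a different type, or with the literal macro text instead of its value, fails the check.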

Single Sign On Payload

  • SOTI Identity Status must be enabled to save the profile.
  • Manage button - Opens the SOTI Identity configuration in Global Settings.
  • SOTI Identity URL - Non-editable field, populated from the URL configured in Global Settings.
  • Identity Certificate - The user certificate template selected in the Certificate payload.
  • Target Applications - Add application bundle identifiers to restrict SSO to specific applications. If no application is added, SSO is enabled for all applications registered with SOTI Identity.

Workflow

  • See Configuring SSO for Android with SOTI Identity for an overview of how to configure SSO from within the SOTI MobiControl web console.
  • Create an application policy to send managed applications to the device.
  • Create a profile with the following payloads:
    • Single Sign On
    • Certificate
    • Authentication
  • Enroll the device in SOTI MobiControl.
    • For shared devices, enroll the device with an enrollment ID or QR code, then log in to the SOTI MobiControl agent with one of the configured email IDs.
      • Send the profile after the shared-device login.
    • For dedicated devices, enroll with authentication-based enrollment (SOTI Identity).
  • Once the profile is applied, opening a native or web application registered with SOTI Identity signs the user in without prompting for the password again.
Note: To log a user out of a shared device, either:
  • Move the device to the parent group (where the SSO profile is not installed), or
  • Define a SOTI Identity user filter when assigning the profile to the device.
Note: Native applications that block HTTP traffic (for example, MS Teams and SharePoint) do not support this SSO.
Note: Logout from an application depends on the application's own behavior.