Overview of Mobile App SSO
Released on 12th May 2023, Mobile SSO is now available to all Humanforce customers (Cloud, Hosted and on-premise) using OIDC or SAML identity providers (IdPs).
Mobile SSO is opt-in, regardless of whether you are already using SSO for Humanforce Web or Backoffice. Note that enabling Mobile SSO will not enable SSO on Humanforce Web or Backoffice.
In this article, we'll explain:
- How employees log in using Mobile SSO
- How to enable Mobile SSO, including IdP requirements and setup for
- What happens to Mobile App access when you terminate a user in your IdP
How will my employees log in with SSO?
Once enabled, employees simply click Login with SSO and then enter their corporate email address to log in through your chosen identity provider.
How do I enable Mobile SSO?
We support Mobile SSO for identity providers using either the OIDC or SAML standards.
To enable Mobile SSO you need to:
- Set up Mobile SSO in your identity provider application. Depending on the type of identity provider your organisation uses, follow the steps below for:
- Contact your Humanforce account manager to enable Mobile SSO for your Humanforce account.
Set up Mobile SSO with an OIDC identity provider
To set up Mobile SSO with an OIDC identity provider:
- Create a new OIDC app integration in the identity provider (e.g. Okta, Azure AD). Set the application type to Native application.
- Set the grant type to Authorization code.
- Configure the Sign-in redirect URI with the value for your region (see Callback URLs below):
  AU: https://auth.humanforce.com/oauth2/idpresponse
  UK: https://auth.humanforce.co.uk/oauth2/idpresponse
- Enable PKCE if available.
- Note down the Client ID and Issuer URL (pictured below), as you will need to provide them to your Humanforce account manager so that the identity provider can be configured in our systems.
Now that you have set up your OIDC integration, let your Humanforce account manager know that you would like SSO enabled.
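The steps above describe a native app using the Authorization code grant with PKCE and one of the two Humanforce redirect URIs. The following added example (not Humanforce's code, and not from any IdP vendor) shows what that configuration means on the wire: it derives a PKCE verifier/challenge pair, builds the authorization request with the redirect URI for the chosen region, and checks that a callback actually arrived at the registered redirect URI with the expected state before the code is accepted. The issuer URL, client ID and authorization endpoint are placeholders; in practice the endpoint is read from the IdP's discovery document.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Redirect URIs from the article (Callback URLs per region).
REDIRECT_URIS = {
    "AU": "https://auth.humanforce.com/oauth2/idpresponse",
    "UK": "https://auth.humanforce.co.uk/oauth2/idpresponse",
}

# Placeholders (assumptions): replace with the values your IdP issues.
ISSUER_URL = "https://idp.example.invalid"
CLIENT_ID = "REPLACE_WITH_CLIENT_ID"
# Normally obtained from ISSUER_URL + "/.well-known/openid-configuration".
AUTHORIZE_ENDPOINT = ISSUER_URL + "/oauth2/v1/authorize"


def pkce_challenge_for(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh 43-character verifier (32 random bytes) and its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge_for(verifier)


def build_authorize_url(region: str, code_challenge: str, state: str,
                        client_id: str = CLIENT_ID,
                        authorize_endpoint: str = AUTHORIZE_ENDPOINT) -> str:
    """Authorization request for the 'Authorization code' grant with PKCE."""
    params = {
        "response_type": "code",          # authorization code grant
        "client_id": client_id,
        "redirect_uri": REDIRECT_URIS[region],
        "scope": "openid email profile",
        "state": state,                   # bound to this login attempt
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",  # PKCE
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def check_callback(callback_url: str, expected_state: str, region: str):
    """Return the authorization code only if the callback landed on the
    registered redirect URI for the region and carries the expected state;
    otherwise return None so the code is never exchanged."""
    got = urlparse(callback_url)
    want = urlparse(REDIRECT_URIS[region])
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return None
    query = parse_qs(got.query)
    if query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("AU", challenge, state))
    # The IdP would later redirect the browser to something like:
    sample = f"{REDIRECT_URIS['AU']}?code=CONSTRUCTED_CODE&state={state}"
    print("code accepted:", check_callback(sample, state, "AU"))
```

The verifier stays on the device; only the challenge goes into the request, and the verifier is sent with the code at the token endpoint, which is what stops an intercepted code from being redeemed by anyone else.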
Set up Mobile SSO with Microsoft Azure Active Directory (Azure AD)
Follow the steps in this article to set up Azure AD.
Set up Mobile SSO with a SAML 2.0 identity provider
Before you begin
You will need the following attributes to complete the process below.
Region | Sign-on URL | Audience URI (SP Entity ID)
--- | --- | ---
AU | https://auth.humanforce.com/saml2/idpresponse | urn:amazon:cognito:sp:ap-southeast-2_W7tgpw6cA
UK | https://auth.humanforce.co.uk/saml2/idpresponse | urn:amazon:cognito:sp:eu-west-1_Pu3GulRQe
To set up Mobile SSO with a SAML 2.0 identity provider:
- Create a new SAML 2.0 app integration in the identity provider (e.g. Okta, Azure AD).
- Add the sign-on URL (see values for each region above).
- Add the Audience URI (SP Entity ID) (see values for each region above).
- Add the following Attribute Statement:
  Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  Value: user.email (or the equivalent user email attribute for the chosen IdP)
- Save changes.
- Assign users to the new app integration.
- Provide the metadata XML document, or a URL referencing the document, to Humanforce so that the identity provider can be configured in our systems.
- Now that you have set up SAML 2.0, let your account manager know that you would like SSO enabled.
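The SAML steps above fix three values the service provider will look for in every assertion: the Audience (the SP Entity ID), the Recipient of the bearer confirmation (the sign-on URL) and an email attribute under the exact claim name. The following added example, which is not Humanforce's code, parses a constructed assertion and reports which of those three expectations fail for a given region, so that a mismatched attribute name or a UK assertion sent to the AU endpoint is caught before a login is accepted. The sample assertion and the issuer URL in it are constructed; a real service provider additionally verifies the XML signature against the IdP metadata and the NotBefore/NotOnOrAfter conditions, which this check does not cover.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute name required by the article.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Per-region values from the article's table.
REGIONS = {
    "AU": {"sign_on_url": "https://auth.humanforce.com/saml2/idpresponse",
           "entity_id": "urn:amazon:cognito:sp:ap-southeast-2_W7tgpw6cA"},
    "UK": {"sign_on_url": "https://auth.humanforce.co.uk/saml2/idpresponse",
           "entity_id": "urn:amazon:cognito:sp:eu-west-1_Pu3GulRQe"},
}

# Constructed sample: what a correctly configured IdP would send for the AU region.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://auth.humanforce.com/saml2/idpresponse"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>urn:amazon:cognito:sp:ap-southeast-2_W7tgpw6cA</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str, region: str):
    """Return (email, problems). problems is empty when the assertion carries
    the Audience, Recipient and email attribute expected for the region."""
    cfg = REGIONS[region]
    root = ET.fromstring(xml_text)
    problems = []

    # Audience must name this region's SP Entity ID.
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["entity_id"] not in audiences:
        problems.append("audience")

    # Bearer confirmation must be addressed to this region's sign-on URL.
    recipients = [d.get("Recipient") for d in root.findall(".//saml:SubjectConfirmationData", NS)]
    if cfg["sign_on_url"] not in recipients:
        problems.append("recipient")

    # The email claim must be present under the exact attribute name.
    email = None
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text and value.text.strip():
                email = value.text.strip()
    if email is None:
        problems.append("email_attribute")

    return email, problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "AU"))   # ('jane.doe@example.com', [])
    print(check_assertion(SAMPLE_ASSERTION, "UK"))   # audience and recipient mismatch
```

Running the same assertion against the wrong region shows why the table lists both values per region: an assertion minted for the AU entity ID is rejected by the UK service provider on both Audience and Recipient, which is the behaviour you want.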
Contact your Humanforce Account Manager
Once you've set up Mobile SSO in your identity provider, please contact your Humanforce Account Manager to request that Mobile SSO be enabled in your Humanforce account.
Please advise your Account Manager of:
- whether you would like SSO enforced for all employees during login (this will disable logging in via other methods)
- if using an OIDC identity provider, your Client ID and Issuer URL.
- if using a SAML 2.0 identity provider, the metadata XML document, or a URL referencing the document.
If I terminate a user in our IdP will that restrict access to the app?
This depends on your identity provider and its configuration. Generally, once a user has been deactivated in the identity provider, the user's authorisation token is invalidated immediately, and the user's access to the mobile app is revoked on the next HTTP request.