Open ID Connect Authentication Can Be Hosted or Pre-Configured in the EMS Mobile App

Hosted Configuration: The configuration can be hosted at a URL available to end users. The user will then enter that URL into the application. EMS Mobile App will download and use that information, and kick off the authentication process. When configured this way, users will launch the EMS Mobile App and see the EMS Server URL screen. Instead of entering an EMS Server URL, the user will tap About near the bottom right of the screen and select the option to Import SSO Configuration. The user will then tap Import Mobile app, which will direct the user to enter the Configuration URL. Then the user will tap Import.

Pre-Configured In EMS Mobile App: The configuration can be "baked" into the application. This requires re-signing, hosting, and re-distributing the EMS Mobile App within your organization. With a pre-configured EMS Mobile App, users do not need to import any Open ID configuration details. EMS Mobile App will launch with that configuration and use it directly.

How Users Authenticate After Configuration

Assuming the configuration data has been imported successfully, the authentication flow can begin. The EMS Mobile App shows the user the Open ID authorization web page (in a web view inside the app; the user might briefly see a busy indicator while the page loads), and the user authenticates there. The user plays no part in the remaining steps, which complete the Open ID flow; the user might simply see the screen change while they run.

Successful authentication redirects the user back to the EMS Mobile App. The app resumes the Open ID authentication process, retrieves an access_token from the identity provider, and forwards that access_token to the EMS Platform Services API. The API verifies the access_token by making a userinfo request, per the Open ID specification, and authenticates the user by matching the email field of the userinfo response (if one is provided) to an Everyday User in the EMS database. If the response contains no email field, the API instead tries to match the response's sub field to an Everyday User. (Open ID Connect defines sub as the identifier that is stable for a given user at a given IdP and is never reassigned, whereas an email address can change or be unverified; the standard email_verified claim states whether the IdP has confirmed it.) The API then responds to the EMS Mobile App. Once the Open ID workflow above has completed successfully, the EMS Mobile App takes the user to the Home screen. If the EMS Platform Services API is unable to verify the credentials, the EMS Mobile App informs the user based on that response.

How the Identity Provider (IdP) Works

The Identity Provider (IdP) handles the input and verification of end user credentials. It also issues and verifies tokens. The EMS Mobile App must be registered with the IdP. The client_id generated by this registration is required information for the configuration used by the EMS Mobile App and the Open ID flow.

How the EMS Platform Services API Works

The EMS Platform Services API receives the access_token from the EMS Mobile App and presents it, as a bearer token, to the IdP's userinfo endpoint for verification. The claims in the userinfo response are used to find a user in the EMS database (by email when the IdP supplies one, otherwise by sub, as described above). The API then responds to the EMS Mobile App based on the results of this process.
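
The server-side half of the flow described above (the userinfo verification and the email-then-sub lookup), written out as an added Python example; this is not EMS code and is not the EMS Platform Services API's implementation. The IdP's userinfo endpoint is replaced by a constructed in-memory stand-in so the example runs offline (a real deployment issues an HTTPS GET to the IdP's userinfo endpoint with the token in an Authorization: Bearer header), the tokens, claims and users are constructed sample data, the external_sub column on the Everyday User is a hypothetical name for wherever EMS stores the IdP's sub, and case-insensitive email comparison is an assumption the page does not state.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for the IdP's userinfo endpoint (not a real IdP).
# Keys are access tokens the IdP "issued"; values are the claims it returns.
# A real IdP answers HTTP GET <userinfo_endpoint> carrying the header
# "Authorization: Bearer <access_token>", and 401 for a token it does not accept.
FAKE_IDP_TOKENS = {
    "tok-alice": {"sub": "idp-sub-1001", "email": "alice@example.com"},
    "tok-bob":   {"sub": "idp-sub-1002"},                          # no email claim at all
    "tok-eve":   {"sub": "idp-sub-9999", "email": "nobody@example.com"},
}


def fake_userinfo(authorization_header: str) -> tuple[int, dict]:
    """Behave like a userinfo endpoint: (200, claims) or (401, error body)."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token not in FAKE_IDP_TOKENS:
        return 401, {"error": "invalid_token"}
    return 200, dict(FAKE_IDP_TOKENS[token])


@dataclass(frozen=True)
class EverydayUser:
    """Constructed stand-in for an EMS Everyday User row.

    external_sub is a hypothetical column holding the IdP's sub for that user.
    """
    user_id: int
    email: Optional[str]
    external_sub: Optional[str]


# Constructed sample table: Alice is linked by email, Bob only by sub.
USERS = [
    EverydayUser(1, "alice@example.com", None),
    EverydayUser(2, None, "idp-sub-1002"),
]


def verify_access_token(
    access_token: str,
    userinfo: Callable[[str], tuple[int, dict]] = fake_userinfo,
) -> Optional[dict]:
    """Step 1, the page's "userinfo request": present the token as a bearer token.

    Returns the claims, or None when the IdP rejects the token or omits sub
    (sub is required in a userinfo response, so its absence is also a failure).
    """
    status, body = userinfo(f"Bearer {access_token}")
    if status != 200 or not body.get("sub"):
        return None
    return body


def match_everyday_user(claims: dict, users: list[EverydayUser] = USERS) -> Optional[EverydayUser]:
    """Step 2, the page's lookup rule: email when the IdP supplied one, otherwise sub.

    As the page describes it, sub is consulted only when the response has no
    email field; an email that is present but matches nobody is a failure.
    """
    email = claims.get("email")
    if email:
        # Assumption: addresses compare case-insensitively (the page does not say).
        return next((u for u in users if u.email and u.email.lower() == email.lower()), None)
    return next((u for u in users if u.external_sub == claims["sub"]), None)


def authenticate(access_token: str) -> dict:
    """The API's answer to the app; the app informs the user based on it."""
    claims = verify_access_token(access_token)
    if claims is None:
        return {"status": "invalid_token"}            # IdP did not accept the token
    user = match_everyday_user(claims)
    if user is None:
        return {"status": "no_matching_user", "sub": claims["sub"]}
    return {"status": "ok", "user_id": user.user_id}


if __name__ == "__main__":
    for tok in ("tok-alice", "tok-bob", "tok-eve", "forged"):
        print(tok, "->", authenticate(tok))
```

Running the block shows the four outcomes the page distinguishes: a user found by email, a user found by sub when no email claim is returned, a valid token whose claims match no Everyday User, and a token the IdP rejects; the last two are the cases in which the app must tell the user that sign-in failed.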