SAML Authentication Can Be Hosted or Pre-Configured in the EMS Mobile App

Hosted Configuration – The configuration can be hosted at a URL available to end users. The user will then enter that URL into the application. EMS Mobile App will download and use that information, and kick off the authentication process. When configured this way, users will launch the EMS Mobile App and see the EMS Server URL screen. Instead of entering an EMS Server URL, the user will tap About near the bottom right of the screen and select the option to Import SSO Configuration. The user will then tap Import Mobile app, which will direct the user to enter the Configuration URL. Then the user will tap Import.

Pre-Configured In EMS Mobile App – The configuration can be "baked" into the application. This requires re-signing, hosting, and re-distributing the EMS Mobile App within your organization. With a pre-configured EMS Mobile App users do not need to import any SAML configuration details. EMS Mobile App will launch with that configuration and use it directly.

How Users Authenticate After Configuration

EMS Mobile App makes a request to the configured or default SAML URL

  • If the request redirects the user to the SAML authentication web page, the user will see that page in a web view inside EMS Mobile App.
  • The user might briefly see a busy indicator while the page loads.

Users will authenticate using the SAML authorization view. They do not participate in the steps that follow. They may, however, see the screen change during this process. Successful authentication will send an HTML response back to EMS Mobile App, which will silently POST the SAML form and response to the EMS Platform Services API. EMS Platform Services API will then parse the SAML response and find the corresponding user in the EMS database. Then EMS Platform Services API will respond to EMS Mobile App, which will direct the user to the Home screen. If the EMS Platform Services API is unable to verify the credentials, EMS Mobile App will present an error message informing the user.

How the Identity Provider (IdP) Works

The Identity Provider (IdP) handles the input and verification of end user credentials. It also issues and verifies tokens. The EMS Mobile App must be registered with the IdP. The client_id generated by this registration is required information for the configuration used by the EMS Mobile App and the SAML flow.

How the EMS Platform Services API Works

The EMS Platform Services API receives the access_token from the EMS Mobile App. The token is then sent to the userinfo endpoint for verification. The response from the userinfo endpoint is used to find a user in the EMS database. The API will then respond to the EMS Mobile App based on the results of this process.