Configuring Device Single Sign-On (SSO)

improve this page | report issue


IBM Mobile Foundation offers a Single Sign-On (SSO) feature which enables sharing the state of any custom security check between multiple applications on the same device. For example, by using Device SSO, users can successfully sign on to one application on their device and also be authenticated on other applications on the same device that uses the same implementation.

Prerequisite: Make sure to read the Authentication and Security tutorials.

Configuring SSO

In the MobileFirst Operations Console:

  1. Navigate to [your application] → Security tab → Security-Check Configurations section.
  2. Click the New button to create a new security check configuration, or the Edit icon if a security check configuration already exists.
  3. In the Configure Security-Check Properties dialog, set the Enable Device SSO setting to true and press OK.

Repeat these steps for each of the applications you want the enable Device SSO for.

Configuring Device SSO in the MobileFirst Operations Console

You can also manually edit the application’s configuration JSON file with the required configuration and push the changes back to a MobileFirst Server.

  1. From a command-line window, navigate to the project’s root folder and run the mfpdev app pull.
  2. Open the configuration file, located in the [project-folder]\mobilefirst folder.
  3. Edit the file to enable device SSO for your selected custom security check: device SSO is enabled by setting the enableSSO property of a custom security check to true. The property configuration is contained within a security-check object that is nested in a securityCheckConfigurations object. Locate these objects in your application descriptor file, or create them if they are missing. For example:

    "securityCheckConfigurations": {
         "UserAuthentication": {
             "enableSSO": true
  4. Deploy the updated configuration JSON file by running the command: mfpdev app push.

Using Device SSO with a Pre-Existing Sample

Read the Credential Validation tutorial because its sample is used to configure Device SSO.
For this demonstration, the Cordova sample application is used, however you can do the same also with the iOS, Android, and Windows sample applications.

  1. Follow the sample usage instructions.
  2. Repeat the steps with a different sample name and application identifier.
  3. Run both applications on the same device. Notice how in each application you are prompted for the pincode (“1234”).
  4. In the MobileFirst Operations Console, set Enable Device SSO to true for each of the applications, as instructed above.
  5. Quit both applications and try again. In the first application you open, you are prompted to enter the pincode once by tapping the Get Balance button. After you open the second application and tap the Get Balance button, you do not need to enter the pincode again to get the balance. ` Note that the PinCodeAttempts security check has a 60-second expiration token. Therefore, after one more attempt after 60 seconds, the second application requires a pincode.

pincode cordova sample application

Inclusive terminology note: The Mobile First Platform team is making changes to support the IBM® initiative to replace racially biased and other discriminatory language in our code and content with more inclusive language. While IBM values the use of inclusive language, terms that are outside of IBM's direct influence are sometimes required for the sake of maintaining user understanding. As other industry leaders join IBM in embracing the use of inclusive language, IBM will continue to update the documentation to reflect those changes.
Last modified on November 10, 2017