Enabling token based authentication

HCL Connections Cloud administrators can enable token based authentication for their Connections Mobile for iOS and Android users. This allows the Connections mobile app to use secure tokens for authentication instead of a user ID and password and provides support for single sign on with federated companies using an Identity Provider.

Overview

The following figure is a high-level flow diagram of how a mobile user logs in and then accesses the Connections server using token based authentication. The flow shown is for a mobile user belonging to a federated cloud company that has set up its own identity provider to allow single sign on with company credentials. Connections Mobile supports both federated and non-federated Connections Cloud customers when using token based authentication. In the case of a non-federated customer (not shown), all of the user authentication performed in steps 2, 3 and 4 is done within the cloud itself.

flow diagram of user login
  1. The mobile user creates a Connections account within the mobile app. The app discovers that this user's cloud company is enabled for token based authentication and launches a web view to handle the OAuth authorize request.
  2. The authorization server authorizes the application, but it also authenticates the user. The figure above shows the flow for a federated company using single sign on with Connections Cloud: within the web view, the mobile user is redirected to their company's identity provider to start the user authentication process.
  3. The customer's identity provider authenticates the mobile user, typically using a form or set of forms to validate the user's identity. The forms may also use one time pass codes or other credentials beyond just the company user ID and password.
  4. The encrypted SAML Response indicating a successful authentication and the identity of the user is returned to Connections Cloud for validation.
  5. Once a mobile user has been successfully authenticated, a short-lived authorization code is returned to the Connections Mobile app.
  6. The Connections mobile app closes the web view and uses the authorization code to request an access and refresh token from the Authorization server in Connections Cloud.
  7. The access token is used as the authorization credential for all Connections server API calls.
Advantages of using token-based authentication in Connections Mobile include:
  • Web based login forms: Since the user authentication itself now occurs within a web view, the login form is free to use more complex forms that incorporate JavaScript or other active scripting. For federated companies that have implemented single sign on with Connections Cloud using their own SAML 2.0 based identity provider, it is now possible to use the IdP's login forms to authenticate Connections Mobile users, so web and mobile users share identical login experiences. For this reason, all federated customers setting up their cloud based Connections companies are required to enable token based authentication for Connections Mobile.
  • Extended login time for mobile apps: Because the Mobile Server application uses multiple tokens for authentication, the expiration period of the access token can be set to a relatively short time while the refresh token time-out is set to a much longer interval. The user is validated every time the short-lived access token expires, but the mobile user is only interrupted to revalidate in the web view when the longer-lived refresh token has expired. For HCL Connections Cloud, the access token lifetime is 2 hours and the refresh token expiration is 90 days.
  • User ID and password are never stored on the device: When using token based authentication, the Connections Mobile Server application is never aware of any mobile user credentials such as a login ID or password. Since it never sees them, it does not need to save these sensitive credentials locally, which improves the overall security posture of the Mobile Server application.
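The login flow in steps 1 to 7 and the two token lifetimes from the "extended login time" point, simulated end to end as an added example (it is not HCL code and not the Connections Cloud implementation): an in-memory stand-in for the authorization server, a client that holds only tokens, and a fake clock that drives one API call per hour. The endpoints, token formats, the user alice@example.com, the 60 second authorization code lifetime and the assumption that a refresh token's lifetime is not extended by use are all constructed here; the 2 hour and 90 day lifetimes are the values stated above.

```python
# Simulation of the token based login flow described above (added example, not HCL
# code): the server, endpoints and token formats are constructed stand-ins, and
# the 60 s authorization code lifetime is an assumption the page does not state.
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

ACCESS_TOKEN_TTL = 2 * 60 * 60         # 2 hours, as stated for Connections Cloud
REFRESH_TOKEN_TTL = 90 * 24 * 60 * 60  # 90 days, as stated for Connections Cloud
AUTH_CODE_TTL = 60                     # assumption: the page only says "short-lived"


@dataclass
class AuthorizationServer:  # stand-in for the Connections Cloud authorization server
    clock: Callable[[], float] = time.time
    deactivated: set = field(default_factory=set)  # users the admin has removed
    _codes: dict = field(default_factory=dict)     # code -> (user, expiry)
    _refresh: dict = field(default_factory=dict)   # refresh token -> (user, expiry)

    def authorize(self, user_id: str, idp_authenticated: bool) -> str:
        # Steps 4-5: the IdP (or the cloud itself) validated the user; the app gets
        # only a short-lived, single-use code, never the password typed in the web view.
        if not idp_authenticated or user_id in self.deactivated:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (user_id, self.clock() + AUTH_CODE_TTL)
        return code

    def token(self, grant_type: str, **params: str) -> dict:
        # Step 6 (authorization_code) and the later silent renewals (refresh_token).
        now = self.clock()
        if grant_type == "authorization_code":
            user, exp = self._codes.pop(params["code"], (None, 0.0))  # single use
        else:  # refresh_token
            user, exp = self._refresh.get(params["refresh_token"], (None, 0.0))
        # Re-validated on every renewal, so a deactivation takes effect within 2 hours.
        if user is None or now > exp or user in self.deactivated:
            raise PermissionError("invalid_grant")
        reply = {"access_token": secrets.token_urlsafe(32), "expires_in": ACCESS_TOKEN_TTL}
        if grant_type == "authorization_code":
            # Refresh lifetime is fixed at login, not extended by use (assumed from the
            # statement above that credentials are re-entered every 90 days).
            reply["refresh_token"] = secrets.token_urlsafe(32)
            self._refresh[reply["refresh_token"]] = (user, now + REFRESH_TOKEN_TTL)
        return reply


@dataclass
class MobileClient:  # what the app keeps on the device: tokens, never a password
    server: AuthorizationServer
    clock: Callable[[], float] = time.time
    tokens: dict = field(default_factory=dict)  # access_token and refresh_token
    access_expires_at: float = 0.0
    web_view_logins: int = 0    # times the user was interrupted to log in
    silent_refreshes: int = 0   # renewals the user never noticed

    def login_via_web_view(self, user_id: str) -> None:
        # Steps 1-6: only the authorization code reaches the app, which swaps it at once.
        code = self.server.authorize(user_id, idp_authenticated=True)
        self._store(self.server.token("authorization_code", code=code))
        self.web_view_logins += 1

    def _store(self, reply: dict) -> None:
        self.tokens.update(reply)  # a refresh reply carries no new refresh token
        self.access_expires_at = self.clock() + reply["expires_in"]

    def call_api(self, user_id: str) -> str:
        # Step 7 plus the renewal logic from the "extended login time" point above:
        # returns the Authorization header the app would send with the API call.
        if self.clock() >= self.access_expires_at:
            try:
                self._store(self.server.token("refresh_token",
                                              refresh_token=self.tokens.get("refresh_token", "")))
                self.silent_refreshes += 1
            except PermissionError:
                self.login_via_web_view(user_id)  # refresh rejected: interrupt the user
        return "Bearer " + self.tokens["access_token"]


def simulate(days: int = 100, deactivate_at_hour: Optional[int] = None) -> dict:
    # One API call per hour on a fake clock for the constructed user alice@example.com.
    state = {"now": 0.0}
    server = AuthorizationServer(clock=lambda: state["now"])
    app = MobileClient(server=server, clock=lambda: state["now"])
    app.login_via_web_view("alice@example.com")
    locked_out_at = None
    for hour in range(days * 24):
        state["now"] = hour * 3600.0
        if hour == deactivate_at_hour:
            server.deactivated.add("alice@example.com")
        try:
            app.call_api("alice@example.com")
        except PermissionError:
            locked_out_at = hour
            break
    return {"web_view_logins": app.web_view_logins,
            "silent_refreshes": app.silent_refreshes, "locked_out_at_hour": locked_out_at}
```

Running simulate() for 100 days gives two web view logins (day 0 and day 90) and 1198 silent renewals, one every two hours, that the user never sees. simulate(days=1, deactivate_at_hour=1) shows the other side of the short access token: a user removed at hour 1 keeps working until the access token expires at hour 2, when the refresh is rejected and the forced web view login fails, so under these assumptions an administrator should expect up to a two hour window between removing a user and the mobile app losing access.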

FAQs

How do I enable token based authentication for Connections Mobile users in my company?
Your Connections Cloud company administrator must enable token based authentication using the Connections Mobile App Management properties of the Connections Cloud administration portal. As the company administrator, do the following:
  1. Log in to your Connections Cloud account and select Manage Organization from the Admin options in the top navigation bar.
  2. Select Connections Mobile App Management from the navigation column.
  3. In the General section, check the box next to Use token based authentication.
    Note: Once this option is changed and saved, any mobile devices that already had accounts with your company will be required to log in again using token based authentication. Review this article in its entirety before proceeding.
  4. Scroll to the bottom of the preferences and click Save.
If my company is a federated company, do I need to set a Mobile URL for my company which is shown on the administration portal under System Settings/Security?
No - the Mobile Login URL value will be ignored when Token based authentication is enabled.
If my company is a federated company using single sign on, what login URL does the mobile app use for my identity provider?
The mobile app uses the Web Browser Login URL that is specified as part of the company Security page when federated setup is completed. It is the same URL used by the web browser desktop applications.
Will enabling token based authentication cause any impact to other Connections Cloud mobile apps such as Verse, Chat or Meetings?
No - these Mobile Server applications will continue to use the authentication mechanisms supported and enabled for these applications.
If I have employees in my company already using Connections Mobile, what will happen when Token based authentication is enabled?
When token based authentication is first turned on, existing Connections Mobile users will be prompted to enter their Connections Cloud email ID. This is used to determine whether their company is a federated company using an Identity Provider for single sign on. If the ID belongs to a federated company, the user will then be asked to log in to their company's identity provider using their company credentials. If the company is not federated, the user will be asked for their Connections Cloud password.
Can I use a Connections Cloud application password instead of my company's credentials?
No - if your company is a federated company using an Identity Provider, you must use your company's credentials to log in.
How often will a mobile user be asked to manually enter their company or Connections Cloud credentials?
Every 90 days, as long as the user is still a valid cloud user.
As an administrator, can I disable token based authentication after I have enabled it?
Yes, it is possible. However, any Connections Mobile apps that have already authenticated using token based authentication will be required to enter the cloud ID and password that was used before token based authentication was enabled. Note that if you are a federated company, it may only be possible to use single sign on when token based authentication is enabled, so turning it off in this case may prevent your Connections Mobile apps from using Connections Cloud.
What version of the Connections Mobile app supports token based authentication?
Token based authentication with Connections Cloud has been supported in the mobile app since version 6.0.9 (August 2018), but it is always recommended to install the latest version of Connections Mobile that is available from your app store.
Are there any known restrictions when using token based authentication?
Yes - there are a few points to be aware of when using token based authentication.
  1. For federated customers using an Identity Provider, that IdP must be accessible from mobile devices. If your IdP is behind your company firewall and only accessible over a Virtual Private Network, then the VPN must be enabled on your company's mobile devices.
  2. The Connections Cloud security option Ignore IP range restrictions for applications is not supported when using token based authentication. When using token based authentication together with IP range restrictions, ensure that your mobile devices acquire an IP address from your defined range.