Understanding how Integrated Authentication (IA) through the Workspace ONE SDK handles user credentials
- The SDK has a shared keychain that is used by applications built with the Workspace ONE SDK. This shared keychain is only available on devices that are enrolled and have either the Workspace ONE Hub or the Container installed. Devices that were enrolled through the web and do not have the Hub or Container installed cannot use the shared keychain, because access is granted to other SDK apps only through the brokering app (Hub or Container).
- Apps using the Workspace ONE SDK can leverage the credentials stored in the shared keychain when presented with an HTTP 401 response. For example, if a user navigates to a website using the WS1 Web and the website requires user authentication, the Web app will attempt to use any credentials stored in the shared keychain.
- In certain situations, the user credentials may not be in the keychain. This can occur when using any enrollment process where the user does not directly enter in their password, such as in token enrollment or staging enrollment. In this event, when first presented with an HTTP 401 response the SDK app will prompt the user to enter their credentials, after which they will be stored in the keychain.
- Please note that Workspace ONE does not pull the user's password from LDAP. We rely on the user to input this information onto the device so that the shared keychain or the individual app can have that information as needed.
Example Integrated Authentication workflow
- A user navigates to a specified URL using the Workspace ONE Web.
- The endpoint requires authentication and sends an HTTP 401 response.
- The Workspace ONE Web receives the HTTP 401. It then confirms that Integrated Authentication is enabled.
- The Workspace ONE Web checks with the Broker/Anchor app (WS1 Hub or Container). If one of them is installed, the Workspace ONE Web will ask for the credentials in the shared keychain.
- The Broker/Anchor app sends the encrypted credentials to the requesting app; the Workspace ONE Web in this case.
- The Workspace ONE Web decrypts the credentials and passes them to the endpoint.
- The endpoint authenticates the request.
- If the authentication attempt fails, the Web will prompt the user for credentials.
- The Workspace ONE Web will save these new credentials and pass them the next time it is prompted with an HTTP 401 response. The Workspace ONE Web will effectively use these as "master credentials," as only a single set of credentials can be stored in the shared keychain.
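The workflow above, written out as a small simulation so the branches can be exercised: this is an added illustration, not SDK code, and the `BrokerApp`, `Endpoint` and `SdkApp` classes are hypothetical stand-ins (the real keychain access and the encryption of credentials in transit between broker and app are not modelled). It assumes credentials are saved only after the endpoint accepts them, which the article does not spell out.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Creds = Tuple[str, str]  # (username, password)

@dataclass
class BrokerApp:
    """Stand-in for the Hub/Container app that owns the shared keychain (hypothetical)."""
    installed: bool = True
    master: Optional[Creds] = None  # the single credential set the shared keychain holds

@dataclass
class Endpoint:
    """Constructed protected endpoint: answers 401 until a valid credential set is presented."""
    accounts: Dict[str, str]

    def request(self, creds: Optional[Creds]) -> int:
        if creds and self.accounts.get(creds[0]) == creds[1]:
            return 200
        return 401

@dataclass
class SdkApp:
    """Models an SDK app (e.g. Workspace ONE Web) handling a 401 with Integrated Authentication."""
    broker: BrokerApp
    ia_enabled: bool = True
    local: Optional[Creds] = None  # per-app store used when no broker app is present
    prompts: int = 0               # how often the user was asked; handy for checks

    def _load(self) -> Optional[Creds]:
        return self.broker.master if self.broker.installed else self.local

    def _save(self, creds: Creds) -> None:
        if self.broker.installed:
            self.broker.master = creds  # only one set fits: new creds replace the old ones
        else:
            self.local = creds

    def open_url(self, endpoint: Endpoint, prompt_user: Callable[[], Creds]) -> int:
        status = endpoint.request(None)            # anonymous request; endpoint answers 401
        if status != 401 or not self.ia_enabled:   # IA must be enabled to go further
            return status
        cached = self._load()                      # ask the broker (or the app's own store)
        if cached is not None and endpoint.request(cached) == 200:
            return 200                             # stored credentials accepted
        self.prompts += 1                          # nothing stored, or stored set rejected
        entered = prompt_user()
        status = endpoint.request(entered)
        if status == 200:                          # assumption: keep only an accepted set
            self._save(entered)
        return status
```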