Mobile login
About Mobile login
- When the Onegini IdP is configured to work with the Onegini Token Server, it is possible to use the Mobile Authentication functionality of the Onegini Token Server.
- When end-users use their mobile device in combination with an additional authentication method such as a PIN or fingerprint, this is called Mobile Login.
Below you can see the flow diagram for mobile login:
sequenceDiagram
participant u as User
participant idp as Onegini Identity Provider
participant ts as Onegini Token Server
participant ma as Mobile App
alt First user login - mobile login cookie not available
u->>+idp: Login
idp->>+ts: Is mobile login possible for user?
ts->>-idp: Result [true/false]
idp->>idp: Create cookie if mobile login possible
idp->>-u: Login success page
else Mobile login
u->>+idp: Mobile login
idp->>+ts: Initiate mobile authentication
ts->>-idp: transactionId
ts-->>+ma: PUSH mobile login request
u->>ma: Answer mobile login request
ma-->>-ts: Send mobile authentication response
ts-->>idp: Mobile authentication finished callback
idp->>+ts: Fetch mobile authentication result
alt Mobile login success
ts->>-idp: Login success
idp->>-u: Login success page
else Mobile login failure
ts->>idp: Login failure
idp->>u: Login page
end
end
Prerequisites
Ensure the following prerequisites:
- the Onegini IdP must be running,
- access to the Onegini IdP,
- you have previously configured Mobile Login.
How do I configure Mobile Login?
- Mobile Login requires access to the Onegini Token Server API. Please refer to the Onegini Token Server configuration.
- Set the time limit for using mobile login via the Authorization Token Expiration Time Property.
- To enable the settings for Mobile Login, click Configuration -> Identity Providers.
- Fill in the following fields:
Field name | Description |
---|---|
Mobile Login enabled | Enables/disables mobile login. |
Show Allow Mobile login for this device login option | If enabled, the end-user will see a checkbox on the login page where they can decide whether or not they want to use the mobile login feature from their current device. |
Authentication level | You can give the mobile login feature a specific authentication level or use the authentication level of the previous authenticator that the end-user used before logging in with mobile login. |
Authentication type | Mobile login authentication type (the mobile authentication type as defined in the Onegini Token Server) |
Allowed login attempts | Allowed number of consecutive failed or invalid login attempts with the Mobile login functionality. |
You can configure a message that the end-user will see on their mobile device when a mobile authentication request is sent:
- Add a custom message for the key personal.mobile.notification.login. If this key is not set in any message source, the message value is taken directly from the field Login Message in the Mobile Login section.
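The flow in the diagram above together with the Allowed login attempts field, modelled in memory as an added example (not Onegini code). All class and method names are hypothetical, and refusing mobile login once the limit is reached is an assumption about what the limit does.

```python
import secrets

class TokenServer:
    """Stand-in for the Token Server side of the diagram (hypothetical API)."""
    def __init__(self):
        self.results = {}                      # transactionId -> True/False/None
    def initiate(self, user):
        tx = secrets.token_hex(8)
        self.results[tx] = None                # push sent, no answer yet
        return tx
    def app_response(self, tx, accepted):      # the mobile app answers the push
        self.results[tx] = accepted
    def fetch_result(self, tx):
        return self.results.get(tx)

class IdP:
    def __init__(self, ts, allowed_attempts):
        self.ts, self.allowed = ts, allowed_attempts
        self.pending = {}                      # transactionId -> user
        self.failures = {}                     # user -> consecutive failures
    def start_mobile_login(self, user):
        if self.failures.get(user, 0) >= self.allowed:
            return None                        # assumed: back to the normal login
        tx = self.ts.initiate(user)
        self.pending[tx] = user
        return tx
    def on_finished_callback(self, tx):
        # The callback only says "finished"; the outcome is fetched from the TS.
        user = self.pending.pop(tx, None)      # unknown or replayed id
        if user is None:
            return "ignored"
        if self.ts.fetch_result(tx) is True:
            self.failures[user] = 0            # success resets the counter
            return "login success page"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "login page"

def demo():
    ts = TokenServer()
    idp = IdP(ts, allowed_attempts=2)
    out = []                                   # constructed sample run
    for answer in (True, False, False):
        tx = idp.start_mobile_login("alice")
        ts.app_response(tx, answer)
        out.append(idp.on_finished_callback(tx))
        out.append(idp.on_finished_callback(tx))   # same callback replayed
    out.append(idp.start_mobile_login("alice"))    # limit reached
    out.append(idp.on_finished_callback("forged-id"))
    return out
```

The IdP acts only on a transactionId it issued itself and reads the outcome from the Token Server, so a replayed or forged callback changes nothing.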
How does the user use Mobile Login?
Users will be able to log in with their mobile device when they:
- have coupled the account with the mobile app (that is using the Onegini Mobile SDK),
- have enabled Mobile Authentication with Push within the mobile app,
- have successfully logged in to the Onegini IdP at least once, after all other prerequisites have been met.