Mobile login

About Mobile login

  • When the Onegini IdP is configured to work with the Onegini Token Server, it is possible to use the Mobile Authentication functionality of the Onegini Token Server.
  • When end-users use their mobile device in combination with an additional authentication method such as a PIN or fingerprint, this is called Mobile Login.

Below you can see the flow diagram for mobile login:

sequenceDiagram
    participant u as User
    participant idp as Onegini Identity Provider
    participant ts as Onegini Token Server
    participant ma as Mobile App
    alt First user login - mobile login cookie not available
        u->>+idp: Login
        idp->>+ts: Is mobile login possible for user?
        ts->>-idp: Result [true/false]
        idp->>idp: Create cookie if mobile login possible
        idp->>-u: Login success page
    else Mobile login
        u->>+idp: Mobile login
        idp->>+ts: Initiate mobile authentication
        ts->>-idp: transactionId
        ts-->>+ma: PUSH mobile login request
        u->>ma: Answer mobile login request
        ma-->>-ts: Send mobile authentication response
        ts-->>idp: Mobile authentication finished callback
        idp->>+ts: Fetch mobile authentication result
        alt Mobile login success
            ts->>-idp: Login success
            idp->>-u: Login success page
        else Mobile login failure
            ts->>idp: Login failure
            idp->>u: Login page
        end
    end

Prerequisites

Ensure the following prerequisites are met:

  • the Onegini IdP is running,
  • you have access to the Onegini IdP,
  • you have previously configured Mobile Login.

How do I configure Mobile Login?

  1. Mobile Login requires access to the Onegini Token Server API. Please refer to the Onegini Token Server configuration.
  2. Set the time limit for using mobile login via the Authorization Token Expiration Time Property.
  3. To enable the settings for Mobile Login, click Configuration and then click Identity Providers.
  4. Fill in the following fields:

     | Field name | Description |
     |---|---|
     | Mobile Login enabled | Enables/disables mobile login. |
     | Show Allow Mobile login for this device login option | If enabled, the end-user will see a checkbox on the login page where they can decide whether or not they want to use the mobile login feature from their current device. |
     | Authentication level | You can give the mobile login feature a specific authentication level or use the authentication level of the previous authenticator that the end-user used before logging in with mobile login. |
     | Authentication type | Mobile login authentication type (the mobile authentication type as defined in the Onegini Token Server). |
     | Allowed login attempts | Allowed number of consecutive failed or invalid login attempts with the Mobile login functionality. |

You can configure a message that the end-user will see on their mobile device when a mobile authentication request is sent:

  1. Add a custom message for the key personal.mobile.notification.login. If this key is not set in any message source, the message value is taken directly from the Login Message field in the Mobile Login section.
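
The flow in the diagram above and the Allowed login attempts setting, modelled as an added Python example (not Onegini code; the class and method names are hypothetical and are not the Onegini Token Server API). It shows the IdP-side checks the diagram implies: the finished callback only triggers a fetch of the result for a transactionId the IdP itself started, each transactionId is accepted once, and consecutive failures are counted and reset on success. Assumptions: mobile login is refused once the allowed number of consecutive failures is reached, and the browser cookie is modelled as a server-side set.

```python
import secrets

class TokenServerModel:                      # hypothetical stand-in, not the real API
    def __init__(self, enrolled):
        # users with mobile authentication enabled; transactionId -> [user, app answer]
        self.enrolled, self.results = set(enrolled), {}

    def initiate(self, user):
        tx_id = secrets.token_urlsafe(16)    # unguessable transactionId
        self.results[tx_id] = [user, None]   # no answer from the mobile app yet
        return tx_id

    def app_answer(self, tx_id, accepted):   # mobile app's response to the push
        self.results[tx_id][1] = accepted

class IdpModel:
    def __init__(self, ts, allowed_attempts):
        self.ts, self.allowed = ts, allowed_attempts
        self.cookie, self.pending, self.failures = set(), {}, {}

    def first_login(self, user):             # "First user login" branch
        if user in self.ts.enrolled:         # "Is mobile login possible for user?"
            self.cookie.add(user)            # cookie modelled as a set (assumption)

    def start_mobile_login(self, user):      # "Mobile login" branch
        if user not in self.cookie or self.failures.get(user, 0) >= self.allowed:
            return None                      # assumption: mobile login is refused
        tx_id = self.ts.initiate(user)
        self.pending[tx_id] = user           # remember which user this id belongs to
        return tx_id

    def on_finished_callback(self, tx_id):
        user = self.pending.pop(tx_id, None) # each transactionId is accepted once
        if user is None:
            return "login page"              # unknown or replayed transactionId
        record = self.ts.results.get(tx_id)  # fetch the result; callback carries no verdict
        ok = record is not None and record[0] == user and record[1] is True
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return "login success page" if ok else "login page"

def run_demo():                              # constructed scenario and sample user
    ts = TokenServerModel(enrolled={"alice"})
    idp = IdpModel(ts, allowed_attempts=2)
    idp.first_login("alice")
    outcomes = []
    for answer in (True, False, False):      # one accepted request, two denied
        tx_id = idp.start_mobile_login("alice")
        ts.app_answer(tx_id, answer)
        outcomes.append(idp.on_finished_callback(tx_id))
    return outcomes + [idp.start_mobile_login("alice")]  # limit reached
```

Calling run_demo() returns the three page outcomes followed by the result of a fourth attempt made after the limit of two consecutive failures has been reached.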

How does the user use Mobile Login?

Users will be able to log in with their mobile device when they:

  • have coupled the account with the mobile app (that is using the Onegini Mobile SDK),
  • have enabled Mobile Authentication with Push within the mobile app,
  • have successfully logged in to the Onegini IdP at least once, after all other prerequisites have been met.