miniOrange provides a ready solution for Cordova applications that lets you log into your Cordova application with ADFS. This is done by creating an encrypted token that our server accepts, and then reading and verifying the returned JWT to access information about the signed-in user.
- You have to set up an External App in miniOrange. (This will provide the App Secret and Certificate required to generate the encrypted token.)
- You have to set up ADFS as an Identity Source in miniOrange.
- You have to add the miniOrange Broker service as a Relying Party in ADFS and set up claim rules to send the Username as an attribute to the App.
Follow the Step-by-Step Guide given below to integrate your Cordova app with ADFS through JWT Tokens:
Step 1: Create External App in miniOrange.
- Login to Admin Console
- After logging in; go to Apps > Manage Apps from the left menu.
- Click on Configure Apps button on the right upper corner.
- Go to Create Your Own App tab.
- Select (click) External App and then click on the Add App button.
- Enter Custom Application Name and Description.
- Enter Redirect-URL as https://login.xecurify.com/moas/jwt/mobile
- Set Enable User Mapping as No.
- Click on Save button.
- From the list of Apps, find the new External App you just added and click on the Download Certificate link against it. You will need the content of this certificate to validate the JWT Token signature later.
- Now, click on Edit to get the App Secret.
- Click on the "Click to reveal App Secret" link to find the App Secret. This App Secret will be required to generate the Encrypted Token.
Step 2: Getting The Customer Key and Token Key.
- In the Admin Console, go to Integrations > Custom App Integration from the left menu.
- Note down the Customer Key and Customer Token Key.
Step 3: Add ADFS as Identity Source in miniOrange.
- Click on Identity Sources from the left menu.
- Go to Add Identity Source button.
- Under the SAML tab, enter the following details:

| Field | Value |
|---|---|
| IdP Display Name | |
| (ADFS Single Sign-On URL field) | This is the ADFS Single Sign-On URL (e.g. https://adfs.example.com/adfs/ls/) |
| IdP Entity ID | This is the Entity ID value of ADFS (e.g. http://adfs.example.com/adfs/services/trust) |
| (Certificate field) | Add the content of the ADFS Token signing certificate here. |
- Click on Save button.
Step 4: Add Relying Party in ADFS.
- Under ADFS Management, right click on Relying Party Trusts and click on Add Relying Party Trust.
- Select Enter data manually option.
- Add a Display name to the relying party.
- Select ADFS Profile.
- Check the SAML 2.0 Web SSO Protocol option. Enter the Service URL as https://login.xecurify.com/moas/broker/login/saml/acs/customerKey, replacing the customerKey placeholder with the Customer Key retrieved in Step 2.
- Add the Relying Party Trust Identifier as https://login.xecurify.com/moas.
- Save the Relying Party configuration.
- Right click on the added Relying Party and click on Edit Claim Rules.
- Click on Add Rule and select the template Send LDAP Attributes as Claims. Set the claim rules as below.
- Click on Save.
Step 5: Creating Encrypted token and Reading JWT Token.
You will need the following for this step:
- App Secret
- Public Certificate
- Customer Key
- Token Key
- JSRASign - library for creation and validation of JWT Tokens.
Step a) Token Generation.
- You will need the App Secret, Customer Key, and Token Key from Steps 1 and 2 above in order to generate the encrypted token.
- Now, add the code given below in the index.js file, inside the buttonClick callback function.
Step b) Constructing URL containing Encrypted Token.
Note: The cipherText needs to be URL encoded.
Step c) Open URL in Cordova’s InAppBrowser.
Step d) Add a Listener to read JWT Token after authentication from ADFS.
Step e) Validate Signature in the JWT Token.
- To validate the signature you will need the Public Certificate downloaded in Step 1 above.
Step f) Verify Other JWT Token fields.
Step g) Get Subject from JWT Token.
Note: The JWT Subject contains the value received in the NameID of the SAML Response from ADFS.
Step 6: Test Sign On.
- Launch the Cordova application on an Android device or a virtual device.
- You will see a Login button.
- On clicking this button, you will be redirected to ADFS, where you will need to enter your ADFS credentials.
- Upon successful authentication, you will be redirected back and shown the username for which the token was issued.