Using Entrust for push notification authentication to enterprise servers (iOS only)
The PIV-D Manager app for iOS can handle push notifications that authenticate a non-AppConnect app to the app's enterprise server or web service with an Entrust derived credential. The enterprise server or web service (from here on called simply an enterprise server) must use SAML-based authentication.
In this scenario, the following steps occur:
1. A non-AppConnect app makes an authentication request to its SAML-based enterprise server.
2. The enterprise server responds to the app with a redirection request to the appropriate identity provider (IdP).
3. The IdP makes a request to an Entrust server.
4. The Entrust server sends an iOS push notification to the PIV-D Manager app.
5. The device user taps the notification to open the PIV-D Manager app. If necessary, control switches to MobileIron Go to prompt the device user for the secure apps passcode, and then control switches back to the PIV-D Manager app.
6. The PIV-D Manager app prompts the user to confirm the authentication request.
7. The user taps to confirm the authentication request.
8. The PIV-D Manager app signs the authentication request with the private key of the derived credential's authentication certificate, and sends the signed request to the Entrust server.
9. The Entrust server validates the signature on the authentication request, and tells the IdP to issue the SAML token to the app and to the app's enterprise server.
To set up this scenario:
1. Work with Entrust so that your IdP can interact with Entrust authentication services.
2. Configure derived credentials on MobileIron Cloud.
3. Activate an Entrust derived credential on your iOS device. See Setting up Entrust derived credentials during registration or Setting up Entrust derived credentials after registration.
What the device user experiences:
1. The device user opens a non-AppConnect app.
2. The user's iOS device receives a push notification for the PIV-D Manager to confirm the authentication to the app's enterprise server.
3. The user taps the notification to open the PIV-D Manager, and enters the secure apps passcode if prompted. The PIV-D Manager then displays a dialog box to confirm the authentication. If the PIV-D Manager is already in the foreground when the notification arrives, it displays the dialog box directly.
4. The user taps one of the following:
   - Confirm to confirm the authentication.
   - Cancel to cancel the authentication.
   - It Wasn't Me to indicate that the authentication request is fraudulent, that is, the user did not initiate it.
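The following is an added example, not code from MobileIron, Entrust or this page. It models the exchange in steps 3 through 9 of the scenario above, and the three user responses (Confirm, Cancel, It Wasn't Me) from the device-user section, as a small Python simulation of three parties: the Entrust server, the PIV-D Manager on the device, and the IdP. The message fields, the single-use challenge with an expiry, the server-side handling of "It Wasn't Me", and the tiny textbook RSA key are all assumptions made for illustration; Entrust's real wire protocol is not documented here, and a real derived credential signs with the private key of an X.509 authentication certificate, not with a toy key.

```python
"""Simulation of the Entrust push-authentication exchange (steps 3-9).

Added example; not Entrust or MobileIron code. Message formats, field names,
the challenge lifecycle and the textbook RSA key are assumptions.
"""
import hashlib
import json
import secrets
import time

# Toy key pair built from two Mersenne primes (assumption, NOT a real PIV key).
_P, _Q = (1 << 127) - 1, (1 << 89) - 1
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))
CHALLENGE_TTL = 120  # seconds a pending push challenge stays valid (assumption)


def _digest(data: bytes) -> int:
    # Truncate SHA-256 to 192 bits so the integer is below the ~2^216 toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:24], "big")


def canonical(ch: dict) -> bytes:
    """Bytes the device signs: binds the approval to one request, user, SP and nonce."""
    fields = {k: ch[k] for k in ("request_id", "user", "sp", "nonce")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class EntrustServer:
    """Steps 3, 4 and 9: issues push challenges and verifies signed confirmations."""

    def __init__(self):
        self.keys = {}        # user -> (n, e) from the registered authentication certificate
        self.pending = {}     # request_id -> challenge record with its status
        self.flagged = set()  # users who answered a push with "It Wasn't Me"

    def register(self, user, n, e):
        self.keys[user] = (n, e)

    def create_challenge(self, user, sp, now=None):
        """Called by the IdP (step 3). Returns the push payload sent to the device (step 4)."""
        if user in self.flagged:
            return None  # assumption: no further pushes after a fraud report
        ch = {"request_id": secrets.token_hex(8), "user": user, "sp": sp,
              "nonce": secrets.token_hex(16),
              "expires": (now if now is not None else time.time()) + CHALLENGE_TTL}
        self.pending[ch["request_id"]] = dict(ch, status="pending")
        return ch

    def verify_response(self, resp, now=None):
        """Step 9. Returns 'approved', 'denied' or 'fraud'; a challenge is decided only once."""
        ch = self.pending.get(resp.get("request_id"))
        if ch is None or ch["status"] != "pending":
            return "denied"  # unknown request, or a replayed response
        if (now if now is not None else time.time()) > ch["expires"]:
            ch["status"] = "expired"
            return "denied"
        if resp["decision"] == "it_wasnt_me":
            ch["status"] = "fraud"
            self.flagged.add(ch["user"])
            return "fraud"
        if resp["decision"] != "confirm":
            ch["status"] = "cancelled"
            return "denied"
        n, e = self.keys[ch["user"]]
        # Verify against the server's own stored copy of the challenge, not the response.
        ok = pow(resp["signature"], e, n) == _digest(canonical(ch))
        ch["status"] = "approved" if ok else "denied"
        return ch["status"]


class PivdManager:
    """Steps 5-8: holds the derived credential's private key and signs on Confirm."""

    def __init__(self, user, d, n):
        self.user, self._d, self._n = user, d, n

    def respond(self, push, decision):
        """decision is 'confirm', 'cancel' or 'it_wasnt_me', the three buttons in the dialog."""
        resp = {"request_id": push["request_id"], "decision": decision}
        if decision == "confirm":
            resp["signature"] = pow(_digest(canonical(push)), self._d, self._n)
        return resp


def idp_issue_token(entrust, resp, sp, now=None):
    """The IdP's side of step 9: a SAML-like assertion is issued only on 'approved'."""
    if entrust.verify_response(resp, now) != "approved":
        return None
    ch = entrust.pending[resp["request_id"]]
    return {"subject": ch["user"], "audience": sp, "authn_method": "push+derived-credential"}
```

Two properties of the model are worth noting because they are what make the push step meaningful. The signature covers the server's nonce and request ID, so a confirmation cannot be reused for a different login, and the server verifies against its own stored challenge, so a tampered response fails. A response also decides a challenge exactly once, which is what prevents replay of a captured confirmation.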