What It Is & How It Works
When a user launches WorkSimple, he typically goes through a two-stage authentication process. The user first authenticates to WorkSimple, which is how Capriza identifies the user and displays Zapps that are appropriate based on his group memberships. When a user launches a Zapp, he will then log in to the source application. (Of course, if the source application does not require login, the user will not be prompted.)
If you are using SAML authentication for WorkSimple, it may be possible to leverage this authentication for access to the source application. For this feature to operate, the source application must be integrated with the same SAML provider that is used for WorkSimple login, and recognize the session cookie(s) that are set when the WorkSimple session is initiated.
The system works as follows: a user launches WorkSimple on their mobile device. Once Capriza identifies him as a member of your organization, the user is taken to your IdP page and prompted to authenticate using his corporate credentials. Upon successful authentication, the IdP returns a SAML assertion and session cookie(s). Capriza then grants the user access to WorkSimple based on this assertion.
When the user launches the Zapp, the session cookie(s) are passed to the virtual browser, and the browser loads the start URL. Typically the start URL will redirect to your IdP for authentication, at which point the browser will present the session cookie(s) from the mobile device. The IdP confirms that the session cookie(s) are valid and redirects back to the source application without requiring the user to enter their credentials again; the user has gained access to the Zapp without having to log in a second time.
Configuring Single Sign On
Your Capriza Customer Success Manager will configure this on your behalf. We need three pieces of information in order to do so, and we can collaborate with you to identify them if necessary.
- Session cookie name(s): The names of one or more cookies that are set by the SAML IdP when a user logs in. For common IdPs like Microsoft ADFS and Okta, we can use the default values, unless you have customized your system.
- Cookie runtime URL(s): The list of domain(s) where the runtime server should present the session cookie(s). Typically this will be the same domain as the SAML IdP for WorkSimple login, but, if for some reason your source application redirects to a different domain for login, we need that domain name. This can be determined by logging in to the source application from a browser and observing the domain of the page that prompts for user credentials.
- WorkSimple session duration: It is critical to be aware of session duration when configuring Single Sign On. Be sure to identify the session durations both for your IdP and for any source applications using SSO. We need to ensure that the WorkSimple session ends before the IdP or source application session expires; this ensures the user is taken back to the WorkSimple SAML login rather than being asked to log in again while inside the Zapp. Therefore, the WorkSimple session duration should be set to the shortest of the IdP and source application session durations. The Capriza session is an absolute session duration, based on the time when a user initiates the session; we do not have an "idle timeout" value based on inactivity. Capriza can configure the Session Duration in our system, or you may specify it in the SAML assertion. (See "Expiration of Authentication Token" in SAML Integration for more details.)
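The following Python snippet is an added illustration of the three settings above, not Capriza's own code: it works out the longest WorkSimple session that still ends before every upstream session, flags upstream sessions that would expire inside a Zapp, and releases the configured session cookies only to a configured cookie runtime URL. All cookie names, domains and durations in it are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed example values; the real names, domains and durations
# come from your IdP and source applications, not from this snippet.
@dataclass
class SsoConfig:
    session_cookie_names: set       # cookies set by the SAML IdP at login
    cookie_runtime_urls: list       # domains the virtual browser may present them to
    idp_session: timedelta          # IdP session duration
    source_app_sessions: dict       # source app name -> its session duration
    worksimple_session: timedelta   # absolute WorkSimple session duration

def shortest_upstream_session(cfg):
    """Longest WorkSimple session that still ends before every upstream session."""
    return min([cfg.idp_session, *cfg.source_app_sessions.values()])

def sessions_that_expire_inside_zapp(cfg):
    """Upstream sessions shorter than the WorkSimple session: these would
    expire while the user is inside a Zapp and force a second login."""
    upstream = {"idp": cfg.idp_session, **cfg.source_app_sessions}
    return sorted(name for name, d in upstream.items() if d < cfg.worksimple_session)

def cookies_to_forward(cfg, cookie_jar, credential_prompt_url):
    """Pick the configured session cookies for the domain that prompts for
    credentials; any domain not listed as a cookie runtime URL gets nothing."""
    host = urlparse(credential_prompt_url).hostname
    allowed = {urlparse(u).hostname for u in cfg.cookie_runtime_urls}
    if host not in allowed:
        return {}
    return {n: v for n, v in cookie_jar.items() if n in cfg.session_cookie_names}

def session_active(started_at, now, cfg):
    """Absolute expiry measured from session start; there is no idle timeout."""
    return now < started_at + cfg.worksimple_session

CONFIG = SsoConfig(  # constructed
    session_cookie_names={"SSOSession", "SSOSessionAuth"},
    cookie_runtime_urls=["https://idp.example.com/adfs/ls/"],
    idp_session=timedelta(hours=8),
    source_app_sessions={"crm": timedelta(hours=4), "hr-portal": timedelta(hours=12)},
    worksimple_session=timedelta(hours=6),
)
COOKIE_JAR = {"SSOSession": "opaque-1", "SSOSessionAuth": "opaque-2", "tracking_id": "x"}
SESSION_START = datetime(2024, 1, 1, 9, 0)

if __name__ == "__main__":
    print("shortest upstream session:", shortest_upstream_session(CONFIG))
    print("would expire inside a Zapp:", sessions_that_expire_inside_zapp(CONFIG))
    print(cookies_to_forward(CONFIG, COOKIE_JAR, "https://idp.example.com/adfs/ls/?SAMLRequest=1"))
```

With the constructed values the 6-hour WorkSimple session outlives the 4-hour "crm" session, so the check reports "crm" and the WorkSimple duration should be lowered to 4 hours.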