Configuring Trust Between the Capriza Service and Organization IdP
SAML IdP configuration is performed by the Capriza team. Please contact your Customer Success Manager if you are interested in SAML integration.
To establish trust between Capriza and the enterprise IdP, you will need to provide Capriza with:
- The IdP endpoint URL
- The IdP certificate for the SAML request endpoint that Capriza authenticates against.
Capriza then associates that IdP endpoint and certificate with your organization.
Once configured, users launching the WorkSimple App are first redirected to the IdP endpoint for authentication. After authenticating, they can access the WorkSimple app, view the Zapps shared with them, and run any of them.
Capriza-Enterprise SAML IdP Authentication Workflow
Capriza uses a two-phase authentication process: first the user is authenticated when launching the WorkSimple app, then, for each Zapp, the user may need to log in to the source (backend) application.
With SAML integration, the Capriza WorkSimple login is replaced by the customer's SAML authentication flow. If the customer has implemented SSO for other enterprise applications, the authentication token obtained is also used to authenticate the user when running a Zapp against those applications.
WorkSimple app authentication flow is depicted in the figure below:
Until the mobile client holds an authentication cookie for Capriza Services, the user is not authenticated to run WorkSimple or enterprise Zapps.
The authentication steps are as follows:
- When WorkSimple is launched on the mobile device, a login request is sent to the Capriza Service (API).
- The Capriza Service, acting as the SAML SP, redirects the client to the SAML IdP with a SAML request.
- The user is prompted for authentication according to the solution used in that enterprise (user/password, OTP, etc.).
- The IdP replies to the mobile client with a cookie and a SAML response addressed to the SP (Capriza Service).
- The mobile client forwards the SAML response, containing the assertion for that user, to the Capriza Service.
- The Capriza Service issues an authentication token for the mobile device, authenticating the user (see expiration in the next section), and launches the WorkSimple app.
- Later, when the user starts a Zapp, the authentication token is forwarded to the runtime agent to authenticate the user on the Zapp's source application.
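The SP side of steps 2 and 5 above, as an added example that is not Capriza's code: the SP builds a SAML 2.0 AuthnRequest, encodes it for the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding, which is an assumption about the binding Capriza uses), records the request ID it issued, and later accepts a SAML response only if its InResponseTo matches an outstanding request, exactly once. The IdP URL, SP entity ID and assertion consumer URL are hypothetical placeholders.

```python
import base64
import secrets
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs, urlparse
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholder values; in practice the IdP endpoint comes from the Org configuration.
IDP_SSO_URL = "https://idp.example.com/sso/saml"        # hypothetical IdP endpoint URL
SP_ENTITY_ID = "https://sp.example.com/metadata"        # hypothetical SP entity ID
SP_ACS_URL = "https://sp.example.com/saml/acs"          # hypothetical assertion consumer URL


def new_request_id() -> str:
    # SAML IDs are XML NCNames and may not start with a digit, hence the underscore prefix.
    return "_" + uuid.uuid4().hex


def build_authn_request(request_id: str, issue_instant: datetime) -> str:
    """Return the AuthnRequest XML the SP sends to the IdP (step 2)."""
    instant = issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15) then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect(encoded: str) -> str:
    """Inverse of encode_redirect; used here to show the round trip an IdP performs."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def build_redirect_url(pending: dict, now: datetime = None) -> str:
    """Create a request, remember its ID so the response can be matched, and return the redirect URL."""
    now = now or datetime.now(timezone.utc)
    request_id = new_request_id()
    pending[request_id] = now  # outstanding request IDs keyed to their issue time
    query = urlencode({
        "SAMLRequest": encode_redirect(build_authn_request(request_id, now)),
        "RelayState": secrets.token_urlsafe(16),  # opaque state echoed back by the IdP
    })
    return f"{IDP_SSO_URL}?{query}"


def request_id_from_url(url: str) -> str:
    """Decode the SAMLRequest query parameter back to XML and return its ID attribute."""
    params = parse_qs(urlparse(url).query)
    return ET.fromstring(decode_redirect(params["SAMLRequest"][0])).get("ID")


def accept_in_response_to(pending: dict, in_response_to: str) -> bool:
    """Step 5 check: accept a response only for an outstanding request, and only once,
    so an unsolicited or replayed response is rejected."""
    return pending.pop(in_response_to, None) is not None


if __name__ == "__main__":
    outstanding = {}
    url = build_redirect_url(outstanding)
    rid = request_id_from_url(url)
    print(url)
    print("matched:", accept_in_response_to(outstanding, rid))
    print("replay matched:", accept_in_response_to(outstanding, rid))
```

The pending map stands in for whatever server-side store the SP uses; in production it also needs an expiry so stale request IDs are purged, and signature verification of the response happens before the InResponseTo check is trusted.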
Expiration of Authentication Token
The authentication token can be stored on the mobile device as a cookie in the WorkSimple app's cookie storage. The token is valid for as long as defined in the SAML assertion from the IdP's SAML response or, if not defined there, for the duration specified in the Org configuration, or 180 days by default. The SAML assertion may specify the session duration either via the attribute SessionNotOnOrAfter (as an absolute time) or via the custom attribute SessionDuration (as a value in seconds).
For the lifetime of the cookie, the client remains authenticated and the Capriza-IdP flow is not initiated again.
As a best practice, if the session duration is not specified in the SAML assertion, inform Capriza of your IdP session duration so that the Org configuration can be set to an equivalent value. Otherwise, the user may remain inside WorkSimple without a valid session cookie and be required to log in to the Zapp, negating the benefit of SSO.
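The precedence described in this section, as an added example that is not Capriza's code: derive the token expiry from the assertion's SessionNotOnOrAfter, else from the custom SessionDuration attribute, else from the Org configuration, else the 180-day default. It assumes SessionNotOnOrAfter takes precedence over SessionDuration when both are present, and that the custom SessionDuration attribute is carried in the assertion's AttributeStatement; the three sample assertions are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_SESSION = timedelta(days=180)  # page default when nothing else is configured

# Constructed sample assertions (signature and other elements omitted for brevity).
ASSERTION_ABSOLUTE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z" '
    'SessionNotOnOrAfter="2024-05-01T20:00:00Z"/></saml:Assertion>'
)
ASSERTION_DURATION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z"/>'
    '<saml:AttributeStatement><saml:Attribute Name="SessionDuration">'
    '<saml:AttributeValue>3600</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion>'
)
ASSERTION_NONE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z"/></saml:Assertion>'
)


def parse_saml_instant(value: str) -> datetime:
    """SAML dateTime values are UTC, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_duration_attribute(root: ET.Element):
    """Return the integer SessionDuration attribute value, or None if absent or malformed."""
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "SessionDuration":
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text and value.text.strip().isdigit():
                return int(value.text.strip())
    return None


def token_expiry(assertion_xml: str, now: datetime, org_session_seconds: int = None) -> datetime:
    """Compute when the authentication token expires, using the page's precedence:
    assertion (SessionNotOnOrAfter, then SessionDuration), then Org configuration, then 180 days."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is not None and stmt.get("SessionNotOnOrAfter"):
        return parse_saml_instant(stmt.get("SessionNotOnOrAfter"))
    seconds = session_duration_attribute(root)
    if seconds is not None:
        return now + timedelta(seconds=seconds)
    if org_session_seconds is not None:
        return now + timedelta(seconds=org_session_seconds)
    return now + DEFAULT_SESSION


def token_is_valid(expiry: datetime, now: datetime) -> bool:
    """The cookie keeps the client authenticated until the expiry instant."""
    return now < expiry


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    for name, xml in (("absolute", ASSERTION_ABSOLUTE), ("duration", ASSERTION_DURATION), ("none", ASSERTION_NONE)):
        print(name, token_expiry(xml, now).isoformat())
    # With the Org configuration set to match the IdP session (here 8 hours), the token
    # does not outlive the IdP session when the assertion carries no duration.
    print("org-configured", token_expiry(ASSERTION_NONE, now, org_session_seconds=8 * 3600).isoformat())
```

The last print shows the situation the best-practice note warns about: with no duration in the assertion and no Org configuration value, the token lives 180 days, far longer than a typical IdP session, so the Org configuration value is what keeps the two in step.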