The mobile application supports Single Sign-on to facilitate access to the application with different login platforms. So if your organization is using SAML, LDAP, or Google authentication, once it is configured you can simply log in to the mobile application with the supported login mechanisms.
Once the OpenID configuration is set up with the required provider information, the alternative login mechanisms will be displayed when you open the application, as shown below.
The system will support the following SSO options:
- LDAP
- SAML (e.g., Okta)
- Social Media IdPs (e.g., Google IdP)
Login with LDAP
Users shall be able to use the LDAP username and password to access the system by choosing Login with OrangeHRM on the Authentication method selection page.
Login with SAML
If the user selects Login with a SAML IdP (e.g., Login with Okta) as the authentication method, the device web browser (e.g., Chrome, Safari, etc.) will open and direct the user to the relevant SAML authentication endpoint page, where they will be required to sign in with SAML IdP credentials. If the user is already signed in to the SAML IdP, the browser will skip the IdP sign-in page and redirect to the OrangeHRM application, granting login access to the mobile app.
How does the SSO implementation work in Mobile Products with SAML
As the graphic suggests, the generic approach is to:
- Get the user authenticated with Okta and generate the grant token from the Identity Provider.
- Send the grant token via a web API and request the required access token and refresh token.
SSO Workflow
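The grant-token exchange above, together with the logout behaviour listed in the table below, can be modelled in a few lines. This is an added example, not OrangeHRM code: the class, method and field names are hypothetical, and it assumes the web API re-checks the local account on every request but consults the IdP only at sign-in.

```python
import secrets
import time


class TokenService:
    """Toy model (hypothetical names) of the web API that swaps an IdP grant for app tokens."""

    def __init__(self, session_ttl=900):
        self.session_ttl = session_ttl
        self.idp_blocked = set()   # accounts deleted/deactivated at the IdP
        self.hrm_blocked = set()   # accounts deleted/disabled in the HR system
        self.grants = {}           # grant token -> username
        self.sessions = {}         # access token -> (username, expiry)
        self.refresh = {}          # refresh token -> username

    def idp_sign_in(self, user):
        """Stands in for the browser sign-in at the IdP; returns a grant token."""
        if user in self.idp_blocked:
            raise PermissionError("IdP rejected sign-in")
        grant = secrets.token_urlsafe(16)
        self.grants[grant] = user
        return grant

    def exchange(self, grant, now=None):
        """Swap a grant token for (access, refresh). A grant works exactly once."""
        user = self.grants.pop(grant, None)
        if user is None or user in self.hrm_blocked:
            raise PermissionError("invalid grant")
        now = time.time() if now is None else now
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.sessions[access] = (user, now + self.session_ttl)
        self.refresh[refresh] = user
        return access, refresh

    def call_api(self, access, now=None):
        """Every request re-checks the local account and the session expiry."""
        now = time.time() if now is None else now
        user, expiry = self.sessions.get(access, (None, 0))
        if user is None or user in self.hrm_blocked or now >= expiry:
            self.sessions.pop(access, None)
            raise PermissionError("logged out")
        return user


def walk_through():
    """Constructed scenario: an account deactivated at the IdP after sign-in."""
    svc, t0 = TokenService(session_ttl=900), 1_000.0
    grant = svc.idp_sign_in("alice")
    access, _refresh = svc.exchange(grant, now=t0)
    results = {}
    svc.idp_blocked.add("alice")               # deactivated at the IdP only
    results["after_idp_block"] = svc.call_api(access, now=t0 + 60)
    try:
        svc.call_api(access, now=t0 + 901)     # session timeout reached
    except PermissionError:
        results["after_timeout"] = "logged out"
    try:
        svc.idp_sign_in("alice")               # a fresh sign-in is refused
    except PermissionError:
        results["new_sign_in"] = "rejected"
    return results
```

In this model the session lifetime is the upper bound on how long an account removed only at the IdP keeps working, so a shorter `session_ttl` narrows that window.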
SSO Logout Scenarios
The following table shows how the application behaves in each scenario where the user is logged out of the application.
User logs out from the mobile app
Opening the app (after closing) | Directs the user to the "OrangeHRM Login" page. User shall be able to log back into the system using their OrangeHRM/LDAP username and password. | User will be logged out and directed to the "Connect" page. When tapping on the "Connect" button, the user will be validated back into the system using the selected authentication method. Tapping on the Instance URL in the Connect page will direct the user to the Config URL page. |
Opening the app (after running the app in the background) | Directs the user to the "OrangeHRM Login" page. User shall be able to log back into the system using their OrangeHRM/LDAP username and password. | User will be logged out and directed to the "Connect" page. When tapping on the "Connect" button, the user will be validated back into the system using the selected authentication method. Tapping on the Instance URL in the Connect page will direct the user to the Config URL page. |
User already viewing the app when the main scenario occurs | Directs the user to the "OrangeHRM Login" page. User shall be able to log back into the system using their OrangeHRM/LDAP username and password. | User will be logged out and directed to the "Connect" page. When tapping on the "Connect" button, the user will be validated back into the system using the selected authentication method. Tapping on the Instance URL in the Connect page will direct the user to the Config URL page. |
Session Timeout
Opening the app (after closing) | Directs the user to the "OrangeHRM Login" page. User shall be able to log back into the system using their OrangeHRM/LDAP username and password. | User will be logged out and directed to the "Connect" page. When tapping on the "Connect" button, the user will be validated back into the system using the selected authentication method. Tapping on the Instance URL in the Connect page will direct the user to the Config URL page. |
Opening the app (after running the app in the background) | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed upon opening the app. Directs the user to the "OrangeHRM Login" page. User shall be able to log back into the system using their OrangeHRM/LDAP username and password. | User will be logged out and directed to the "Connect" page. When tapping on the "Connect" button, the user will be validated back into the system using the selected authentication method. Tapping on the Instance URL in the Connect page will direct the user to the Config URL page. |
User already viewing the app when the main scenario occurs | If the user keeps the app idle until the session timeout occurs, "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). Directs the user to the "OrangeHRM Login" page. User shall be able to log back into the system using their OrangeHRM/LDAP username and password. | If the user keeps the app idle until the session timeout occurs, "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Connect" page. When tapping on the "Connect" button, the user will be validated back into the system using the selected authentication method. Tapping on the Instance URL in the Connect page will direct the user to the Config URL page. |
User Account is deleted from the OrangeHRM system
Opening the app (after closing) | User will be logged out and directed to the "OrangeHRM Login" page. | User will be logged out and directed to the "Select Authentication method" page. |
Opening the app (after running the app in the background) | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
User already viewing the app when the main scenario occurs | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
When User account is disabled in OrangeHRM System
Opening the app (after closing) | User will be logged out and directed to the "OrangeHRM Login" page. | User will be logged out and directed to the "Select Authentication method" page. |
Opening the app (after running the app in the background) | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
User already viewing the app when the main scenario occurs | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
When Admin changes user password via "Edit User" Option
Opening the app (after closing) | User will be logged out and directed to the "OrangeHRM Login" page. | User will be logged out and directed to the "Select Authentication method" page. |
Opening the app (after running the app in the background) | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
User already viewing the app when the main scenario occurs | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
When Admin resets the password via "Edit User" Option (Only available if configured from "Default Authentication Settings")
Opening the app (after closing) | User will be logged out and directed to the "OrangeHRM Login" page. | User will be logged out and directed to the "Select Authentication method" page. |
Opening the app (after running the app in the background) | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
User already viewing the app when the main scenario occurs | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
When ESS User changes the password via "Menu - Change Password" Screen
Opening the app (after closing) | User will be logged out and directed to the "OrangeHRM Login" page. | User will be logged out and directed to the "Select Authentication method" page. |
Opening the app (after running the app in the background) | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
User already viewing the app when the main scenario occurs | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
When ESS User changes the password using forgot password link
Opening the app (after closing) | User will be logged out and directed to the "OrangeHRM Login" page. | User will be logged out and directed to the "Select Authentication method" page. |
Opening the app (after running the app in the background) | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
User already viewing the app when the main scenario occurs | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
When the employee is Terminated
Opening the app (after closing) | User will be logged out and directed to the "OrangeHRM Login" page. | User will be logged out and directed to the "Select Authentication method" page. |
Opening the app (after running the app in the background) | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
User already viewing the app when the main scenario occurs | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "OrangeHRM Login" page. | "Connection Error! Operation Couldn't Be Completed" toast message will be displayed on the current page when the user attempts to perform an action (e.g., navigating to a page, button taps, etc.). User will be logged out and directed to the "Select Authentication method" page. |
Upon Password expiry from OrangeHRM system
Opening the app (after closing) | User will be logged out and directed to the "OrangeHRM Login" page. | User will be logged out and directed to the "Select Authentication method" page. |
Opening the app (after running the app in the background) | User will not be logged out from the mobile app and will be able to perform actions until logout/session timeout occurs. | User will not be logged out from the mobile app and will be able to perform actions until logout/session timeout occurs. |
User already viewing the app when the main scenario occurs | User will not be logged out from the mobile app and will be able to perform actions until logout/session timeout occurs. | User will not be logged out from the mobile app and will be able to perform actions until logout/session timeout occurs. |
If the alternative SSO login credentials are unassigned from OrangeHRM account
Opening the app (after closing) | N/A | User will be logged out and directed to the "Select Authentication method" page. |
Opening the app (after running the app in the background) | User will not be logged out from the mobile app and will be able to perform actions until logout/session timeout occurs | ||
User already viewing the app when the main scenario occurs | User will not be logged out from the mobile app and will be able to perform actions until logout/session timeout occurs | ||
User account is deleted in an alternative login server
Opening the app (after closing) | N/A | User will be logged out and directed to the "Select Authentication method" page. |
Opening the app (after running the app in the background) | User will not be logged out from the mobile app and will be able to perform actions until logout/session timeout occurs | ||
User already viewing the app when the main scenario occurs | User will not be logged out from the mobile app and will be able to perform actions until logout/session timeout occurs | ||
User account is deactivated in an alternative login server
Opening the app (after closing) | N/A | User will be logged out and directed to the "Select Authentication method" page. |
Opening the app (after running the app in the background) | User will not be logged out from the mobile app and will be able to perform actions until logout/session timeout occurs | ||
User already viewing the app when the main scenario occurs | User will not be logged out from the mobile app and will be able to perform actions until logout/session timeout occurs | ||
The alternative login password is changed
Opening the app (after closing) | N/A | User will be logged out and directed to the "Select Authentication method" page. |
Opening the app (after running the app in the background) | User will not be logged out from the mobile app and will be able to perform actions until logout/session timeout occurs | ||
User already viewing the app when the main scenario occurs | User will not be logged out from the mobile app and will be able to perform actions until logout/session timeout occurs |