Android Application Question

Marc Boorshtein mboorshtein at gmail.com
Tue Jan 3 17:09:18 EST 2017


> I've found a few applications that use embedded web panes but I'd rather
> not go that route, if possible.  I'd rather use the ECP approach.
>
I would use the system web browser (NOT an embedded one).  This is the
guidance Google uses for apps that authenticate with Google IDs and there
are multiple other benefits:

1.  If the IdP adds additional security such as multi-factor authentication,
your app doesn't need to change
2.  Letting users see their "normal" login page lets them see that they're
not giving their credentials to a bad actor
3.  Collecting someone's credentials means you are now responsible for them
(even if it's only in memory)
4.  ECP does NOT define a standard for authentication.  It's mostly used
with basic authentication but that is more out of convenience than anything
else


I run a multi-jurisdictional identity provider now and we are trying to
integrate with an app developer that didn't integrate the system browser
and they have to go back and make updates to their code to get it to work.
WebEx is a great example of a mobile app that uses the system browser for
SSO.