Below are the instructions for connecting an SSO authentication service to the Chemwatch mobile application: Your IDP service must support the OAuth 2.0 PKCE or OIDC protocol for authentication and authorisation.
For integration with your service, we need the following information:
clientId (sometimes called client credentials).
clientSecret (client credentialsif you are using an IDP that requires the use of a client secret).
authorizeUrl.
accessTokenUrl.
userInfoUrl.
Add our redirect URL: net.chemwatch.walkabout://oauth2redirect.
You can also specify the scope that should be available for getting obtaining user information about the user and select the exact field representing the username.
Please If you have guest user credentials — please provide us with a temporary SSO username and password to check it out.
Specific to MS Azure
temporary access to test it, this may speed up the SSO setup process.
Below, we list some tips for the most common IDPs outlining the required steps for the specific platform. Please note that if you are using a custom IDP and it requires certain actions beyond the standard OAuth2.0 protocol, you will need to provide the complete data yourself.
Currently, our application is configured to work primarily with OAuth2.0 PKCE. It also has OIDC support.
Microsoft Entra ID
1. When registering the Smarter Suite app in Azure, the optional redirect field must be selected as a public client/native(mobile & desktop) app for mobile apps. Mobile apps have a different redirect URL structure and always start with customScheme.://. It needs to be exactly net.chemwatch.walkabout://oauth2redirect Otherwise, the mobile app won't work with your AzureAD setupclient. Please see the below image for your the reference.
...
2. If you didn’t specify the redirect URL when registering the app as above, please add the net.chemwatch.walkabout://oauth2redirect URL to the AzureAD console as an allowed redirect, or else our app will fail the AzureAD security check on login. This can be done in the "Authentication" section which should be second from the top under the “Manage” menu in the left pane.
...
On the "Authentication" screen, please add the mobile and desktop apps category (1). After that, it will be possible to add net.chemwatch.walkabout://oauth2redirect as a redirect URL here (2). It is extremely important to add the correct redirect URL otherwise the Smarter Suite app will not be able to receive a response from your IDP.
...
3. In the “API permissions”, you need to add "email" for from Microsoft Graph (delegated permissions) because we use the user's email address for authentication purposes. Please see the below image for your reference. If you would like to use OIDC instead of Oauth2.0 PKCE — you must also add the openid from the same graph section.
...
4. Please take a look at the screenshot below. We marked several zones with numbers so you can understand where to get the relevant data.
authorization URL — number 1
accessToken URL — number 2
userInfo URL — number 3
...
Specific to For OIDC users only — please let us know the following endpoint: OpenID Connect metadata document.
...
Google Workspace
Please provide us with the following.
...
app store id — 1547225480
team id — AD5M8U9NQL
This The above is a very important step because Google has strict limits and each client is only eligible for one mobile app and mobile platform at a time.
After two clients are successfully created, please provide us with the below info from each of the clients separately. This data can be downloaded as a text file directly from the client's window in the GCP console (there is a special button for this called "download plist" for iOS and "download json" for Android). These files will contain info such as client_id, auth_uri, token_uri, reverse identifier ( for iOS), etc. We need this to set up our app to communicate with these specific clients.
In any case, we need the client id, auth uri, token uri from each of the clients, and the reverse client id from the iOS client. Please keep in mind that the client ID cannot be the same for different clients, each one will have a unique value.
Specific to Okta (TBD)
Okta
If you don't have the mobile client set up in Okta IDP, please follow steps 1-5 to create it. Please note that the Okta web client is not suitable for mobile apps, they require the native client.
Create a native client for the Smarter Suite mobile application in the Okta console with the following parameters:
Create a new app => OIDC => Native app
Login redirect URI => net.chemwatch.walkabout://oauth2redirect
Controlled access => one of two options has to be selected ("Allow access to everyone in your organization" or "Restrict access to selected groups" if such exist)
Once the client is created, as an additional check, verify that the new client is configured to work with PKCE. This should be enabled by default and can be checked in the "client credentials" of the "General" section. PKCE must be enabled!
If you decide to additionally request a client secret, this can be set up on the same page. "Public Key/Private Key" is not allowed, only "None" or "Client Secret" can be selected.
...
In the end, We need the following data from Okta for mobile SSO:
6.1 Client ID: This can be found in the "General" section of the native Okta client.
6.2 Okta Issuer (can be found in the "Sign On" section, should be in the following format: "https://xxx-1234567.okta.com")
6.2.1 It's important to ensure that the client ID on the General tab matches the "Audience" token in the Sign On section. A parameter mismatch indicates an error while creating the client.
6.3. If you opted to use the client secret — the client secret from the "General" tab
6.4. Last but not least, the custom API URL of the authorisation server (if applicable). It can be found by navigating to Security => API. By default, it looks similar to https://xxx-12345.okta.com/oauth2/default, but if it’s different, we need this information as well.
Please let us know if you have any issues with providing the data for points 6.1-6.4.
FINAL STEP: Chemwatch Web App Configuration for Smarter Suite Users
...