Below are the instructions for connecting an SSO authentication service to the Chemwatch mobile application: Your IDP service must support the OAuth 2.0 PKCE or OIDC protocol for authentication and authorisation.
For integration with your service, we need the following information:
clientId (sometimes called client credentials).
clientSecret (client credentialsif you are using an IDP that requires the use of a client secret).
authorizeUrl.
accessTokenUrl.
userInfoUrl.
Add our redirect URL: net.chemwatch.walkabout://oauth2redirect.
You can also specify the scope that should be available for getting obtaining user information about the user and select the exact field representing the username.
Please If you have guest user credentials — please provide us with a temporary SSO username and password to check it out.
Specific to MS Azure
temporary access to test it, this may speed up the SSO setup process.
Below, we list some tips for the most common IDPs outlining the required steps for the specific platform. Please note that if you are using a custom IDP and it requires certain actions beyond the standard OAuth2.0 protocol, you will need to provide the complete data yourself.
Currently, our application is configured to work primarily with OAuth2.0 PKCE. It also has OIDC support.
Microsoft Entra ID
1. When registering the Smarter Suite app in Azure, the optional redirect field must be selected as a public client/native(mobile & desktop) app for mobile apps. Mobile apps have a different redirect URL structure and always start with customScheme.://. It needs to be exactly net.chemwatch.walkabout://oauth2redirect Otherwise, the mobile app won't work with your AzureAD setupclient. Please see the below image for your the reference.
...
2. If you didn’t specify the redirect URL when registering the app as above, please add the net.chemwatch.walkabout://oauth2redirect URL to the AzureAD console as an allowed redirect, or else our app will fail the AzureAD security check on login. This can be done in the "Authentication" section which should be second from the top under the “Manage” menu in the left pane.
...
On the "Authentication" screen, please add the mobile and desktop apps category (1). After that, it will be possible to add net.chemwatch.walkabout://oauth2redirect as a redirect URL here (2). It is extremely important to add the correct redirect URL otherwise the Smarter Suite app will not be able to receive a response from your IDP.
...
3. In the “API permissions”, you need to add "email" for from Microsoft Graph (delegated permissions) because we use the user's email address for authentication purposes. Please see the below image for your reference. If you would like to use OIDC instead of Oauth2.0 PKCE — you must also add the openid from the same graph section.
...
4. Please take a look at the screenshot below. We marked several zones with numbers so you can understand where to get the relevant data.
authorization URL — number 1
accessToken URL — number 2
userInfo URL — number 3
...
Specific to For OIDC users only — please let us know the following endpoint: OpenID Connect metadata document.
...
Google Workspace
Please provide us with the following.
...
In any case, we need the client id, auth uri, token uri from each of the clients, and the reverse client id from the iOS client. Please keep in mind that the client ID cannot be the same for different clients, each one will have a unique value.Specific to
Okta
If you don't have the mobile client set up in Okta IDP, please follow steps 1-5 to create it. Please note that the Okta web client is not suitable for mobile apps, they require the native client.
...