Below are the instructions for connecting an SSO authentication service to the Chemwatch mobile application. Your IDP service must support the OAuth 2.0 protocol for authentication and authorisation. Note that the mobile app is a native (public) client: it is registered with a custom-scheme redirect URL rather than a web callback, and every IDP must be told about that URL exactly as written below.
For integration with your service, we need the following information:
clientId (client credentials).
clientSecret (client credentials).
authorizeUrl.
accessTokenUrl.
userInfoUrl.
Add our redirect URL, exactly as written, to your IDP's list of allowed redirects: net.chemwatch.walkabout://oauth2redirect.
You can also specify the scope that should be requested when fetching information about the user, and tell us which field of the userInfo response represents the username.
Please provide us with a temporary SSO username and password so we can verify the integration.
Specific to MS Azure
When registering the Smarter Suite app in Azure, the optional Redirect URI platform must be set to "Public client/native (mobile & desktop)" for mobile apps. Mobile apps use a different redirect URL structure that always starts with a custom scheme (customScheme://). The value must be exactly net.chemwatch.walkabout://oauth2redirect; anything else (a trailing slash, different capitalisation, an extra path) is a different URL to AzureAD and the mobile app will not work with your AzureAD setup. Please see the below image for your reference.
If you did not specify the redirect URL when registering the app, please add net.chemwatch.walkabout://oauth2redirect to the AzureAD console as an allowed redirect; otherwise AzureAD rejects the login because the redirect URI is not in the allowed list. This is done in the "Authentication" section, which should be second from the top under "Manage" in the left pane.
In API permissions, add the "email" permission for Microsoft Graph, because we use the user's email address to identify the user during authentication.
Please take a look at the screenshot below. We marked several zones with numbers so you can understand where to get the relevant data.
authorization URL — number 1
accessToken URL — number 2
userInfo URL — number 3
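The following is an added example and not Chemwatch's own code. It shows, offline, the OAuth 2.0 authorization-code exchange that a native (public) client performs against the values this page asks the customer to supply (clientId, authorizeUrl, accessTokenUrl, userInfoUrl, scope and the username field), together with the exact-match redirect URI check that the Azure notes above describe. The IDP URLs, client id and user data are placeholders; the PKCE code_challenge is added here as standard practice for public clients and is not mentioned on this page.

```python
"""Added example (not Chemwatch's code): OAuth 2.0 authorization-code flow
for a native client with a custom-scheme redirect. Runs offline: nothing is
sent, each step's message is built and checked. The IDP values, client id
and userInfo body are assumed placeholders; PKCE is added as good practice."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

REDIRECT_URI = "net.chemwatch.walkabout://oauth2redirect"  # from the page

# Placeholder IDP configuration (assumed values for illustration).
IDP = {
    "clientId": "example-client-id",
    "authorizeUrl": "https://idp.example.com/oauth2/authorize",
    "accessTokenUrl": "https://idp.example.com/oauth2/token",
    "userInfoUrl": "https://idp.example.com/oauth2/userinfo",
    "scope": "openid email",
    "usernameField": "email",  # the userInfo field chosen as the username
}

def redirect_uri_matches(registered, presented):
    """Exact, case-sensitive comparison, which is how Azure AD checks the
    redirect URI: a trailing slash, other case or extra path is rejected."""
    return registered == presented

def pkce_challenge(verifier):
    """S256 code_challenge = base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(idp, state, code_challenge):
    """Step 1: the URL the app opens in the system browser."""
    params = {
        "response_type": "code",
        "client_id": idp["clientId"],
        "redirect_uri": REDIRECT_URI,
        "scope": idp["scope"],
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return idp["authorizeUrl"] + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Step 2: the OS hands the custom-scheme URL to the app. Return the
    authorization code, or raise on any mismatch or IDP error."""
    base, _, query = callback_url.partition("?")
    if not redirect_uri_matches(REDIRECT_URI, base):
        raise ValueError("callback did not arrive on the registered redirect URI")
    qs = parse_qs(query)
    if "error" in qs:
        raise ValueError("IDP returned error: " + qs["error"][0])
    states, codes = qs.get("state", []), qs.get("code", [])
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("callback must carry exactly one state and one code")
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or stale callback")
    return codes[0]

def token_request(idp, code, code_verifier):
    """Step 3: form body POSTed to accessTokenUrl. redirect_uri must repeat
    the step 1 value. Google mobile clients have no clientSecret; IDPs that
    issued one get it added."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": idp["clientId"],
        "code_verifier": code_verifier,
    }
    if idp.get("clientSecret"):
        body["client_secret"] = idp["clientSecret"]
    return body

def username_from_userinfo(userinfo, field):
    """Step 4: take the configured username field from the userInfoUrl
    response; fail closed if it is absent or empty."""
    value = userinfo.get(field)
    if not isinstance(value, str) or not value.strip():
        raise ValueError("userInfo response lacks a usable '%s' field" % field)
    return value

def demo():
    """Walk the flow offline with a constructed callback and userInfo body."""
    state = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(32)  # 43 chars, within RFC 7636 limits
    url = build_authorize_url(IDP, state, pkce_challenge(verifier))
    # Constructed: what the IDP redirects to after the user signs in.
    callback = REDIRECT_URI + "?code=SplxlOBeZQQYbYS6WxSbIA&state=" + state
    code = parse_callback(callback, state)
    body = token_request(IDP, code, verifier)
    # Constructed userInfo response (assumed shape).
    userinfo = {"sub": "1234", "email": "alice@example.com", "name": "Alice"}
    return {
        "authorize_url": url,
        "token_body": body,
        "username": username_from_userinfo(userinfo, IDP["usernameField"]),
    }
```

Running demo() walks all four steps; parse_callback is where the Azure failure mode above shows up, since a callback arriving on net.chemwatch.walkabout://oauth2redirect/ (trailing slash) or with different capitalisation is rejected by the exact comparison rather than accepted.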
Specific to Google Workspace
Please provide us with the following.
Google IDP requires a separate OAuth 2.0 client ID for each mobile platform, so two clients are needed: one for Android and one for iOS. Google mobile clients have no clientSecret and work differently from the generic setup above. The clients are created in the "Credentials" section of "APIs & Services" in the GCP console. Each client has properties that must be filled in with the values below.
Android client
Name — can be filled with any data
package name — net.chemwatch.walkabout
SHA-1 certificate fingerprint — 7F:49:D2:02:9B:A8:6D:54:24:C1:F7:01:83:5C:EF:3F:3B:21:B6:A4
iOS client
Name — can be filled with any data
bundle id — net.chemwatch.walkabout
app store id — 1547225480
team id — AD5M8U9NQL
The step above is important: Google enforces a strict one-to-one mapping, so each client is valid for exactly one mobile app on one mobile platform.
After the two clients have been created, please send us the details below from each client separately. They can be downloaded as a file from the client's page in the GCP console (a "Download plist" button for the iOS client and "Download JSON" for the Android client). These files contain the client_id, auth_uri, token_uri, the reversed client ID (iOS only) and so on; we need them to configure our app to talk to these specific clients.
At minimum we need the client ID, auth URI and token URI from each client, and the reversed client ID from the iOS client. Keep in mind that client IDs are unique per client, so the Android and iOS values will differ.
Specific to Okta (TBD)