Overview

With so many websites and apps needing user authentication, Single Sign-On (SSO) is a great way to simplify the user experience. With SSO, a user provides their credentials only once. An app then authenticates the user with an Identity Provider (IdP) based, for instance, on Microsoft Active Directory. The next app that needs to authenticate the same user with the same IdP can simply rely on the previous authentication.

Unfortunately, developers who want to use SSO in their apps face a complex and fragmented landscape. There are many different SSO specifications (SAML, OAuth, OpenID) supported by the various IdPs, which adds complexity to apps if you want true interoperability with IdPs.

Samsung offers the first enterprise assembly of SSO for Android — the Knox Generic SSO Framework. Our framework is the bridge between apps that need SSO and IdPs that provide SSO. The framework is comprehensive, flexible, and easy to use. You need only a single version of an app to work with multiple IdP solutions.

Three SDKs are available to enrolled developers:

  • Generic SSO SDK for Independent Software Vendors (ISVs)
  • Generic SSO SDK for Identity Providers (IdPs)
  • Samsung SSO SDK (Kerberos)

How it works

The Knox SSO framework supports the three app types shown above.

  1. Enterprise app — Sends a user authentication request to an authenticator app. If the authenticator app returns an SSO token, the enterprise app can use it to access web-based app services.
  2. Authenticator app — Handles user authentication requests from enterprise apps. If the user is already logged in, the authenticator app returns an SSO token. Otherwise, the app contacts a centralized IdP service to authenticate the user (for example, using a directory service like Active Directory), get an SSO token, and return the SSO token to the enterprise app.
  3. MDM app — Allows enterprise IT admins to identify which enterprise apps use which authenticator apps.

Key benefits

  • Usability — Reduces the number of login IDs and passwords that users need to remember. IT admins can select SSO as the Knox container unlock method.
  • Cost savings — Lowers the IT cost from helpdesk calls about lack of access or password resets.
  • Simplicity — Avoids having to develop multiple versions of enterprise apps for different authentication specifications.
  • Security — Stores sensitive data in the secure Knox TrustZone.

With the Knox Generic SSO Framework, Samsung has made it much easier for enterprise app developers to authenticate app users. An app can use the same code base to work with any of the supported IdPs. These IdPs can be using diverse authentication specifications like SAML, OAuth, and OpenID. All this is transparent to the enterprise app implementation.

  • Generic SSO SDK for ISVs — An Independent Software Vendor (ISV) is a company specializing in developing or selling software designed for mass or niche markets. Many ISV apps are web-based and provide exclusive privileges and resources to users who log in using unique credentials for their web servers. To overcome the burden of maintaining the infrastructure needed for storing passwords and usernames, which needs high security and intrusion protection, ISVs sign up with IdPs (trusted SSO service vendors), to obtain authentication and authorization services. This way, ISVs are only obligated to manage authentication information known as tokens that are issued by the IdP. ISVs can use the tokens to obtain authorization and information about the user from the IdP servers and web resources from respective web servers. When multiple ISV apps on a device use the same IdP tokens, a single login is sufficient to verify identity for all apps making use of the IdP services.

    ISV apps talk to the Generic SSO framework through dedicated app-level APIs, as shown in the diagram above.

The Generic SSO Framework supports our previous SSO SDK solutions, which are tied to specific authentication specifications and authenticator apps.

  • Samsung SSO SDK (Kerberos) — Introduced with Samsung Knox v2.0, you can use this SDK to authenticate app users through an enterprise Active Directory, using the authentication specification Kerberos or SAML. For more info about this SDK, see the Samsung SSO SDK Developer Guide.
  • Centrify MAS SDK — Introduced with Samsung Knox v1.0, you can use this SDK to authenticate app users through an enterprise Active Directory, using the authentication specification SAML. To get this SDK and its documentation, go to Centrify’s MAS SDK for Samsung Knox page.

These two SDKs provide API methods that require data related to the authentication specification, unlike the Generic SSO SDK for ISVs, which provides a simple generic API method, GetToken, that seamlessly works with multiple authentication specifications.

Samsung has partnered with leading IdPs including Microsoft (Azure AD), CA Technologies, and Centrify. We include their authenticator apps in the Knox Generic SSO Framework on a device. Each authenticator app works as a proxy, passing authentication requests to a web-based authentication service that accesses a user directory like Active Directory.

IdPs use the Generic SSO SDK for IdPs to receive SSO requests through the framework from enterprise apps, check whether the user has already been authenticated, and if not, authenticate the user.

MDM (Mobile Device Management) functionality typically includes over-the-air distribution of apps, and data and configuration settings for many types of mobile devices. MDM solutions typically include:

  • a server component, which sends out the management commands to the mobile devices
  • a client component, which runs on the mobile device and carries out received management commands

In some cases, a single vendor provides both the client and the server; in others, different vendors provide the client and server.

An IT admin provides commands at the server. This admin is aware of the policies and configuration that need to be applied to the mobile devices belonging to an enterprise. For the Generic SSO framework, admins need to enroll an SSO provider and identify the apps that can use the SSO service. Admins can configure:

  • specifications about the SSO service provider whose tokens will be used by the enterprise apps
  • related data needed by the SSO provider to fetch and validate tokens effectively
  • a list of whitelisted apps which can make use of the access tokens

As a developer of an MDM solution, you can load this information directly into the framework by means of an XML file (as shown for one of the API methods) or one piece at a time by calling separate API methods. You can manage SSO for both:

  • apps that are inside a secure Knox container — Use the Knox Premium SDK, which provides many other container-level management and security features.
  • apps that are not in the secure Knox container — Use the Knox Standard SDK, which provides many other device-level management features.

Note that the Knox Standard SDK is bundled with the Knox Premium SDK, giving full access to MDM features.
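As an added illustration, not code from Samsung's SDKs (whose real API signatures and XML schema this page does not show), the following Python model ties together the three roles described above: an MDM-style configuration naming the SSO provider and the whitelisted apps, an authenticator app that contacts the IdP only for a user's first request and reuses the token afterwards, and a GetToken-style request that is refused when the calling app is not whitelisted. The XML layout, class names and package names are all assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed MDM configuration; element and attribute names are assumptions, not Knox's real schema.
MDM_CONFIG_XML = """
<sso-config>
  <provider name="example-idp" authenticator="com.example.authenticator"/>
  <whitelist>
    <app package="com.example.mail"/>
    <app package="com.example.crm"/>
  </whitelist>
</sso-config>
"""

class MdmConfig:
    """What the IT admin loads into the framework: the SSO provider and the whitelist."""
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        provider = root.find("provider")
        self.provider = provider.get("name")
        self.authenticator = provider.get("authenticator")
        self.whitelist = {a.get("package") for a in root.findall("whitelist/app")}

class Authenticator:
    """Hypothetical authenticator app: contacts the IdP once per user, then reuses the token."""
    def __init__(self, provider):
        self.provider = provider
        self.idp_calls = 0
        self._tokens = {}            # user -> SSO token, i.e. "already logged in"
    def authenticate(self, user):
        if user not in self._tokens:  # not logged in yet: go to the IdP
            self.idp_calls += 1
            self._tokens[user] = f"{self.provider}:{user}:tok{self.idp_calls}"  # constructed
        return self._tokens[user]

class Framework:
    """Models the GetToken path with the MDM whitelist enforced before any authentication."""
    def __init__(self, config, authenticator):
        self.config, self.authenticator = config, authenticator
    def get_token(self, package, user):
        if package not in self.config.whitelist:
            return None              # app not whitelisted by the admin: no token issued
        return self.authenticator.authenticate(user)

def demo():
    cfg = MdmConfig(MDM_CONFIG_XML)
    fw = Framework(cfg, Authenticator(cfg.provider))
    first = fw.get_token("com.example.mail", "alice")
    second = fw.get_token("com.example.crm", "alice")   # same user, second app: no IdP trip
    denied = fw.get_token("com.example.rogue", "alice")
    return first, second, denied, fw.authenticator.idp_calls
```

Running `demo()` shows the single-login property (both whitelisted apps receive the same token after one IdP round trip) and the admin's control over which apps may obtain a token at all.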


Next steps ...

Later, when you start coding and have questions, check the FAQs and Developer Forum for support.