With the Knox Generic SSO Framework, Samsung has made it much easier for enterprise app developers to authenticate app users. An app can use the same code base to work with any of the supported IdPs. These IdPs may use diverse authentication specifications such as SAML, OAuth, and OpenID; all of this is transparent to the enterprise app implementation.
The Generic SSO Framework supports our previous SSO SDK solutions, which are tied to specific authentication specifications and authenticator apps.
- Samsung SSO SDK (Kerberos) — Introduced with Samsung Knox v2.0, you can use this SDK to authenticate app users through an enterprise Active Directory, using the authentication specification Kerberos or SAML. For more info about this SDK, see the Samsung SSO SDK Developer Guide.
- Centrify MAS SDK — Introduced with Samsung Knox v1.0, you can use this SDK to authenticate app users through an enterprise Active Directory, using the authentication specification SAML. To get this SDK and its documentation, go to Centrify’s MAS SDK for Samsung Knox page.
These two SDKs provide API methods that require data related to the authentication specification, unlike the Generic SSO SDK for ISVs, which provides a simple generic API method, GetToken, that seamlessly works with multiple authentication specifications.
Samsung has partnered with leading IdPs including Microsoft (Azure AD), CA Technologies, and Centrify. We include their authenticator apps in the Knox Generic SSO Framework on a device. Each authenticator app works as a proxy, passing authentication requests to a web-based authentication service that accesses a user directory like Active Directory.
IdPs use the Generic SSO SDK for IdPs to receive SSO requests through the framework from enterprise apps, check whether the user has already been authenticated, and if not, authenticate the user.
MDM (Mobile Device Management) functionality typically includes over-the-air distribution of apps, as well as data and configuration settings, for many types of mobile devices. MDM solutions typically include:
- a server component, which sends out the management commands to the mobile devices
- a client component, which runs on the mobile device and carries out received management commands
In some cases, a single vendor provides both the client and the server; in others, different vendors provide the client and server.
An IT admin issues commands at the server. This admin knows which policies and configuration need to be applied to the mobile devices belonging to the enterprise. For the Generic SSO Framework, admins need to enroll an SSO provider and identify the apps that are allowed to use the SSO service. Admins can configure:
- specifications about the SSO service provider whose tokens will be used by the enterprise apps
- related data needed by the SSO provider to fetch and validate tokens effectively
- a list of whitelisted apps which can make use of the access tokens
As a developer of an MDM solution, you can load this information directly into the framework by means of an XML file (as shown for one of the API methods) or one piece at a time by calling separate API methods. You can manage SSO for both:
- apps that are inside a secure Knox container — Use the Knox Premium SDK, which provides many other container-level management and security features.
- apps that are not in the secure Knox container — Use the Knox Standard SDK, which provides many other device-level management features.
Note that the Knox Standard SDK is bundled with the Knox Premium SDK, giving full access to MDM features.