SSO / SAML authentication using Ignition Perspective APK on Android mobile

Does anyone have SAML / SSO working with the Ignition Perspective APK?

We are setting up internal MDM deployment of the

After getting internal endpoints (i.e. gateways) configured in the managed-devices VPN tunnel, the managed-app (downloaded APK from the managed Play) works to launch internal Perspective projects. When we try to get SSO / SAML authentication to work using the managed-app APK, we get a time-out error.

I suspected that we might be missing another internal endpoint in the VPN tunnel; unfortunately I have not found a way to trace the SAML/SSO network API-exchange as one can using Chrome browser’s F12-developer tools. The API-handshaking sets up the authenticated session. As best I can tell, Android’s System Tracing dev-tool does not yet support network information in the Perfetto system traces.

I say “suspected” because if, instead of using the managed-APK, I access a gateway and/or Perspective project via the managed-app (VMware’s) web browser, the SAML / SSO API exchange executes to completion, yielding a valid authenticated session. Because this pathway is utilizing the same VPN tunnel, the issue of missing endpoints would seem to be falsified.

Punting this question here since I’m about out of ideas of how to advance.

I don’t see anything since release 0.97.2 in the APK’s change-log regarding SSO or SAML.

Hi @jsorlie -

Your best bet will be reaching out to support to troubleshoot this. We’d likely need to understand the details around your network topology, how the Perspective app connects to the Gateway, and how the VPN and this VMware browser come into the equation before we can help troubleshoot. Someone will likely need to walk through the redirects to see where things are breaking down…

Before reaching out to support, take a look at this: [BUG-13715,13982] Perspective App - #19 by mrojas

If there are any reverse proxies or other middleware between the Perspective App and the Gateway, make sure that custom HTTP request headers are not filtered out before forwarding to the Gateway. I believe these include:

  • client_timezone
  • device_id
  • device_type
  • version_code
  • perspective-session-id
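One way to check the header-filtering point from the last reply, as an added example that is not part of the thread or of Ignition itself: a small header-echo backend that can be placed temporarily behind the proxy in place of the Gateway, plus a client that sends the five headers and reports which ones never arrived. The header values, function names and the echo backend are assumptions made for this sketch.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names are from the post above; the values are constructed placeholders.
APP_HEADERS = {
    "client_timezone": "America/Chicago",
    "device_id": "test-device-0001",
    "device_type": "android",
    "version_code": "1",
    "perspective-session-id": "test-session-0001",
}

class EchoHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in backend: replies with the header names it received."""
    def do_GET(self):
        body = json.dumps([k.lower() for k in self.headers.keys()]).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # suppress per-request logging
        pass

def start_echo_backend(port=0, handler=EchoHandler):
    """Start the echo backend on localhost in a background thread."""
    server = HTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def missing_headers(url, headers=APP_HEADERS, timeout=5):
    """Send `headers` to `url`; return the names the backend never saw."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers=headers)
    with opener.open(req, timeout=timeout) as resp:
        seen = set(json.load(resp))
    return sorted(name for name in headers if name.lower() not in seen)

if __name__ == "__main__":
    backend = start_echo_backend()
    url = f"http://127.0.0.1:{backend.server_port}/"  # swap in the proxy's URL
    print("dropped on the path:", missing_headers(url) or "none")
    backend.shutdown()
```

Four of the five names contain underscores, which some reverse proxies discard by default; nginx does so unless `underscores_in_headers on;` is set.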