Single Sign-On for Android with SOTI Identity
Prerequisites
- Configure SOTI IdP in the Global Settings of the SOTI MobiControl web console.
- Generate Android Single Sign-on (SSO) certificates from your Certificate Authority (CA). Create user-based certificate templates in
  Important: When creating certificate templates, the Subject Alternative Name (SAN) type must be DNS Name, the Alternative Name value must be Enrolled User IDP Refid, and the macro value must be %ENROLLEDUSER_SOTIIDP_REFID%.
- The Certificate target must be User.
- Enrollment Policy
- For a dedicated device, create an enrollment policy with an IdP authentication.
- For a shared device, enroll with an enrollment ID/QR code and configure the shared device mode for the SOTI Identity group.
- Android requirements
- The device must be on Android OS 7 or later.
- The device must use Android agent version 15.4.3 or later.
- SOTI Identity configurations
- Integrate the device users' Active Directory (AD) with SOTI Identity.
- Integrate the native application's server or the web application's server with SOTI IdP (see the SOTI Identity documentation for details).
- Add the root certificate, and the intermediate certificate if there is one, of the SOTI Identity certificate authority.
- Integrate any other IdP (like Microsoft Entra or Okta) with SOTI Identity.
- For an on-premises SOTI MobiControl environment, integrate the Cloud Link Agent (CLA) with both SOTI MobiControl and SOTI Identity.
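The following is an added example; it is not part of the SOTI documentation or of SOTI's own tooling. It shows how to verify, with the openssl command line, that a user certificate issued from an SSO template has the SAN shape the certificate prerequisites above require: a single DNS Name entry whose value is the enrolled user's IdP refid, rather than the literal, unexpanded %ENROLLEDUSER_SOTIIDP_REFID% macro. So that it runs offline it mints two self-signed test certificates with constructed subject names and refid values (one with the macro expanded, one with it left literal); on a real deployment you would point check_refid_san at a certificate exported from an enrolled device. It assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not SOTI's code. Checks that a user certificate carries exactly one
# Subject Alternative Name of type DNS Name and that its value is an expanded
# enrolled-user IdP refid, not the literal %ENROLLEDUSER_SOTIIDP_REFID% macro.
# The CA, subject names and refid values used below are constructed for the demo.
set -eu

# Print the DNS-type SAN values of a PEM certificate, one per line.
san_dns_values() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 when the certificate has exactly one DNS SAN holding a real refid
# (non-empty and not the unexpanded macro); return 1 otherwise.
check_refid_san() {
  values=$(san_dns_values "$1")
  count=$(printf '%s\n' "$values" | sed '/^$/d' | wc -l | tr -d ' ')
  [ "$count" -eq 1 ] || return 1
  case "$values" in
    ''|'%ENROLLEDUSER_SOTIIDP_REFID%') return 1 ;;
  esac
  return 0
}

# Mint a self-signed test certificate with the given DNS SAN (constructed input).
# $1 = output PEM path, $2 = value to place in the DNS Name SAN
make_test_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
    -keyout "${1%.pem}.key" -out "$1" \
    -subj "/CN=Enrolled Test User" \
    -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_cert "$WORK/good.pem" "a7f3c9d2-example-refid"        # macro expanded
make_test_cert "$WORK/bad.pem"  "%ENROLLEDUSER_SOTIIDP_REFID%"   # macro left literal

if check_refid_san "$WORK/good.pem"; then echo "good.pem: SAN carries a refid"; fi
if ! check_refid_san "$WORK/bad.pem"; then echo "bad.pem: macro was not expanded"; fi
```

A certificate that fails this check will still install on the device, but SOTI Identity cannot match it to an enrolled user, so the user will be prompted for credentials as if no SSO profile were present; checking the SAN on one issued certificate before rolling the profile out is cheaper than diagnosing that on devices.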
Single Sign On Payload Configurations
Setting | Description
SOTI Identity Status | Enable this option to save the SSO profile configuration.
Manage | Select the Manage button to navigate to the SOTI Identity tenant configured in Global Settings.
SOTI Identity URL | The SOTI Identity URL is a non-editable field and sources its value from Global Settings.
Target Applications | Define the application's bundle identifier to enable SSO for specific applications. Important: Not adding any application enables SSO for all the applications registered with SOTI Identity.
Workflow
Tip: See Configuring SSO for Android with SOTI Identity for an overview of configuring SSO from within the SOTI MobiControl web console.
- Create an application policy to send managed applications to the device.
- Create a profile with the following payloads.
- Single Sign On
- Certificate
- Authentication
- Enroll the device in SOTI MobiControl.
- For shared devices, enroll the device with an enrollment ID/QR code, then log in to the SOTI MobiControl Agent with the configured email IDs. Send the payload after the shared device login.
- For dedicated devices, enroll using authentication-based enrollment (SOTI Identity).
Once the profile is installed, opening any native or web application signs the user in without the password having to be re-entered.
Important: For shared device login:
- Either move devices to the parent group (where the SSO profile is not installed) to log out.
- Or define a SOTI Identity user filter while assigning the profile to the device.
Restriction: Native applications that block HTTP traffic do not have SSO enabled (for example, MS Teams, SharePoint).
Note: Application logout depends on the application's behavior.