Single Sign-On for Android with SOTI Identity

Pre-requisites

  • Configure SOTI IdP in the Global Settings of the SOTI MobiControl web console.
  • Generate Android Single Sign-On (SSO) certificates from your Certificate Authority (CA). Create user-based certificate templates in Global Settings > Services > Certificate Authority.
    • Important: When creating certificate templates, the Subject Alternative Name (SAN) type must be DNS Name, the Alternative Name value must be Enrolled User IDP Refid, and the macro value must be %ENROLLEDUSER_SOTIIDP_REFID%.
    • The Certificate target must be User.
  • Enrollment Policy
    • For a dedicated device, create an enrollment policy with an IdP authentication.
    • For a shared device, enroll with an enrollment ID/QR code and configure the shared device mode for the SOTI Identity group.
  • Android requirements
    • The device must be on Android OS 7 or later.
    • The device must use Android agent version 15.4.3 or later.
  • SOTI Identity configurations
    • Integrate the device user's AD in SOTI Identity.
    • Integrate native app server or web apps' server with SOTI IdP (See SOTI Identity documentation for more details).
    • Add a root certificate and an intermediate certificate (if any) of the SOTI Identity certificate authority.
    • Integrate any other IdP (like Microsoft Entra or Okta) with SOTI Identity.
  • For an on-premises SOTI MobiControl environment, integrate the Cloud Link Agent (CLA) with both SOTI MobiControl and SOTI Identity.
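SSO binds the enrolled user to the device certificate through the SAN DNS Name that carries the IdP RefId, so it is worth confirming that an issued certificate actually has that entry. The following is an added example, not SOTI code: it parses the DER-encoded GeneralNames value of a subjectAltName extension (assumed to be already extracted from the certificate) and checks for a dNSName equal to the expected RefId. The RefId values used are constructed placeholders.

```python
"""Check that a subjectAltName value carries the enrolled user's IdP RefId as a dNSName.
Input is the DER GeneralNames SEQUENCE (the extension *value*, not a whole certificate)."""

# Context-specific tag numbers used inside GeneralNames (RFC 5280, section 4.2.1.6)
GENERAL_NAME_TAGS = {0: "otherName", 1: "rfc822Name", 2: "dNSName",
                     6: "uniformResourceIdentifier", 7: "iPAddress"}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_general_names(der):
    """Return a list of (name_type, value) pairs from a DER GeneralNames SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a DER SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        kind = GENERAL_NAME_TAGS.get(tag & 0x1F, "unsupported")
        if kind in ("rfc822Name", "dNSName", "uniformResourceIdentifier"):
            names.append((kind, value.decode("ascii")))  # IA5String types
        else:
            names.append((kind, value.hex()))  # leave binary/structured types opaque
    return names


def san_matches_refid(der, expected_refid):
    """True only if the SAN has a DNS Name entry equal to the enrolled user's IdP RefId."""
    return ("dNSName", expected_refid) in parse_general_names(der)


def _tlv(tag, body):
    """Encode one DER TLV with a short-form length (enough for these samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


# Constructed samples with a placeholder RefId (not real SOTI data).
GOOD_SAN = _tlv(0x30, _tlv(0x82, b"refid-placeholder-001"))    # [2] dNSName, as the template requires
BAD_SAN = _tlv(0x30, _tlv(0x81, b"user@example.test"))          # [1] rfc822Name: wrong SAN type

if __name__ == "__main__":
    print(parse_general_names(GOOD_SAN), san_matches_refid(GOOD_SAN, "refid-placeholder-001"))
```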

Single Sign On Payload Configurations

SOTI Identity Status: Enable this option to save the SSO profile configuration.
Manage: Select the Manage button to navigate to the SOTI Identity tenant configured in Global Settings.
SOTI Identity URL: The SOTI Identity URL is a non-editable field and sources its value from Global Settings.
Target Applications: Define the application's bundle identifier to enable SSO on specific applications.
Important: Not adding an application enables SSO for all the applications registered with SOTI Identity.

Workflow

Tip: See Configuring SSO for Android with SOTI Identity for an overview of configuring SSO from within the SOTI MobiControl web console.
  1. Create an application policy to send managed applications to the device.
  2. Create a profile with the following payloads.
    • Single Sign On
    • Certificate
    • Authentication
  3. Enroll the device in SOTI MobiControl.
    • For shared devices, enroll the device with an enrollment ID/QR code. Log in to the SOTI MobiControl Agent with the configured email IDs.
      • Send the payload after the shared device login.
    • For dedicated device login, enroll using authentication-based enrollment (SOTI Identity).

  After enrollment, opening any native or web application does not require a password to be re-entered on sign-in.

Important: For shared device login, do one of the following:
  • Move devices to the parent group (where the SSO profile is not installed) to log out.
  • Define a SOTI Identity user filter while assigning the profile to the device.
Restriction: Native applications that block HTTP traffic do not have SSO enabled (for example, MS Teams, SharePoint).
Note: Application logout depends on the application's behavior.