Blocking Malicious Redirect Requests During SSO Authentication

While performing Single-Sign-On authentication, the authenticating server often redirects the session to various servers, as part of the authentication process.
A security breach during the authentication process, that will redirect to a non-authorized server, may lead to password hijacking and may put the user and organization at risk.

Direct Broker is an SSO feature supplied by Appdome that secures the authentication communication. By adding the Direct Broker to your app, your app will block access to URLs outside the whitelisted domains during a Single Sign On (SSO) authentication process. This Knowledge Base article provides step-by-step instructions for using Appdome to add the Direct Broker enhancement to any Android and iOS mobile app.

We hope you find this knowledge base useful and enjoy using Appdome!

About No Code Direct Broker on Appdome

Appdome is a mobile integration platform as a service (iPaaS) that allows users to add a wide variety of features, SDKs and APIs to Android and iOS apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily integrate the Direct Broker to any mobile app – instantly, no code or coding required.

Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement. Likewise, there are no required infrastructure changes inside the app. The Appdome technology adds Direct Broker capabilities to the app automatically, with no manual development work at all.

Using Appdome, mobile apps can integrate SSO to authenticate users. On top of the SSO solution, Appdome’s Direct Broker adds security and blocks malicious attempts to redirect the communication to non-approved domains. Appdome’s enhancements are compatible with mobile apps built in any development environment including Native Android and iOS apps, hybrid apps and non-native apps built in Xamarin, Cordova, and React Native, Ionic and more. This streamlines implementations, cuts development work, and ensures a guaranteed and consistent integration of The Direct Broker identity and security enhancement to any mobile app.

Prerequisites for using Appdome’s Direct Broker

In order to use Appdome’s no code implementation of Direct Broker, you’ll need:

  • Appdome account
  • Mobile App (.ipa for iOS, or .apk or .aab for Android)
  • An active configuration of Appdome for Single Sign-on. Please note the following information from your SSO provider:
    • Initiate login URI (sometimes referred to as the Hub URI)
    • Redirect URI (sometimes referred to as the Authentication successful URI)
    • Client ID – the ID assigned to an app on the SSO provider
  • List of domains allowed during the authentication process

If you do not know the exact domains accessed normally during the authentication process, you may be able to extract these by using a browser’s developer options on your computer. Following the example for extracting the domains used while authenticating using the site https://demo.c2id.com/oidc-client/

  1. Open Chrome browser
  2. Make sure you are logged out of your SSO provider in Chrome
  3. open https://demo.c2id.com/oidc-client/
    1. If not using openid, just log into the Initiate login URI
  4. Under OpenID Connect 1.0 Client, in the Issuer box, enter the discovery URI for your SSO provider
    1. If no discovery URI is available, enter the openid endpoints manually
  5. Under Client details enter:
    1. Your app’s Client ID from the SSO provider
    2. If client secret is required, change the Client authentication accordingly
    3. If code exchange is required, change PKCE accordingly (Okta, for instance, uses S256 when PKCE is chosen for an app)
    4. Copy the Redirection URI from the box and configure it in your SSO provider for your app
  6. Under Authenticate end-user enter select Response type as code
  7. Click Log in with OpenID Connect
  8. Right click the opened window and click Inspect
  9. Select the Network TabNote: a blue underline will appear showing it is active
  10. Check the Preserve log and Disable cache checkboxes
  11. To the right of View, check the Use small request rows
  12. Log-in to the SSO provider
  13. In the Developer options, note the domains used for non-resource URLs
  14. Please note that the domain of your Initiate login URI and/or discovery URI will need to be whitelisted as well if not shown in the developer options

How to Add Direct Broker capabilities to Any Mobile App on Appdome 

Follow these step-by-step instructions to add Direct Broker capabilities to Any Mobile App:

Upload a Mobile App to Your Account

Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.

From the “Build” tab, Add Direct Broker

Select the Build TabNote: a blue underline will appear showing the step is active
Beneath the Build Tab, you will find several service options. Select AuthenticationNote: a blue highlight will appear showing the category is active. 

  1. Configure your desired SSO provider as described in Appdome for Single Sign-on
  2. Open the Scheme drop-down list named Appdome SSO+ Suite
  3. In the Appdome SSO+ Suite, enable Direct Broker
  4. Specify one or more approved Broker domains
  5. When finished, click Built My App.

The technology behind Build My App has two major elements – (1) a microservice architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add SSO and Direct Broker capabilities to the mobile app in seconds. For example, the technology of Open-ID Connect and Webview authentication, work that ordinarily a developer would need to do.

Congratulations! You now have a mobile app fully integrated with Direct Broker capabilities.

After Adding Direct Broker to a Mobile App on Appdome

After you have added Direct Broker to any Mobile App on Appdome, there are a few additional steps needed to complete your mobile integration project.

Add Context™ to the Appdome-Built App

Appdome is a full featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the app.
For more information on the range of options available in Context™, please read this knowledge base article.

Sign the Direct Broker enabled Appdome-Built App (Required)

In order to deploy an Appdome-Built app, it must be signed. Signing iOS apps and Signing Android apps are easy using Appdome. Alternatively, you can use Private Signing, download your unsigned app and sign locally using your own signing methods.

Deploy the Appdome-Built App to a Mobile Device

Once you have signed your Appdome-Built app, you can download to deploy it using your distribution method of choice. For more information on deploying your Appdome-Built apps, please read this knowledge base.

That is it – Enjoy Appdome’s Direct Broker capabilities in your app!

How Do I Learn More?

Check out Appdome for SSO+ blog or request a demo at any time.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.  

Gil Hartman

Have a question?

Ask an expert