Using SAML SSO Over Mobile Devices

This guide documents how SAML single sign-on (SSO) through Rippling works on a mobile device. Generally, SAML-based SSO behaves the same way on a mobile device as it does in a web browser. This guide uses the Rippling Slack integration to illustrate the SSO flow for onboarding new users to an application that is often used on mobile and that utilizes SAML single sign-on.

Accepting an Account Invite to a Mobile App

For applications that have a large mobile presence, it is critical that your employees have access not only to the web-based application but to the native version of the application as well. In these cases, the application will often handle SSO in its own custom manner. However, the principle of verifying an employee’s identity through Rippling remains the same.

Invitations will be made available to your employee either in the mobile application or in their email, depending on the application. With Slack, when an employee is granted access to a new workspace, the invitation will be made available from the ‘Add Workspaces’ toggle, as well as in the employee’s email.

As part of the account acceptance process, the employee will be prompted to sign in to their Rippling account.

With Slack, the verification uses the mobile browser to redirect the user to Rippling to sign in. Rippling verifies the user and then provides authorization back to the service provider.

Prior to directing the user to Rippling, Slack requires that the user agree to their terms of service. This may be different based on the application.

Signing in with Rippling on Mobile

As shown below, the Rippling login is presented in the user’s mobile browser so the employee can confirm their identity. This is a Service Provider initiated flow (SP-initiated flow): the request originates from the application (Slack), redirects to Rippling for authentication and authorization, and then redirects back to the application (Slack).
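The SP-initiated round trip described above, as an added example that is not Slack's or Rippling's code: the service provider encodes an AuthnRequest into the redirect URL, and later accepts only a response whose InResponseTo names a request it actually sent. The endpoints and IDs are constructed placeholders, the HTTP-Redirect binding is an assumption about the transport, and signature, audience and expiry checks are left out.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholder endpoints, not real Slack or Rippling URLs.
SP_ENTITY_ID = "https://sp.example.com"
SP_ACS_URL = "https://sp.example.com/sso/saml"
IDP_SSO_URL = "https://idp.example.com/sso"

def build_redirect(request_id, issue_instant):
    """SP side: wrap an AuthnRequest in the HTTP-Redirect binding."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    # Binding encoding: raw DEFLATE (no zlib header), base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f"{IDP_SSO_URL}?{query}"

def decode_redirect(url):
    """IdP or analyst side: recover the request fields from the redirect URL."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    root = ET.fromstring(zlib.decompress(base64.b64decode(b64), -15))
    return {"id": root.get("ID"),
            "acs": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS)}

def sample_response(in_response_to=None):
    """Constructed, unsigned Response skeleton used only as sample input."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ID="_resp1" '
            f'Version="2.0" Destination="{SP_ACS_URL}"{attr}/>')

def response_matches(response_xml, pending_ids):
    """SP side: an unsolicited (IdP-initiated) response has no InResponseTo."""
    root = ET.fromstring(response_xml)
    irt = root.get("InResponseTo")
    return (irt is not None and irt in pending_ids
            and root.get("Destination") == SP_ACS_URL)

if __name__ == "__main__":
    url = build_redirect("_req123", "2024-01-01T00:00:00Z")
    print(decode_redirect(url))
    print(response_matches(sample_response("_req123"), {"_req123"}))  # solicited
    print(response_matches(sample_response(), {"_req123"}))           # unsolicited
```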

Once the user has been signed in through Rippling, they will have SSO access to the app by initiating the login through Rippling from the app. Rippling does not currently support initiating mobile logins directly from the Rippling SSO bar as it does for the web application. Additionally, mobile applications may allow sessions to remain active indefinitely, so that users do not need to re-authenticate constantly to use their mobile apps. For Slack specifically, the default session duration for SAML SSO logins is indefinite. This can be modified by your Slack admin from your SAML Authentication settings page.

Session Durations

Within your Slack settings, you can set your session duration to one of the following options: allow infinite sessions, log users out when they close the application, or log users out after a specific number of hours (minimum 12). These timeout values allow you to force the employees within your organization to sign in again based on set criteria, such as closing the application or not using the application for a period of time.