Your understanding is correct. The Mobile client authentication to Jive Mobile is virtually identical to how a desktop web browser would authenticate to Jive. The authentication flow is like this:
- User enters username and password in mobile login page
- Mobile Client sends the credentials to the Mobile Gateway, which forwards the credentials to the Core API authentication service
- In the response to the authentication request, the Core API will issue either just a session cookie (if the Remember Me checkbox was not checked), or both a session cookie and a Spring Security-based "remember me" cookie if the Remember Me box was checked. This is the same thing that would happen on the normal web UI for a Jive instance at login time. The Mobile Gateway forwards these directly back to the mobile client. Since the mobile client receives the cookies in the response from the Jive Mobile domain, the mobile client will always send these cookies to the Mobile Gateway when making further requests.
- Spring Security remember me cookies are a hashed combination of the username, password, and an expiration time.
- The Remember Me option by default produces a cookie that is valid for 14 days. This value currently cannot be modified via a Jive System Property. Instead, any change will require changing the value of the tokenValiditySeconds bean property of the rememberMeServices bean in the Spring Security configuration (XML). Again, this change will apply to both mobile and desktop Jive.
- During any subsequent requests proxied from the client through the Mobile Gateway, the gateway will forward the cookies from the client to the Jive instance.
- If the session cookie is accepted by the Jive instance as valid, then the Jive instance will also accept the accompanying request. Again, this is the same as how Jive desktop authenticates requests from a web browser, i.e., based on the session cookie if available.
- If the session cookie is invalid/expired or does not exist, and the user has a "remember me" cookie, then the Jive instance will attempt to re-authenticate the user based on the "remember me" cookie, which lives longer than a single session. If the re-authentication succeeds, a new, valid session cookie is issued and we proceed as before.
- If there is neither a valid session cookie nor a valid remember me cookie in the request, the request will be rejected by the Jive Core API, which will result in a login prompt in the mobile client. Return to step 1.
As outlined above, there are no special privileges involved in the process, and no "superuser" or privileged connections are made or required at any time. Users of Jive Mobile get the same access to Jive data on mobile that they do on the full Jive website, although of course not all Jive data/features are available in mobile.
Regarding SAML, we are currently evaluating the ability for Jive Mobile to support SAML2 for Jive 5 instances. SAML2 is an out-of-the-box option in Jive 5, so our intention is to extend that support to mobile. If you have specific information on your SSO implementation, please do provide that to me so we can factor it into our product development.
I am evaluating alternative approaches for mobile user authentication which will work regardless of the methodology utilized in the Jive instance itself. Are you available next week to discuss it over the phone? Perhaps on Wednesday at 9, 11, or 1:00 Pacific?
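The reply above describes the Spring Security "remember me" cookie as a hashed combination of username, password and expiration time, with a default lifetime of 14 days set by tokenValiditySeconds. The following is an added example, not code from Jive or from the Spring Security project: a Python model of the classic token-based remember-me layout (base64 of `username:expiryMillis:md5hex(username:expiryMillis:password:key)`, with the `=` padding stripped) and the server-side validation that decides whether a cookie may re-authenticate a user. The user names, password values, server key and timestamps are constructed for the example; the `password_lookup` callback stands in for whatever the user store returns as the stored password value. The validation shows the three properties a defender cares about: the cookie expires on its own after the configured validity, it is signed with a server-side key so the embedded expiry cannot be extended by the client, and it stops working as soon as the stored password changes.

```python
import base64
import hashlib
import hmac

# Spring Security's default tokenValiditySeconds is two weeks (1209600 s),
# which is the 14-day lifetime mentioned in the thread.
DEFAULT_VALIDITY_SECONDS = 14 * 24 * 60 * 60  # 1209600


def _signature(username, expiry_ms, password, server_key):
    # Classic token-based remember-me signature: md5hex(username:expiry:password:key).
    # The key is a server-side secret; the password is the stored password value.
    data = f"{username}:{expiry_ms}:{password}:{server_key}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def encode_fields(username, expiry_ms, signature):
    # Cookie value is base64("username:expiry:signature") with '=' padding removed.
    raw = f"{username}:{expiry_ms}:{signature}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def decode_fields(cookie):
    # Re-add the padding that was stripped, then split into the three fields.
    # Returns None for anything that is not well-formed (hypothetical model:
    # usernames containing ':' are not supported here).
    padded = cookie + "=" * (-len(cookie) % 4)
    try:
        parts = base64.b64decode(padded, validate=True).decode("utf-8").split(":")
    except (ValueError, UnicodeDecodeError):
        return None
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2]


def make_remember_me_cookie(username, password, server_key, now_ms,
                            validity_s=DEFAULT_VALIDITY_SECONDS):
    """Issue a remember-me cookie that expires validity_s seconds after now_ms."""
    expiry_ms = now_ms + validity_s * 1000
    return encode_fields(username, expiry_ms,
                         _signature(username, expiry_ms, password, server_key))


def validate_remember_me_cookie(cookie, password_lookup, server_key, now_ms):
    """Return the username the cookie re-authenticates, or None if it must be rejected.

    Rejection reasons: malformed cookie, expiry in the past, unknown user,
    or a signature that does not match (wrong key, tampered fields, or the
    stored password changed since the cookie was issued).
    """
    fields = decode_fields(cookie)
    if fields is None:
        return None
    username, expiry_ms, presented_sig = fields
    if expiry_ms < now_ms:
        return None  # the 14-day window has elapsed
    password = password_lookup(username)
    if password is None:
        return None  # user no longer exists
    expected_sig = _signature(username, expiry_ms, password, server_key)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    return username


if __name__ == "__main__":
    # Constructed sample values.
    now = 1_700_000_000_000
    users = {"alice": "stored-password-value"}
    cookie = make_remember_me_cookie("alice", users["alice"], "server-key", now)
    print("fresh cookie  ->", validate_remember_me_cookie(cookie, users.get, "server-key", now + 1000))
    after_14_days = now + DEFAULT_VALIDITY_SECONDS * 1000 + 1
    print("after 14 days ->", validate_remember_me_cookie(cookie, users.get, "server-key", after_14_days))
```

The `__main__` section issues one cookie and checks it once inside and once just past the 14-day window. Because the stored password value is part of the signed material, a password reset invalidates every outstanding remember-me cookie for that account without any server-side token store, which is the trade-off of this design: it needs no persistence, but the validity window is fixed at issue time and can only be shortened globally through tokenValiditySeconds.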
Sorry - just saw this. Actually, let me pass this on to someone who knows much more about this than I do on my team.