Using Advanced Authentication

By default, Mobile SDK automatically uses standard authentication. On the server side, however, Salesforce orgs can choose to use advanced authentication by configuring either My Domain or MDM. Advanced auth requires a small amount of configuration in most Mobile SDK apps.

At runtime, Mobile SDK bases its authentication type on the login org’s configuration.

  • If browser-based authentication is configured for the org’s My Domain, Mobile SDK conforms to the My Domain setting.
  • If browser-based authentication hasn’t been configured for the org’s My Domain, Mobile SDK uses advanced auth only if the org uses MDM certificate-based auth.
  • If the org doesn’t use My Domain browser-based authentication or MDM certificate-based auth, Mobile SDK uses standard auth.

For browser-based authentication, customers log in through the familiar Salesforce web view, followed by an authorization screen.

For certificate-based authentication, instead of a login screen, the operating system prompts the customer to choose a certificate for authentication. The customer does not enter credentials. After choosing the certificate, the customer sees the authorization screen.

Mobile SDK requirements for implementing advanced auth are minimal. Most apps require only a small amount of configuration. Android apps that use MDM certificate-based auth do not require client-side configuration.

  • In a Salesforce connected app, under API (Enable OAuth Settings):
    • Apply the typical OAuth settings for Mobile SDK apps. See API (Enable OAuth Settings).
    • Make sure that Require Secret for Web Server Flow is not selected.

An org administrator can require advanced auth through My Domain settings. To take advantage of advanced auth:

  1. From Setup, in the Quick Find box, enter My Domain, and then select My Domain.

  2. In My Domain settings, under Authentication Configuration, select one or both of the following options:

    • Use the native browser for user authentication on Android
    • Use the native browser for user authentication on iOS

    See “Customize Your My Domain Login Page for Mobile Auth Methods” in Salesforce Help.

For logins managed through MDM, Mobile SDK uses advanced auth only if the org’s MDM settings specify certificate-based auth. An org’s MDM suite must:

  • Set the RequireCertAuth property to true.
  • Android only: Set the ManagedAppCertAlias property to an alias name.
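
The following check is an added example, not Mobile SDK or Salesforce code. It applies the runtime rules and the MDM requirements above to a managed app configuration. It assumes the configuration has been exported as a plist dictionary. The function names, the sample plist, the strict boolean test, and the fallback to standard auth for an incomplete MDM configuration are assumptions of this example.

```python
import plistlib

# Constructed sample: an iOS managed app configuration exported as a plist.
SAMPLE_IOS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>RequireCertAuth</key><true/>
</dict></plist>"""


def check_mdm_cert_auth(config, platform):
    """Return the problems that keep this MDM config from meeting the requirements."""
    problems = []
    # Assumption: insist on a real boolean; a string such as "true" is flagged
    # for review rather than silently accepted.
    if config.get("RequireCertAuth") is not True:
        problems.append("RequireCertAuth is not set to boolean true")
    if platform == "android":
        alias = config.get("ManagedAppCertAlias")
        if not isinstance(alias, str) or not alias.strip():
            problems.append("ManagedAppCertAlias is missing or empty (Android)")
    return problems


def expected_auth_type(platform, native_browser_platforms, mdm_config=None):
    """Apply the three runtime rules in order; the My Domain setting comes first.

    native_browser_platforms: platforms ("android", "ios") for which the org's
    My Domain has "Use the native browser for user authentication" selected.
    """
    if platform in native_browser_platforms:
        return "advanced (browser-based)"
    # Assumption: a config that fails the check is treated as not enabling
    # certificate-based auth, so the result falls through to standard auth.
    if mdm_config is not None and not check_mdm_cert_auth(mdm_config, platform):
        return "advanced (certificate-based)"
    return "standard"


if __name__ == "__main__":
    cfg = plistlib.loads(SAMPLE_IOS_PLIST)
    for platform in ("ios", "android"):
        print(platform, expected_auth_type(platform, set(), cfg),
              check_mdm_cert_auth(cfg, platform))
```

Run it against each platform's exported configuration before rollout: an Android result that lists a missing alias means the MDM payload does not yet satisfy both requirements.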

With advanced auth, logging out of an app can cause surprising behavior. How this behavior can affect your app depends on the type of login your app uses.

Certificate-Based (MDM) Login

With certificates, a customer remains authenticated until the certificate is revoked. A certificate remains valid until the issuer revokes it. If a customer logs out of the app while the certificate is valid, the Salesforce login screen appears briefly. However, because the certificate automatically supplies the customer’s credentials, the flow goes directly to the authorization (“Allow Access”) screen. By choosing Allow, the customer obtains new access and refresh tokens and can continue using the app. In effect, a customer can’t log out until the MDM issuer revokes the certificate.

Web Server OAuth Login

During OAuth 2.0 authentication, Salesforce creates a temporary short-term session to bridge the gap between login and the Salesforce authorization (“Allow Access”) screen. This temporary session, which uses a cookie, is not tied to the OAuth refresh or access token and therefore isn’t invalidated at logout. Instead, the session remains valid until it expires. The most recently authenticated customer remains logged in until the temporary session expires. These sessions have an intentionally short lifetime, after which the user can log in normally.

The following unexpected behavior can occur during the lifetime of the temporary session: If the customer tries to log out and log in again before the cookie expires, the flow skips the login prompt. Instead, it goes directly to Salesforce authorization. By choosing Allow, the customer automatically obtains new access and refresh tokens and can continue using the app.

This behavior doesn’t occur with standard web view authentication because the web view doesn’t preserve cookies from previous authentications. It also doesn’t occur if the customer logs out after the temporary session expires. Mobile SDK apps, including the Salesforce app, can’t control cookies from the Salesforce service.

Although advanced auth doesn’t use swizzling, the login page remains full-screen. This presentation can give customers the impression that they've temporarily left your app.