Your suggested change has been received. Thank you.

OneWelcome Identity Platform
- Explore Thales Docs

IDAAS core
User journey orchestration
- User journey orchestration - Access component
- User journey orchestration - Tulip component
Consent and preference management
Delegated user management
- Getting started
- Roles
- Rules
- User management
- Self service page
- Data
- APIs
- Apps
- Jobs
- Reports
Externalized authorization
Identity broker
Mobile identity
- Mobile identity - Access component
- Mobile identity - Tulip
Mobile SDK
API references
Release notes and FAQ
Integrations

All

All
CipherTrust Manager
CipherTrust Application Data Protection (CADP)
CipherTrust Application Key Management (CAKM)
CipherTrust Batch Data Transformation (BDT)
CipherTrust Cloud Key Management (CCKM)
CipherTrust Data Discovery and Classification (DDC)
CipherTrust Data Protection Gateway (DPG)
CipherTrust Database Protection (CDP)
CipherTrust Intelligent Protection (CIP)
CipherTrust Integrations
CipherTrust Migrations
CipherTrust RESTful Data Protection (CRDP)
CipherTrust Transparent Encryption (CTE)
CipherTrust Transparent Encryption Userspace (CTE-U)
CipherTrust Secrets Management (CSM)
CipherTrust Vaulted Tokenization (CT-V)
CipherTrust Vaultless Tokenization (CT-VL)
CTE-Linux
CTE-Windows
CTE-AIX
CTE-K8s
CTE-U
Crypto Command Center
Data Protection on Demand
Luna Cloud HSM
Luna Network HSM
Luna PCIe HSM
Luna USB HSM
OneWelcome Identity Platform
ProtectApp LUKS
ProtectServer 2 HSM
ProtectServer 3 HSM
SafeNet Trusted Access (STA)
SafeNet MobilePASS+
SafeNet MobilePASS+ for Android
SafeNet MobilePASS+ for Chrome
SafeNet MobilePASS+ for macOS
SafeNet MobilePASS+ for iOS
SafeNet MobilePASS+ for WatchOS
SafeNet MobilePASS+ for Windows
SafeNet Synchronization Agent
SafeNet Logging Agent
SafeNet Agent for FreeRADIUS
SafeNet Agent for NPS
SafeNet Agent for Windows Logon
SafeNet Authentication Service Private Cloud Edition (SAS PCE)
SafeNet Remote Logging Agent
SafeNet Keycloak Agent
SafeNet IDPrime Virtual (IDPV)
SafeNet FIDO Key Manager
SafeNet FIDO Key Manager for Android
SafeNet FIDO Key Manager for iOS
SafeNet FIDO Key Manager for Windows

Mobile identity - Access component

App-to-web SSO

Mobile identity
Mobile identity - Access component
- PIN policies
- OS version configuration
- Mobile applications
  - Mobile application version management
  - Mobile app delivery lifecycle
  - Push authentication
  - SMS authentication
  - One-time password
  - Transaction signing
  - Implicit authentication
  - Application API
  - Application version API
- Mobile authentication
  - Mobile authentication API version 4
  - Mobile authentication API version 3
- Custom registration
  - Custom registration examples
  - QR registration example
  - Stateless custom registration
  - Custom registration v2
  - Custom registration API v1
  - Back-channel communication API
- User management
- App-to-web SSO
- Device API version 4
- Device API version 3 (deprecated)
Mobile identity - Tulip
- Mobile identity registration
- QR code login
- Adding push notifications
- Create a session on login

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

OneWelcome Identity Platform
Mobile identity
Mobile identity - Access component
App-to-web SSO

App-to-web SSO

App-to-web single sign-on (SSO) allows users to transfer their authenticated session from a mobile application (using the OneWelcome Mobile SDK) to a web browser seamlessly on the same device. This solution is designed to offer a frictionless experience when transitioning from the mobile app to a web browser, because the web application typically offers more extensive functionality.

The common use case for this technology arises when some features are not available in the mobile application, necessitating a transition to the web application. Ensuring that this switch is as smooth as possible is critical to maintaining a positive user experience. The principles of session extension can also be applied to other transitions, such as app-to-app or web-to-app, though the primary focus here is on mobile app-to-web transitions.

This approach plays a key role in offering a seamless and efficient user experience by reducing interruptions typically caused by multiple authentication prompts when switching between platforms.

Supported identity providers

This functionality is available when using a OneWelcome iDAAS core identity provider (IDP):

Tulip version R103 and later
CIM version 6.2.0 and later

The supported IDP is responsible for maintaining an allowlist for the target URLs. Target URLs that are not included in the allowlist are rejected.

OneWelcome mobile SDK integration

Using the OneWelcome mobile SDK, developers can specify a target URL that requires authentication. The SDK checks the validity of the mobile app’s session, establishes a session with the IDP, and redirects the user to the specified URL while maintaining their logged-in status.

You can find detailed information for each SDK:

iOS
Android
Flutter
React Native

How it works

The mobile app initiates an app-to-web SSO request. This request returns a URL that contains a one-time token with a limited lifetime.
Open this URL in a web browser. It creates an SSO session at the OneWelcome IDP.
After the session is created, it's redirected back to the web application.
At this point, the web app needs to initiate a (silent) authentication request via a supported SSO protocol, like SAML or OIDC.
When receiving an authentication response, the web app might need to exchange an authorization code for tokens (OIDC) or do artifact resolution (SAML).
The user is authenticated in the web app and can use all web functions from the browser.

Implementation options

Directing a user to a web application can happen in several ways:

Embedded web view: To create an experience that is similar to a native mobile experience, use the mobile operating system's support for different types of browsers. Use interceptors to show the webview only after the web app is loaded, and show a spinner when waiting for the webview.
Native mobile browser: For scenarios where it should be transparent to users that they are going to the web application, you can use a redirect to the native mobile browser. Optionally, you can use a dialog box to inform the user that they are leaving the app.

Simplified flow diagram

Simplified flow diagram

Session management

The session created on the web is not linked to the session in the mobile app. The lifecycle of the sessions should therefore be managed independently. In other words, a logout on the web does not log out of the mobile app unless a separate process is implemented for it.

Key benefits

Seamless user experience when transitioning from the mobile app to the web
Leveraging existing authentication without requiring users to log in again
Support for standard SSO protocols (SAML, OIDC)
Independent session management for enhanced security

On this page

Supported identity providers
OneWelcome mobile SDK integration
- How it works
- Implementation options
Simplified flow diagram
- Session management
Key benefits

OneWelcome Identity Platform

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Support Contacts
Legal
- End User License Agreement
- Terms of Service

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Print

Suggest An Edit

Download this Page

Download Project

Copy Link

Copy Link

Copy Link

Copy Link

Copy Link

Copy Link

Copy Link