We’re working through an IFS implementation and we’re having trouble getting NovaCura and IFS to authenticate users correctly.
We have IFS Cloud 22.1.5 on premise, using ADFS as our OpenId External Identity provider.
NovaCura is using the same ADFS instance as its External Identity provider.
We are trying to setup IFS and NovaCura so that users can authenticate from NovaCura to their IFS accounts and do their warehouse flows as their user in IFS from within the NovaCura flow mobile app. We have the additional challenge that the mobile devices we use for NovaCura are shared devices.
We setup a public client for the NovaCura IFS connector. And to some extent it’s working! But now we have a new issue.
Consider the following scenario:
- Alice picks up the warehouse device
- Alice logs into Novacura
- Alice starts an IFS warehouse flow
- Alice gets prompted for her IFS credentials.
- The actions that Alice does are done by Alice’s account in IFS.
- Alice is done for the day and logs out of Novacura.
- Bob picks up the device.
- Bob logs into Novacura.
- Bob doesn’t get an IFS login prompt.
- The actions that Bob does are done by Alice’s account in IFS.
NovaCura uses the google trust store on the Android devices via the browser to store the tokens/sessions from both IFS and ADFS. And NovaCura has no way of clearing this - we spoke to one of their consultants from Sweden, the Android security model prevents NovaCura from interacting with the trust store.
We’ve been working with NovaCura to get a solution but they are a little bit stumped too.
We tried using additional openid parameters as supported by KeyCloak (the thing that powers the IAM pod).
{“prompt”:”select_account”} - didn’t do anything.
{“prompt”:”login”} - did sorta work but whilst it forced a fresh login to ADFS, it didn’t log the IFS user out, so the user got an error when they were redirected to IFS.
Has anyone had any success getting this to work?
