Skip to main content

We’re working through an IFS implementation and we’re having trouble getting NovaCura and IFS to authenticate users correctly.

We have IFS Cloud 22.1.5 on premise, using ADFS as our OpenId External Identity provider.

NovaCura is using the same ADFS instance as its External Identity provider.

We are trying to setup IFS and NovaCura so that users can authenticate from NovaCura to their IFS accounts and do their warehouse flows as their user in IFS from within the NovaCura flow mobile app. We have the additional challenge that the mobile devices we use for NovaCura are shared devices.

We setup a public client for the NovaCura IFS connector. And to some extent it’s working! But now we have a new issue.

Consider the following scenario:

  1. Alice picks up the warehouse device
  2. Alice logs into Novacura
  3. Alice starts an IFS warehouse flow
  4. Alice gets prompted for her IFS credentials.
  5. The actions that Alice does are done by Alice’s account in IFS.
  6. Alice is done for the day and logs out of Novacura.
  7. Bob picks up the device.
  8. Bob logs into Novacura.
  9. Bob doesn’t get an IFS login prompt.
  10. The actions that Bob does are done by Alice’s account in IFS.

NovaCura uses the google trust store on the Android devices via the browser to store the tokens/sessions from both IFS and ADFS. And NovaCura has no way of clearing this - we spoke to one of their consultants from Sweden, the Android security model prevents NovaCura from interacting with the trust store.

We’ve been working with NovaCura to get a solution but they are a little bit stumped too.

We tried using additional openid parameters as supported by KeyCloak (the thing that powers the IAM pod).

{“prompt”:”select_account”} - didn’t do anything.

{“prompt”:”login”} - did sorta work but whilst it forced a fresh login to ADFS, it didn’t log the IFS user out, so the user got an error when they were redirected to IFS.

Has anyone had any success getting this to work?

@Emma.Carter I looked into something similar and can share a thought that might give you some help.

First of all, I assume you’re using web-based clients in both Novacura and IFS, and not IFS Scan It.

If that’s the case, logging out of IFS Cloud only logs you out of the application, but the browser still retains your AD authentication. I suspect this is what lets Bob login to Novacura without the IFS prompt.

If that’s indeed your scenario, there’s a rather dirty hack to force login - you can clear the browser’s local data (long press > App Info > clear data). This is of course cumbersome for your users, but could help you confirm the root cause of the issue.

If clearing helps, that gives you a couple of different possible ways forward.

  1. you could look into setting up Chrome or Firefox on the Android devices to always open in incognito/private mode. I’ve not tested this, but it should clear the credentials at the end.
  2. similarly, you could look into providing different user accounts on the Android device for each user, so that they have their own browsers without getting in each other’s way.

Hope this helps you in some way!

Cheers,

Rukmal

@Emma.Carter I looked into something similar and can share a thought that might give you some help.

First of all, I assume you’re using web-based clients in both Novacura and IFS, and not IFS Scan It.

If that’s the case, logging out of IFS Cloud only logs you out of the application, but the browser still retains your AD authentication. I suspect this is what lets Bob login to Novacura without the IFS prompt.

If that’s indeed your scenario, there’s a rather dirty hack to force login - you can clear the browser’s local data (long press > App Info > clear data). This is of course cumbersome for your users, but could help you confirm the root cause of the issue.

If clearing helps, that gives you a couple of different possible ways forward.

  1. you could look into setting up Chrome or Firefox on the Android devices to always open in incognito/private mode. I’ve not tested this, but it should clear the credentials at the end.
  2. similarly, you could look into providing different user accounts on the Android device for each user, so that they have their own browsers without getting in each other’s way.

Hope this helps you in some way!

Cheers,

Rukmal

Thanks Rukmal! Yes, this was in line with what we thought the problem is.

Unfortunately, we are using the NovaCura Flow native web application rather than the browser, and the devices are locked down using mobile device management so that the web browser is not available to end users.

The other challenge is that the Android OS on the Zebra handheld devices we are using do not support a mulitple user environment (most mobile device operating systems don’t).

Reply


Terms & ConditionsCookie settings