How Symantec Mobility: Suite single sign-on app policies work
Last Updated November 09, 2015
When you enable this feature, the end user experience is as follows: assume Apps A, B, and C are all wrapped with policy conditions that require authentication and allow for SSO. The end user opens App A and is required to authenticate. After the authentication credentials pass through the IDP, App A launches. Within a few minutes, the end user opens App B. App B launches without requiring the end user to authenticate. Within a few minutes, the end user launches App C. Again, the app launches without requiring the user to authenticate.
The amount of time between when the user accesses the first app and authenticates and then opens a subsequent app without requiring authentication depends on the IDP's session timeout settings. If you use the local IDP or Active Directory/LDAP, the default Mobility Suite session timeout is 30 minutes. So if the user opens an app that requires authentication and allows for SSO within 30 minutes of opening the first app, no authentication is required. If you use SAML as the IDP, the session timeout settings are configured within the IDP.
The SSO feature works by passing the encrypted login cookie from the last wrapped app that was opened through SSO to the next wrapped app that requests SSO. So when the user closes the last app that was opened through SSO, the user must reauthenticate to open a subsequent wrapped app. For example, assume Apps A, B, C, and D are all wrapped with policy conditions that require authentication and allow for SSO. The end user opens App A and must authenticate. Within a few minutes, the user opens App B. No authentication is required. Within a few minutes, the user opens App C. No authentication is required. While App A and App B are still running, the user closes App C. Then the user opens App D. The user is required to reauthenticate.
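As an added illustration (not Symantec's code), the following Python model replays the scenarios above under the rule the article describes: the encrypted login cookie is held only by the wrapped app most recently opened through SSO, and the 30-minute default timeout is counted from the last real authentication. Treating the timeout as measured from the first login rather than refreshed on each handoff is an assumption taken from the wording above.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Default Mobility Suite session timeout when the local IDP or AD/LDAP is used.
SESSION_TIMEOUT_MIN = 30


@dataclass
class SsoState:
    """Simplified model (an assumption, not the product's implementation): the
    login cookie is held only by the SSO app opened most recently, so closing
    that app leaves nothing to hand to the next app, even if older apps run."""
    timeout_min: int = SESSION_TIMEOUT_MIN
    holder: Optional[str] = None               # app currently holding the cookie
    authenticated_at: Optional[float] = None   # minute of the last real login
    running: Set[str] = field(default_factory=set)

    def open_app(self, app: str, now_min: float) -> bool:
        """Open a wrapped SSO app; return True if the user had to authenticate."""
        expired = (self.authenticated_at is None
                   or now_min - self.authenticated_at > self.timeout_min)
        needs_auth = self.holder is None or expired
        if needs_auth:
            self.authenticated_at = now_min
        self.holder = app              # newest app becomes the cookie source
        self.running.add(app)
        return needs_auth

    def close_app(self, app: str) -> None:
        self.running.discard(app)
        if self.holder == app:
            self.holder = None         # cookie goes away with the last-opened app


Event = Tuple[float, str, str]   # (minute, "open" | "close", app name)


def replay(events: List[Event], timeout_min: int = SESSION_TIMEOUT_MIN) -> List[Tuple[str, bool]]:
    """Replay opens/closes and report, per open, whether a login was required."""
    state = SsoState(timeout_min=timeout_min)
    result: List[Tuple[str, bool]] = []
    for minute, action, app in events:
        if action == "open":
            result.append((app, state.open_app(app, minute)))
        elif action == "close":
            state.close_app(app)
        else:
            raise ValueError(f"unknown action {action!r}")
    return result


if __name__ == "__main__":
    # Constructed replay of the second scenario: A, B, C opened, C closed, D opened.
    print(replay([(0, "open", "A"), (3, "open", "B"), (6, "open", "C"),
                  (7, "close", "C"), (9, "open", "D")]))
```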
The SSO feature could become a security vulnerability if an unauthorized person gets control of an end user's device and is able to launch previously unopened wrapped apps using the SSO feature. As a best practice, you may want to encourage your end users to lock their devices when they are not in use.