04-20-2011 10:30 AM
My company has an app that connects to a server in order to get access to some information.
The BB application is working fine, but now we're trying to make a smooth integration with BES system:
users that are connected with their BES don't need to login as the BES would be middleware in charge of authenticating the user to the 3rd-party system, retrieve a token from that system and send it back to the BB app. After that, the BB app would be connected to the 3rd party app and the user could use it.
Now this is a general scheme but I have no idea how this could be achieved. I'm pretty sure BES could be used in order to process the login step, maybe by developing some connector, but I can't find any docs on that topic.
Could you please help by pointing to the right docs and helping build the right architecture?
Thanks in advance.
04-20-2011 11:37 AM
Hi and welcome to the forums!
The BES MDS can perform authentication on behalf of the user with a defined set of credentials (the same credentials would be used for all users). Using this approach you would have no development work, you would just need to ensure that the credentials used have access to the required functionalities on your application servers.
To the device the connection would be made seamlessly, the BES is the only thing that handles authentication, so there is no need for tokens either.
The above stated functionality is native to the BES and does not require any special connectors.
The following article explains how this can be set up using a 5.0.2 BES:
04-20-2011 12:05 PM
Thanks for the reply and the welcome.
Actually, my need is slightly different: the service we offer is not Windows-based. The BB client uses SOAP to exchange information with the server, and every person might be able to have their own account.
You can find more info about the service and the app here:
My point is, what can I do if I want to automatically log in people who are connected through a BES? In that case, we consider that the BES would allow both authentication and security policy enforcement.
Hence when the user starts the app, it directly goes into the app and skips the login screen.
In my understanding, the app would send an "anonymous" request to the BES, which translates it into a login request with the correct ID and pwd, sends it to the server which returns a session token. The BES would then transmit that token back to the app and that's it: the user is able to use the app.
Thanks for your help
04-20-2011 12:48 PM
How are you expecting the BES to manage multiple accounts? If a user creates a new account would the BES hold onto this account and tie it to a particular user? If that's the case then you would likely be best to store this information to the device and include the authentication information in the request to your server.
Some more details on your solution (whether your server is hosted internal or external to the environment, what authentication mechanism you are using, how you are managing user accounts) would be helpful to better understand the scenario and suggest some possible solutions.
04-21-2011 04:42 AM
Hi Garett, thanks a lot for your patience
I would like to use the same account management as the one existing on the BES. There would be a simple correspondence between the user accounts on the BES and the user accounts on our server. This point remains open as we are able to make some developments on our server side to fit the need.
But so far, there "is" two parallel accounting systems: the one on the BES and the one on our service.
Our server could be both hosted internally or externally from the customer's point of view. But to start, let's consider the easier, which is internal hosting.
All requests to our service go through SOAP and as I previously said, the authentication process creates a token that the client must send every time it makes a request.
Maybe the SSO feature ain't worth the effort but I wonder, because it seems to me that the BES is the entry point for enabling third-party services with special features only to registered users. And SSO with a 3rd-party service would definitely be in that scope.
04-21-2011 09:36 AM
The BES only handles accounts when the user tries to access the BES management interface, and most users would be using Active Directory credentials to access this. When browsing the web there is no credential authentication that happens between the device and the BES. So it's not supported nor feasible to grab these credentials using a third-party connector when a web service call is made through the BES.
It seems to be a bit over-complicated. Perhaps a simpler solution I could propose would be something along the lines of: Configure the BES to include the email address and PINs of the devices passing through to the HTTP headers. Your client app could make the request to your server, your server could authenticate based on these pieces of information. You could also include a password for your application, if necessary, stored in the BES IT Policy. So each user would essentially use the same password but a different username based on their email address. The password could also be hard-coded or even non-existent depending on your security requirements. Just a few ideas to keep in mind.
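The header-based scheme suggested above only holds if the server accepts those headers from the BES alone, since any other client could set them itself. A server-side sketch of that check, added here as an example and not part of the original thread; the header names, network range, password and account table are constructed placeholders, not real BES values.

```python
import hmac
import ipaddress

# Constructed values for illustration; none of them come from the thread or from BES.
TRUSTED_BES_NETS = [ipaddress.ip_network("10.20.30.0/28")]  # where the BES sits
EMAIL_HEADER = "x-example-device-email"      # placeholder header name
PIN_HEADER = "x-example-device-pin"          # placeholder header name
PASSWORD_HEADER = "x-example-app-password"   # placeholder header name
APP_PASSWORD = "constructed-shared-secret"   # would be pushed via IT Policy
ACCOUNTS = {"alice@example.com": {"pin": "2100000A", "account_id": 17}}


class AuthError(Exception):
    """Header login refused; the caller falls back to the normal login screen."""


def from_trusted_bes(peer_ip):
    # Only the socket peer address counts, never a client-supplied header.
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_BES_NETS)


def same(a, b):
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(a.encode(), b.encode())


def authenticate(peer_ip, headers):
    """Return the account id for a request whose identity headers can be trusted."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if not from_trusted_bes(peer_ip):
        # Anyone reaching the server directly can forge the headers: ignore them.
        raise AuthError("identity headers are only accepted from the BES")
    email = h.get(EMAIL_HEADER, "").lower()
    pin = h.get(PIN_HEADER, "").upper()
    if not email or not pin:
        raise AuthError("missing identity headers")
    if not same(h.get(PASSWORD_HEADER, ""), APP_PASSWORD):
        raise AuthError("bad application password")
    account = ACCOUNTS.get(email)
    if account is None or not same(pin, account["pin"]):
        raise AuthError("unknown user or device")
    return account["account_id"]
```

`peer_ip` must be the TCP peer address the server itself observed, not a value read from a forwarding header.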
05-03-2011 06:04 AM
Sorry for my late reply.
Your suggestion definitely seems a good solution suiting my need. If I understand well, the BES would act as a proxy, filling the HTTP headers with login (email) and a password that would be defined in the BES policy.
This way, only users connected via their registered BlackBerry would be able to use the service.
That sounds great to me!!
Now the only thing left is that it would require a slight change in the manner of authenticating in our SOAP service. But I think this has a limited impact.
Thanks a lot for your help
Just one more thing, could you please help to find the documentation regarding the BES policy configuration. I get lost in all the docs pages ...
05-03-2011 09:02 AM
Here's information on creating the custom IT Policy items:
And here is how the BES can be configured to add email and PINs to the HTTP headers:
06-21-2011 06:37 PM
I came across your posting... as I guess I am also facing the same problem as you.
Here is the problem which I am facing on my app. My app works perfectly fine on Wi-Fi or on users' data plans from their cell phone providers, but it stops working when the user is on company internet; I assume that the company is running BES.
How can my app work on a BES internet connection? I went through lots of things on the web, but did not find anything useful... If you guys could direct me to some BlackBerry document which says how to configure BES servers for a specific third-party application it would be great. Also as a developer I am confused on how to test such a scenario... How to simulate a BES connection on a real device or simulator.
Please help me guys....
Thanks for the replies and suggestions...