Orchestration SDKs

Limitations

This page lists current known issues and limitations of the Orchestration SDKs.

All platforms

  • The Orchestration SDKs do not support authentication chains or modules.

Orchestration SDK for Android

  • Using auth tabs for social sign-on to Facebook might fail if the Facebook app is also installed.

    Details

    Using the Orchestration SDK for Android for social sign-on to Facebook using an auth tab might fail on devices where the Facebook app is installed.

    The authentication flow exits the browser before completion, resulting in a BrowserCanceledException response in the client Android application.

    Environment

    This issue only occurs in the following environment:

    • You are using Facebook as an external identity provider.

    • The client device has the Facebook app installed.

    • You have not imported the native Facebook SDK for Android into the app project.

      • The client app has fallen back to using an auth tab in Chrome to perform the social sign-in.

    Learn more about configuring social sign-on in Android apps in the following pages:

    Symptoms

    The following symptoms are indicative of this issue occurring:

    • The client app launches the web browser to authenticate the user with Facebook, but closes it again immediately.

    • The user returns to the client application without being able to authenticate to Facebook.

    • In the client application, the value of redirectUri is null.

    • The Orchestration SDK for Android outputs the following console output:

      Result from AuthTab, resultCode: 0, redirectUri: null
      BrowserCanceledException: Browser was canceled

    Cause

    The Android Facebook app is able to intercept the authentication flow in an auth tab by using Android intent resolution.

    This causes the social sign-on flow to exit the auth tab prematurely, without returning the necessary redirect URI to the client application.

    Without the redirect URI, the client application assumes the user closed the auth tab and returns the BrowserCanceledException, causing social sign-on to fail.

    Solution

    The Orchestration SDK for Android supports Facebook’s native SDK libraries, which handle social sign-on directly rather than redirecting the user in a web browser.

    This can provide a smoother, more integrated experience for your users than the redirect method.

    To support a native experience, add the native libraries as dependencies in your Android application:

    // Facebook native sign-on SDK for Android
    implementation("com.facebook.android:facebook-login:18.1.3")
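
    To check whether a given build and device match the affected environment listed above, a debug-time diagnostic such as the following can help. It is an added example, not code from the Orchestration SDK or this page. The helper names are hypothetical; the sketch assumes the Facebook app's package name is com.facebook.katana and that the facebook-login library exposes com.facebook.login.LoginManager under its original name.

    ```kotlin
    import android.content.Context
    import android.content.pm.PackageManager
    import android.util.Log

    // Assumed package name of the Facebook app for Android.
    private const val FACEBOOK_APP_PACKAGE = "com.facebook.katana"
    // Assumed entry-point class of com.facebook.android:facebook-login.
    private const val FACEBOOK_LOGIN_CLASS = "com.facebook.login.LoginManager"

    /**
     * True if the Facebook app is installed and visible to this app.
     * On Android 11+ the manifest needs a <queries> entry for the package,
     * otherwise the lookup fails and this returns false.
     */
    fun isFacebookAppInstalled(context: Context): Boolean =
        try {
            context.packageManager.getPackageInfo(FACEBOOK_APP_PACKAGE, 0)
            true
        } catch (e: PackageManager.NameNotFoundException) {
            false
        }

    /**
     * True if the native Facebook login library is on the classpath.
     * The class is looked up without being initialized. Assumes code
     * shrinking has not renamed the class.
     */
    fun isNativeFacebookSdkPresent(context: Context): Boolean =
        try {
            Class.forName(FACEBOOK_LOGIN_CLASS, false, context.classLoader)
            true
        } catch (e: ClassNotFoundException) {
            false
        }

    /**
     * Hypothetical helper: true when the app would fall back to an auth tab
     * on a device where the Facebook app can intercept the flow.
     */
    fun matchesAuthTabFailureEnvironment(context: Context): Boolean {
        val affected = isFacebookAppInstalled(context) && !isNativeFacebookSdkPresent(context)
        if (affected) {
            Log.w("SocialSignOnCheck",
                "Facebook app installed and native SDK missing: " +
                "auth tab sign-on may end with BrowserCanceledException")
        }
        return affected
    }
    ```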

    Learn more about embedding Facebook libraries for social sign-on at:

  • Displaying CAPTCHAs or using the Ping (ForgeRock) Authenticator module in your application requires the presence of the Google Play Services.

  • The Authenticator module of the Orchestration SDK for Android only supports Firebase Cloud Messaging service as a Push Notification provider.

  • Social sign-on with auth journeys requires PingAM 7.1 or the latest version of PingOne Advanced Identity Cloud.

  • Biometric authentication is only supported on Android 7.0 or newer.

  • Biometric authentication with auth journeys requires PingAM 7.1 or the latest version of PingOne Advanced Identity Cloud.

  • Biometric authentication requires the use of Google Play Services.

  • When a biometric dialog, such as the provide fingerprint dialog, is dismissed, the application may become unresponsive.

  • Biometric authentication does not distinguish between individual biometrics (fingerprints or faces), but is limited to the collection of biometrics registered for the device’s current user account.

  • Orchestration SDK for Android apps do not function correctly if they are minimized to picture-in-picture mode in Android custom tabs.

    The Orchestration SDK is not able to detect being minimized until API support from Google is available in Android.

Orchestration SDK for iOS

  • Data encryption with Secure Enclave is only available for iOS 10+ devices with TouchID or FaceID.

  • Social sign-on with auth journeys requires PingAM 7.1 or the latest version of PingOne Advanced Identity Cloud.

  • The Google Sign-In SDK is only compatible with CocoaPods (Swift Package Manager is not supported).

  • Sign In With Apple is only supported in iOS 13 and above.

  • Biometric authentication with auth journeys requires PingAM 7.1 or the latest version of PingOne Advanced Identity Cloud.

  • Biometric authentication does not distinguish between individual biometrics (fingerprints or faces), but is limited to the collection of biometrics registered for the device’s current user account.

  • For biometric authentication, iOS only supports the ES256 signing algorithm, which is configured in the WebAuthn Registration node.

  • For "usernameless" biometric authentication support in auth journeys, "limit registrations" must be disabled within the WebAuthn Registration node.

  • Device Binding is not supported on iOS simulators. You must use a physical device to test Device Binding.

Orchestration SDK for JavaScript

  • The Orchestration SDK for JavaScript is currently unable to revoke PingOne-issued OIDC tokens when using Firefox and Safari, due to third-party cookie protection.

  • When resources are protected by PingGateway, the Orchestration SDK for JavaScript can only support transactional authorization if PingAM and PingGateway are on the same origin.

  • Firefox does not support Touch ID as a WebAuthn device on Mac, which limits some WebAuthn node configurations.

  • The SDK requires polyfills to function in IE 11 and Legacy Edge.

  • In WebKit for both macOS and iOS, the "Prevent Cross-site Tracking" option, which is enabled by default, can prevent the SDK from functioning when the app and PingAM are under different origins.

  • Collecting location information requires the user’s system preferences to allow browser access to location information.

  • IndexedDB as a token storage strategy has a known issue with Firefox Private Mode. Use localStorage as an alternative.

  • Social login with Apple requires the use of a form POST, so the "Redirect URL" cannot be an SPA, because SPAs are unable to handle a POST request.