Bringing Clemson’s TigerOne card to the iPhone and Watch

Over the past few months our team at Clemson worked with TigerOne, our card services department, and Apple to successfully bring mobile ID provisioning to campus. We were the first school to integrate this functionality into our own app, my.Clemson, and that integration correlated with the success we saw on launch day – around 4500 students, faculty, and staff were able to add their TigerOne Mobile ID to their phone and Watch. These are record numbers to date. 🎉

Adobe XD Process

There were a lot of unknowns when we started the project, one being that we’d never integrated Duo (the University’s two factor system) with a native client. It made sense to reuse the embedded web version so we didn’t have to reinvent the wheel, but we weren’t sure of how to combine this with our current method of authentication via SwiftECP, whose goal is to avoid the browser!

We ended up with a pretty slick solution. After configuring the IdP to allow a Duo flow from a client that authenticated ECP, it worked like this:

  1. Authenticate via ECP
  2. Try to load the resource that’s protected by Shibboleth + MFA
  3. If the resource needs MFA authentication, show it in a WKWebView and use the navigationDelegate methods to determine when the user has responded
  4. Finally, inject the cookies provided by the Duo flow back into the native client so that it could be used for subsequent requests with a URLSession
Duo flow in action. Please ignore my super old ID picture.